The following was penned by Matteo Alessandro, Senior Associate at MK Fintech Partners Ltd

The Digital Operational Resilience Act (DORA) Regulation (EU) 2022/2554 entered into force in January 2023, and will apply as of 17th January 2025. By this date, all subject entities are expected to be in full compliance with DORA requirements.

DORA requires certain entities in the financial sector, including crypto-asset service providers (CASPs), to address ICT-related incidents comprehensively, covering protection, detection, containment, recovery, and restoration of capabilities.

DORA emphasises ICT risk, establishing rules for management, incident reporting, resilience testing, and third-party risk monitoring. It recognises that ICT incidents and operational resilience gaps can jeopardise the financial system, regardless of capital allocation.

DORA is based on five key pillars, which set out obligations for subject entities:

1) ICT Risk Management

DORA's ICT risk management framework requires a firm's management body to take full responsibility for ICT risk management, the resilience strategy, and Third-Party Provider (TPP) policies. Competent authorities can impose penalties for breaches of the Regulation. These rules align with existing EBA and EIOPA guidelines but now carry the legal weight of a Regulation, increasing supervisory scrutiny.

Firms must define ICT disruption tolerances, identify critical functions, and understand dependencies. They must also conduct business impact analyses for severe disruptions, driving more sophisticated scenario testing and system redundancy for Critical Functions.

2) ICT-Related Incident Reporting

DORA harmonises the EU financial sector's incident reporting obligations but also imposes new ICT-related incident reporting requirements. Under DORA, firms must enhance their capabilities to collect, classify and analyse incidents. Significant cyber threats may also be reported, but on a voluntary basis; firms must nonetheless record such threats and inform clients who are potentially affected. The European Supervisory Authorities (ESAs) are to explore centralising incident reporting via a single EU Hub, to streamline reporting, enhance cross-border understanding of threats, and reduce the compliance burden.

3) Digital Operational Resilience Testing

DORA mandates regular digital operational resilience tests for all relevant firms, excluding microenterprises. They must assess their critical ICT systems and applications comprehensively at least annually to address any identified vulnerabilities.

Additionally, firms that competent authorities identify as sufficiently significant and mature will perform advanced Threat-Led Penetration Testing (TLPT) at least every three years, carried out in line with the European Central Bank's TIBER-EU framework.

DORA also requires financial sector firms to include in their TLPT scope the TPPs that support Critical Functions. Where a TPP cannot participate in a firm's test, it may instead conduct its own pooled TLPT covering the financial entities it serves. This collaborative approach is an evolving practice that demands industry-wide cooperation.

4) ICT Third-Party Risk Management

DORA aligns Third-Party Risk Management (TPRM) requirements with existing ESAs guidelines, but extends them beyond Cloud Service Providers (CSPs) to all ICT third-party service arrangements. Financial firms must include specific contractual terms in ICT outsourcing agreements by January 2025.

Certain terms introduced by DORA, such as "unrestricted access to premises" in contracts supporting Critical Functions, may pose practical challenges. DORA also promotes, as an option, a holistic multi-vendor strategy as part of ICT risk management, and supervisors have tools in place to encourage its adoption.

Further, firms must conduct concentration risk assessments for all Critical Function outsourcing contracts, potentially prompting multi-vendor strategies or resilient frameworks to justify alternative approaches.

5) Oversight Framework

DORA establishes ESAs' oversight over Critical Third-Party Providers (CTPPs), empowering them to assess, require security changes, and impose penalties as necessary. CTPPs must demonstrate their ability to support the operational resilience of the Critical or Important Functions (CIFs) of the financial firms and CASPs they serve.

New safeguards in DORA allow supervisors, acting on the Lead Overseer's findings, to require firms to suspend or terminate contracts with CTPPs, but only in exceptional circumstances.

DORA also establishes the Oversight Forum, a sub-committee of the ESAs' Joint Committee, to foster consistent best practices for CTPP oversight and to define resilience standards. These measures aim to ensure sector-wide resilience and mitigate risks associated with third-party dependencies.

How Can We Help?
We at MK Fintech Partners Ltd can help you ensure your compliance with DORA. Get in touch here or on [email protected]
