The Digital Operational Resilience Act: Initiating the European Response to Operational Resilience


The global approach towards Operational Resilience has gathered momentum in recent years. The FCA’s policy statement release in March 2021 was the first of its kind to enter into force. However, Europe is now mobilising its response, in the form of the Digital Operational Resilience Act (DORA).

In light of the ongoing recalibration of firms’ risk appetites to focus increasingly on IT and digital risk, the European Commission published the Digital Finance package in September 2020, outlining how it plans to support the ongoing digital transformation taking place across the industry.

A key element of this package is the introduction of a new legislative proposal, the Digital Operational Resilience Act. DORA aims to reduce the regulatory complexity around Operational Resilience compliance by separating the requirements from those pertaining to Operational Risk, presenting new requirements regarding resilience testing, and bringing them together under a first, single, operational resilience-focused framework.

A final policy publication is due in the coming months, with an expected 24-month period to ensure compliance. Given the significance of the requirements, firms must start thinking about their impact and formulating their responses.

Requirements at a glance

A core emphasis of the framework is creating a unified strategy to tackle Information and Communications Technology (ICT) related risks. These risks are progressively more prevalent across financial services due to the growing dependency on internal software and digital processes.

DORA addresses both internal and external ICT risks by requiring firms to have in place robust ICT risk management and governance frameworks. This should be accompanied by an incident reporting policy and a comprehensive operational resilience testing programme. The regulation outlines six core regulatory requirement areas:

DORA consolidates the European approach to Governance, ICT Risk Management and ICT-related incident reporting, which are by no means new to the industry. The requirements pertaining to these topics are currently detailed across a host of existing frameworks, such as incident monitoring, detection and reporting requirements outlined in PSD2 or risk exposure reporting and risk management process documentation covered by CRD/CRR.

DORA brings these requirements together under one policy, whilst introducing new themes (i.e., Digital Operational Resilience test, ICT 3rd-Party testing, and Information Sharing requirements), to create a comprehensive framework that best sets out how to mitigate, prevent and respond to technology-induced risk.

Scope & Timelines

DORA’s reach is extremely wide, covering all “financial institutions” under the European Commission’s supervisory model, including credit and payment institutions, electronic money institutions, investment firms, AIFMs and insurance firms. However, DORA is unique in that it reaches beyond the industry to also regulate critical 3rd-party ICT suppliers, such as Cloud, data and other technology providers. DORA’s remit extends to encapsulate these relationships, ensuring it protects firms and consumers against risks from all sources.

The proposal is expected to come into force early in H2 2023, with further technical standards being published in the following months. It is important that firms begin considering how the proposal will affect them and what they can do to be prepared for its final publication.

Early mobilisation as a cost-saving initiative

The new requirements are dense and require significant time and resource investment to ensure compliance. Acting early comes with clear advantages. Rather than a rushed, and often more costly, push to comply with the rules in the run-up to the implementation deadline, firms that plan ahead are able to identify synergies and ensure all cost-saving opportunities are assessed before designing their compliance strategy.

The overlap between DORA and existing regulatory publications, as highlighted above, presents firms with the opportunity to leverage pre-existing processes and uplift practices that were implemented as part of previous compliance projects, rather than duplicate their efforts. In developing their DORA compliance strategies, firms must diligently identify where these opportunities present themselves. Careful consideration at this early stage can result in significant time, resource and cost savings.

How Delta Capita can support your approach to DORA and compliance strategy

Delta Capita’s operational resilience experts include former C-suite-level banking executives who have personally been accountable for prudential risks and operational resilience initiatives at large Tier 1 investment banks. They are supported by a team of highly skilled delivery specialists, consultants, and proprietary strategy accelerators who can assist with all your implementation requirements, such as developing the required governance frameworks, mapping important business services and defining your testing strategy.

If you are interested in finding out more, contact us to speak directly with one of our experts.

This article was written by Maikel Miggelbrink, Head of Risk & Regulation, with contributions from Clay Bobeldijk, Senior Consultant; Gideon Ezra, Consultant; and Gabriele Trevisan, Analyst.