The go-live date for the European Union’s wide-ranging DORA is rapidly approaching. But is the financial sector ready for it? Are company silos that need breaking down really being dismantled? This month’s webinar dived straight into this complex area.

As soon as details began to emerge about a new framework for enhancing the digital operational resilience of the EU financial sector, it was obvious to many that the eventual Digital Operational Resilience Act – DORA – would demand cross-organisational support like never before.

The regulation entered into force on 16 January 2023, with an implementation timeframe of just two years. Its provisions require firms to address everything from the risks arising from contractual arrangements for the use of ICT services (including those posed by third-party providers), to the systems they have in place for incident management, classification and reporting, and to establish digital operational resilience testing and information-sharing arrangements.


It’s a mighty undertaking. But despite what panellist Michael Bratton, principal managed services consultant at Riskonnect, called “lots of variance in putting testing programmes together”, the European Supervisory Authorities have confirmed that the January deadline will not be moved, and no additional transitional period will apply beyond that date.

So, with the clock ticking, what is the state of play as our panellists see it?

COMPLIANCE OR RESILIENCE?

On the positive side, observed Kairi Ilison, deputy of the DORA programme and lead project leader at Nordea, DORA hasn’t arrived into a completely empty regulatory space. “The financial services sector is, as we know, extremely mature, and very alert to risk,” she said.

“It has implemented GDPR and other similar legislation – such as that around cyber risk. I’ve always thought DORA is like renovating a house – you’re adding a new part on to what’s already there. Like most additions, the challenge is how you live there [i.e., how the business accommodates it], while it’s being done.

“But,” she added, “what I think is different with DORA is the way it adds more to what’s already built. Resilience is not new, but the widening of resilience scope is, and it’s the way this runs across silos and requires a new level of coordination that will really distinguish this act.”


This observation was not lost on Bratton or on Daniel Domingos Rodrigues, senior manager for information security and cyber security at Capgemini. Rodrigues said: “When there’s data privacy, legal, compliance, operations, IT, even communications involved, it becomes a question of who takes charge.”

Bratton agreed, adding: “Different teams will probably have different bits of the information needed – everyone from continuity compliance to crisis communications. All these disciplines could each give about 60–70% of the solution, so establishing the right cross-ownership approach will be crucial.”

So how important will co-operation be? “For much of DORA, there isn’t an ‘owner’ as such – and so what becomes key is how different units work together,” Ilison said.


Ilison went on to suggest that we could see the emergence of a dedicated ‘chief resilience officer’. This would, she asserted, “ensure, and define, how shared responsibilities would have to operate in practice”.

While the panel accepted that few companies have so far gone as far as to create this new position, Rodrigues observed that business continuity teams are already starting to up-skill and move more into operational resilience specifically to break these silos down.

Bratton added: “Organisations still need to iron out nuances around documenting governance; they need to set new criteria, and new skills will be needed in the risk discipline.”

But all the panellists agreed that in the race to prove compliance, arguably not enough emphasis is being placed on the ultimate aim of the act, which is to make more financial institutions see (and feel) the benefit of greater operational resilience. “Organisations are probably not yet at the stage where they are feeling the benefits of knowing how critical systems might be susceptible to failure, and understanding why addressing this is a good thing,” said Bratton.


The panel all agreed that the main reason for this was confusion around a number of factors: namely, the extent to which firms need to deep-test scenarios, whether certain suppliers (and suppliers of suppliers) fall under the provisions of the act, and who is responsible for determining whether they do. As Ilison put it: “End-to-end control of the value chain is challenging.”

Where opinions divided, however, was on the extent to which DORA provided any guidance here. “I’ve worked on lots of regulations, and typically 99% of them concentrate on telling companies ‘what’ to do, with only 1% on actually ‘how’ to do it,” argued Rodrigues.

Ilison, on the other hand, was more generous, pointing to the various new Regulatory Technical Standards (RTSs), which set out the technical detail and methodology to meet the level 1 DORA general principles and requirements (although she acknowledged the second batch of these has only very recently appeared).

But even she accepted that challenges remain about how interpretations of testing might differ. “Banks globally have different authorities governing them, and interpretations of some external reporting requirements may not be 100% aligned,” she added. “This is why organisations always need to remind themselves that this is not a compliance-only exercise.”

REAL TESTING NEEDED

To mitigate some of these issues, the panel suggested that doing real-case scenario testing was an absolute must – which should include deciding who needs to lead, and determining precisely how information must flow.

As Rodrigues put it: “You’ve got to know who needs to be benched if they don’t have the skills needed. The challenge always, with an act like this, is that it’s not just an IT issue, but a human factor one, too.”

By establishing these sorts of protocols, the panel felt that over time DORA would start to create the sort of change it really aspires to, by requiring financial services providers to define their ambition for resilience and set targets for how far they want to reduce risk.


“Running a company is never without risk,” observed Ilison. “Regulators have put us in a tough spot, and ideally, we would like more time. But I do think the regulators have listened, and that there is room to apply proportionality, allowing companies to prioritise and apply their own common sense.”

Noting that redrafting supplier contracts and testing both take time, Rodrigues hinted that regulators will be unlikely to be too heavy-handed with those who can demonstrate their compliance journey.

He said: “If we look back to GDPR, regulators just didn’t have the capability to regulate and investigate everyone – and it’s likely they will probably take a bit of a step back with DORA, too.” But that’s not, he reiterated, an excuse to take the foot off the pedal: “This regulation didn’t just come out of the blue – it came because there was a reason for it first.”

A MAP FOR DEFINING RISK

Fundamentally, said Ilison, DORA establishes a roadmap for companies to define their appetite for risk, and whether they accept a given risk or mitigate it.

She said: “Someone once said: ‘Plans are useless, but planning is essential,’ and for DORA, planning is certainly needed. Testing is also needed, and I think that for some scenarios – like climate change – the testing is hard. So, companies should focus first on what they consider applicable.”

Rodrigues added: “Table-top models are easy, but it’s shifting to real scenarios and testing for this that matters. That’s when you see egos come out, and people claiming they are leaders when they might not be best suited.”


Ilison said DORA is something organisations will “need to draw their own conclusions about”, but she argued that the RTSs also provide help. “The RTS for subcontracting outlines conditions for subcontracting, for example,” she said.

And with careful planning and silo-breaking, our three panellists agreed it can be interpreted and incorporated into a business effectively. “Work with what you’ve got, and do what you can in-house first, before going anywhere else,” advised Rodrigues.

“Understand the top-line picture,” added Bratton. “Can we always identify groupings of risk? It’s tough, but this must now be a part of an organisation’s determination of risk.”

Ilison concluded: “There’s the regulation, and then there’s what’s feasible. But DORA gives a few recipes to help us. The key is how we work it all out in practice.”
