DORA – Navigating The EU's Operational Resilience Landscape

CJ
CJC Ltd

Contributor

CJC is the leading market data technology consultancy and service provider for global financial markets. CJC provides multi-award-winning consultancy, managed services, cloud solutions, alert monitoring and observability, and commercial management services for mission-critical market data systems. CJC is vendor-neutral and ISO 27001 certified.

DORA – Bolstering and Harmonising Operational Resilience Across the EU

Digital technologies are pivotal for global financial and capital market firms: they support complex systems and are critical for the delivery of typical business functions and revenue-generating activities. Digitalisation and the resulting interconnectivity enable greater efficiency and cost savings, but they also amplify information and communication technology (ICT) risks and increase the financial system's vulnerability to cyber threats and disruptions.

Despite targeted policy and legislative initiatives at the national level, the European Union (EU) recognises the critical need to harmonise and bolster operational resilience across its member states to protect the integrity and efficiency of the internal market, particularly in view of escalating cyber threats[1] and disruption incidents[2]. This view was recently echoed by Liquidnet[3]:

"The industry is only as strong as its weakest link [...] 2024 will not only represent greater regulatory scrutiny of compliance, risks, and controls as well as technology interoperability, but individual responsibility in making the eco-system function optimally."

Addressing the ongoing resilience challenges, the EU introduced the Digital Operational Resilience Act (DORA) to fortify ICT security and operational robustness for financial entities.

What Is DORA and Its 5 Focus Areas?

DORA was adopted by the European Parliament and the Council on 14 December 2022, with compliance required by 17 January 2025. The regulation aims to consolidate and enhance digital operational resilience across a financial landscape in which it had, until now, been addressed separately in various Union legal acts, by establishing a common framework[4] for the digital operational resilience of financial entities so that they can better withstand and recover from breaches and ICT incidents.

DORA's 5 Areas of Focus:

  1. ICT Risk Management.
  2. ICT-related Incident Management, Classification & Reporting.
  3. Digital Operational Resilience Testing.
  4. ICT Third-Party Risk Management.
  5. Information Sharing Arrangements.

Why Is DORA Important?

DORA builds on and supersedes earlier industry-specific guidelines to overcome disparities, consolidating guidance for the key areas consistently across the entire value chain. It is unique in introducing a union-level common oversight framework for critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs)[5].

With the financial sector reliant on digital ICT systems, and as interconnectivity grows, ICT risks and vulnerabilities will have an increasingly disruptive cross-border impact across the union, amplifying the effect of operational disruptions and cyber threats at financial firms. DORA acknowledges that digitalisation now encompasses critical financial functions[6] such as payments, securities clearing, algorithmic trading, and back-office operations. It aims to bolster the operational resilience of these functions to maintain overall financial stability and protect consumer trust within the internal market, and to preserve market confidence by ensuring the seamless provision of financial services even in challenging scenarios.

Did You Know?

CJC has held ISO 27001:2013 certification[7], the international standard for information security management, for many years, and its operations team enhanced operational resilience[8] and system reliability last year.

Last month[9], Peter Williams, CJC's Chief Technology Officer, said: "CJC is at the bleeding edge of operational resilience and third-party dependency requirements. No matter the service level, DORA-compliant standards and transparency are out-of-the-box from CJC."

Who Does DORA Apply To?

DORA applies to all financial institutions in the EU and to the ICT third-party service providers that supply services supporting them, as a recent insight[10] addressed. The EU's DORA regulation introduces specific and prescriptive requirements for all financial market participants.

DORA – Financial Entities

To comply with DORA, financial entities must enhance their ICT risk management practices, which include identifying, assessing, and mitigating risks associated with digital operations. DORA also introduces obligations to report ICT incidents that disrupt critical functions promptly to the relevant authorities. In addition, institutions must regularly simulate a range of disruptions to test their operational resilience and recovery capabilities.

Notably, DORA emphasises that financial entities must assess and manage the third-party ICT risk arising from their service providers and ensure that contractual arrangements address operational resilience. This relates to concentration risk (DORA Article 29[11]) and follows incidents such as the OPRA outage[12], and cybercrime targeting critical suppliers in the financial supply chain, such as the Ion Group hack last year[13] or attacks on cloud computing vendors[14], where a single incident can potentially affect multiple financial entities.

It should be noted that the impact of outages is not limited to firms and end-users; repercussions can spill over onto personal finances, as demonstrated by DBS bank[15] earlier this year.

DORA – Third-Party Dependencies and Operational Resilience

Financial entities have increasingly relied on third-party providers to deliver critical parts of their operations and services, so DORA also significantly affects third-party dependencies. These third parties include cloud service providers, data vendors, software developers, and other technology partners. Outsourcing certain functions can enhance efficiency and reduce costs, but, as the Ion incident showed, it also introduces new risks. Authorities must now look beyond the resilience of individual regulated firms and assess the sector's wider operational resilience.

DORA emphasises the importance of robust risk management practices for third-party dependencies, aiming to bolster the overall resilience of the financial sector in the digital age. These include:

  1. Broad Scope of ICT Third-Party Risk – To enhance operational resilience across the financial services sector, DORA casts a wide net in defining ICT third-party risk. For example, DORA Article 3(18)[16] defines ICT third-party risk as any ICT risk (Article 3(5)[17]) that may arise for a financial entity from its use of ICT services provided by a third-party service provider, its subcontractors, or outsourcing arrangements.
  2. Risk Management Practices for Third-Party Vendors – DORA mandates appropriate risk management practices for third-party vendors to reduce the operational risks associated with third-party relationships and ensure resilience. It also aims to implement a harmonised regulatory framework for third-party vendor risk management across the EU (Article 15)[18].
  3. Critical ICT Third-Party Providers – DORA recognises the critical role of ICT service providers in financial services. If a third party is deemed critical, as CJC is in some instances, it must comply with DORA's requirements. Notably, critical third parties outside the EU are required to establish a subsidiary within the EU (Article 31(12)[19]), although preamble (82)[20] notes that the requirement "should not prevent the critical ICT third-party service provider from supplying ICT services and related technical support from facilities and infrastructure located outside the Union."

Speaking about operational resilience and DORA compliance, Gina Wee, Chief Information Officer at CJC, said: "From implementing robust encryption and strict access control to conducting regular audits, CJC upholds high levels of compliance to ensure data security. Combined with proactive planning, adaptive procedures and a culture of continual improvement, we ensure uninterrupted services to our clients. We hope our commitment to information security, operational resilience and accountability provides our clients peace of mind and confidence in our managed services."

DORA Compliance vs. Non-Compliance

The Risk of Non-Compliance

Not complying with DORA may lead to reputational damage, financial losses, and regulatory penalties. Firms that fail to comply with DORA's requirements risk operational disruptions, customer dissatisfaction, and potential legal consequences.

DORA Compliance – 3 Considerations & Best Practices

To comply with DORA, financial institutions must first comprehensively map existing third-party dependencies, which involves understanding the services delivered by outsourced functions in order to identify critical dependencies. The second step assesses the resilience of the mapped dependencies, evaluating each service provider's operational capabilities, security measures and disaster recovery plans. Finally, contractual agreements with third parties should specifically address operational resilience requirements, including provisions for incident reporting, business continuity, and recovery time objectives.

To stay compliant, financial institutions can take several steps to implement best practices that ensure continuous compliance with DORA. These include:

  1. Due Diligence – When selecting third-party providers, conduct thorough due diligence by considering their track record, financial stability, and operational resilience.
  2. Scenario Testing – Simulate various scenarios with third parties to test the effectiveness of recovery plans. This should include cyberattacks, system failures, and natural disasters.
  3. Continuous Monitoring – Monitor third-party performance and compliance regularly, being prepared to adapt should resilience postures change.

Footnotes

1. FinExtra (2023), "ICBC pays ransom after US hack" at "https://www.finextra.com/newsarticle/43287/icbc-pays-ransom-after-us-hack" [Accessed 22 March 2024].

2. FinExtra (2024), "Aussie banks hit by outage at key supplier" at "https://www.finextra.com/newsarticle/43709/aussie-banks-hit-by-outage-at-key-supplier" [Accessed 22 March 2024].

3. Preece C. (2024), "Market outages and resiliency a must watch area for market participants going forward, says Liquidnet" at "https://www.thetradenews.com/market-outages-and-resiliency-a-must-watch-area-for-market-participants-going-forward-says-liquidnet" [Accessed 22 March 2024].

4. Cyber Risk GmbH (2022), "Digital Operational Resilience Act (DORA), Preamble 1 to 10" at "https://www.digital-operational-resilience-act.com/Preamble_1_to_10.html" [Accessed 2 April 2024].

5. PricewaterhouseCoopers (2023), "DORA and its impact on UK financial entities and ICT service providers" at "https://www.pwc.co.uk/industries/financial-services/insights/dora-and-its-impact-on-uk-financial-entities-and-ict-service-providers.html" [Accessed 2 April 2024].

6. The Guardian (2023), "Bank of England outage hits key payments systems processing billions" at "https://www.theguardian.com/business/2023/aug/14/bank-of-england-outage-hits-key-payments-systems-processing-billions" [Accessed 2 April 2024].

7. Crown Jewels Consultants (2023), "CJC Recertified for ISO 27001:2013, Version 2022 Next" at "https://cjcit.com/cjc-news/iso-27001-recertified-2023/" [Accessed 2 April 2024].

8. Crown Jewels Consultants (2023), "CJC Enhances Market Data IT Reliability & Operational Resilience" at "https://cjcit.com/cjc-news/ehance-market-data-reliability-operational-resilience/" [Accessed 2 April 2024].

9. Moreton S. (2024), "DORA – The Upcoming Changes & Impacts On Your Managed Services" at "https://cjcit.com/insight/dora-and-operational-resilience/" [Accessed 2 April 2024].

10. Moreton S. (2024), "DORA – The Upcoming Changes & Impacts On Your Managed Services" at "https://cjcit.com/insight/dora-and-operational-resilience/" [Accessed 2 April 2024].

11. Cyber Risk GmbH (2022), "Digital Operational Resilience Act (DORA), Article 29" at "https://www.digital-operational-resilience-act.com/Article_29.html" [Accessed 2 April 2024].

12. Goyder B. (2023), "Opra outage cause consternation in options markets" at "https://www.risk.net/derivatives/7958170/opra-outages-causes-consternation-in-options-markets" [Accessed 2 April 2024].

13. Clancy L. (2023), "One-fifth of CME clearing members hit by Ion hack" at "https://www.waterstechnology.com/regulation/7950682/one-fifth-of-cme-clearing-members-hit-by-ion-hack" [Accessed 2 April 2024].

14. FinExtra (2023), "Ransomware attack on vendor causes outages at 60 credit unions" at "https://www.finextra.com/newsarticle/43389/ransomware-attack-on-vendor-causes-outages-at-60-credit-unions" [Accessed 2 April 2024].

15. FinExtra (2024), "DBS chief Gupta docked millions of dollars in annual salary over outages" at "https://www.finextra.com/newsarticle/43662/dbs-chief-gupta-docked-million-of-dollars-in-annual-salary-over-outages" [Accessed 2 April 2024].

16. Cyber Risk GmbH (2022), "Digital Operational Resilience Act (DORA), Article 3" at "https://www.digital-operational-resilience-act.com/Article_3.html" [Accessed 2 April 2024].

17. Cyber Risk GmbH (2022), "Digital Operational Resilience Act (DORA), Article 3" at "https://www.digital-operational-resilience-act.com/Article_3.html" [Accessed 2 April 2024].

18. Cyber Risk GmbH (2022), "Digital Operational Resilience Act (DORA), Article 15" at "https://www.digital-operational-resilience-act.com/Article_15.html" [Accessed 2 April 2024].

19. Cyber Risk GmbH (2022), "Digital Operational Resilience Act (DORA), Article 31" at "https://www.digital-operational-resilience-act.com/Article_31.html" [Accessed 2 April 2024].

20. Cyber Risk GmbH (2022), "Digital Operational Resilience Act (DORA), Preamble 81 to 90" at "https://www.digital-operational-resilience-act.com/Preamble_81_to_90.html" [Accessed 2 April 2024].

Originally published 04 April 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
