Five key considerations on the Digital Operational Resilience Act (DORA) (Omkar Nisal)

On September 24, 2020, the European Commission published the first draft proposal for a Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP). The aim is to guide financial institutions through the complexities of crypto assets, blockchain technology, and digital operational resilience, as well as to advise on a renewed retail payment strategy. Despite the benefits the DORA will bring, navigating the changes it requires will be a challenge for many businesses.
Here are five key points to consider when ensuring compliance under the Act.

1. What is the DORA, and why is it important?

 The new act will provide major European financial players with the necessary safeguards to mitigate cyber-attacks and other ICT-related or IT-based risks.

 The DORA will soon constitute a binding law covering each of the EU member states, and financial services institutions that operate within them. So why does this matter to the UK?

Although no longer a member of the EU, the UK remains one of the fundamental European financial hubs. UK financial services organisations – private or public – engaging in the European marketplace and operating within the EU will soon need to abide by these regulations, making the DORA an essential element of any UK business practice.

2. The legislative weight of the DORA

 The serious legislative weight carried by this new European act is another important reason UK financial services organisations should start thinking about compliance. Each European country’s financial services authority will take the role of compliance
oversight and enforce the regulation as necessary. Extensive fines will be issued for those institutions that fail to comply with the new regulations, leading to a dent in profits and potential reputational damage.

 This means significant penalties can be imposed by the Lead Overseer for non-compliance. These significant penalties will take the form of a periodic penalty payment of 1% of the average daily global turnover of the organisation in the preceding business
year. This will be applied by the Lead Overseer daily until compliance is achieved for no more than a period of six months.

3. Understand your state of vulnerability

When it comes to cyber risk and resilience, having ‘cyber-insurance’ alone is simply not enough – constant intelligence on the current state of risk is also vital. The ubiquity and connectivity of technology in today’s businesses extends across the physical resources that sit in day-to-day operations (ICT equipment, ATMs, laptops, conference room cameras) and across the virtual domains of the cloud, on-premise systems, AI, and quantum innovations.

The Act helps stakeholders and decision-makers build a deeper understanding of the internal state of risk and vulnerability suffered by their companies. In its most recent business of resilience report, the UK Government confirmed that the insurance protection gap remains high as far as cyber is concerned – ‘90% of all cyber losses remain uninsured’.

The DORA will help UK financial institutions to overcome the broader challenge of giving stakeholders and responsible decision-makers the right visibility of their critical assets and those assets’ security posture, which define the dependability and efficacy of their services.

4. What falls within scope under the Act?

 When finalised, the Act will apply to a wide range of financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and re-insurance undertakings. But it is not just financial services institutions
that are impacted. Under the DORA ‘critical ICT third party providers’ (CTPPs), including cloud service providers (CSPs), will fall within the regulatory perimeter of EU-wide standards for digital operational resilience testing.

Another element of novelty is the standardising of ICT risk management guidelines, incident classification, and reporting across financial services sectors. Harmonising these across the sector opens the door for financial entities to establish themselves within the secure borders of a unified EU hub against cyberthreats.

Any UK entity operating within the European financial market will need to comply with the Act as a fundamental prerequisite for visibility within the market and as a source of legitimacy when beginning partnerships within it.

5. Specialist tools that can assist you in getting a DORA plan in place

 Some organisations still use manual processes and spreadsheets to capture, manage, and report corporate compliance, risk management, and regulatory change across the business. These static spreadsheets quickly fall apart when it comes to managing and tracking
all the complex governance, risk, and compliance efforts within an organisation.

Institutions need to ensure strict compliance with the DORA, and thus may require adequate assistance from specialised IT tools that can support them in finding, documenting, managing, and classifying assets while evaluating the level of risk of each asset falling within scope.

Specialised security platforms can be the most cost-effective solution to tackle these issues while keeping up with the evolving regulatory landscape in financial services. These specialist platforms help identify new types of endpoints (such as conference room cameras) and can interface with existing tools, where they exist, to provide an accurate asset registry. The prime goal of these platforms is to seamlessly reduce operational resilience blind spots and protect the workforce in the face of adverse operational events by anticipating, preventing, and adapting to such events.

 In conclusion

To sum up, financial institutions need to ensure that they will be compliant under the DORA; otherwise they risk significant periodic penalty payments. To become compliant, organisations need to identify all of the assets that currently present a risk to key processes. Then they need to understand the level of risk that each asset presents so that mitigations can be considered. There are specialist tools on the market that can help organisations find, document, manage and classify their assets. Speak to an IT specialist to see how they can help your organisation with all of this.

More from Fintextra