Digital Operational Resilience Act (DORA)

What financial firms now have to observe

Your expert for questions

Philipp Schulz
Director, DORA Lead at PwC Germany

Harmonisation of security in the entire EU financial sector

The Digital Operational Resilience Act is the European Commission’s effort to put in place a uniform framework for the effective and comprehensive management of cybersecurity and ICT risks in the financial markets. The emphasis shifts from previously focussing on guaranteeing financial firms’ financial resilience to also ensuring that operations remain resilient in the event of a severe business interruption that could threaten the security of the network and the information systems.

With growing numbers of cyberattacks, it is more important than ever to prepare for incidents and to take measures to strengthen cyber-resilience. Adjustments and additional expenses are expected. However, at the same time we also see DORA as a huge opportunity for financial firms to achieve a significantly higher level of security by becoming more resilient, and by achieving a consistent level of maturity, when it comes to cybersecurity.

The key facts about DORA

Why DORA?

By introducing a uniform, coherent supervisory approach for all relevant sectors, DORA guarantees the harmonisation of security and resilience practices in the EU. The emphasis is shifted from previously focussing on guaranteeing financial firms’ financial resilience to also ensuring the maintenance of resilient operations in the event of a severe business interruption that could threaten the security of the network and the information systems.

What does DORA comprise?

DORA introduces a holistic framework for effective risk management, ICT and cybersecurity functions, the treatment and reporting of errors, and for the management of external providers, thereby guaranteeing the consistent provision of services across the entire value chain. Five core topics play a particular role: ICT risk management, management of ICT incidents, digital operational resilience testing, management of third parties and information exchange.

By when are companies required to implement the requirements introduced in DORA?

A period of two years is allowed for the implementation of the DORA regulations, which took effect on 16 January 2023. Despite the implementation period until January 2025, we are already seeing strong pressure on financial firms to identify and implement their required actions arising from the DORA requirements. Currently, we are seeing a particular focus on the introduction of a comprehensive ICT risk management system.

First half of 2024: Publication of the first series of RTS/ITS, among other things for the ICT risk management framework, operational security, classification of ICT incidents and ICT third party risk management

Second half of 2024: Publication of the second series of RTS/ITS, among other things to report ICT incidents, criteria, methodologies and requirements for testing digital operational resilience and requirements for designing sub-outsourcing arrangements

2025: The DORA requirements must be implemented 24 months after DORA entered into force. It is therefore expected that financial firms will have to meet the DORA requirements by January 2025.

Our view of DORA for German companies

We see DORA both as a challenge and as an opportunity for financial firms. DORA’s uniform EU-wide requirements mean that financial firms must ensure a consistent level of maturity in terms of cybersecurity and operational resilience in respect of all of their activities in the EU.

However, with a “preparatory period” of two years, which is already well under way, there is a huge amount to consider, to implement and to verify. Financial institutions should already undertake comprehensive gap analyses now, in order to evaluate their degree of maturity with respect to DORA and to identify, in good time, the areas that require further investment and appropriate prioritisation. This will put your company in a better position to meet the more complex requirements, such as third-party risk management, threat intelligence and more advanced security tests, and thereby to protect itself proactively against possible shortfalls.

Given DORA’s broad scope of application, it is likely that the regulations will address many topics that have already been covered by existing provisions in Germany. Nevertheless, certain topics such as threat intelligence and threat-led penetration tests are novel, and closer attention must therefore be paid to them. We see a further challenge in the ability to develop overall control, and an understanding of all of the key dependencies between your company and your service providers. Given the heavy focus on third-party risk management, companies are expected to satisfy themselves as to the resilience of their service providers. This requires close interaction and collective efforts with the relevant third-party ICT providers, particularly if these support the provision of critical or important business services.

Our recommendation for all affected companies is therefore as follows: Irrespective of where you are with respect to the maturity of your digital and operational resilience, DORA should be the catalyst for beginning, or improving, your resilience. An initial gap analysis and maturity assessment provide an excellent starting point. Generally speaking, companies that apply current regulatory requirements in keeping with current audit practices may be in a better position to implement most DORA requirements. Nevertheless, our experience from supporting many clients in their cyber security and resilience efforts clearly shows: There is no such thing as “too resilient” or “too secure”. Consider this: The more resilient you are compared with your competitors, the greater your competitive advantage will be.

DORA will place its regulatory emphasis on five key pillars

Operational resilience and risk management

Financial firms are obliged to put a comprehensive ICT risk management system in place, including:

  • Establishment and maintenance of robust ICT systems and tools that minimise the effects of ICT risks,
  • Key elements such as the identification, classification and documentation of critical functions,
  • Continuous monitoring of all sources of ICT risks, in order to put protection and prevention measures in place,
  • Immediate identification of abnormal activities,
  • Introduction of special and comprehensive business continuity guidelines and contingency and recovery plans, including annual tests of those plans, all of which cover supporting functions,
  • Establishment of mechanisms in order to learn both from external events, and from internal ICT incidents, and to continue to develop.

Management of ICT incidents and cyber security

Financial firms are obliged:

  • To develop a proven method to log and classify all ICT incidents and to determine major incidents pursuant to the criteria listed in the regulation and further specified by the European supervisory authorities (EBA, EIOPA and ESMA),
  • To submit an initial, an intermediate and a final report on ICT-related incidents,
  • To harmonise the reporting of ICT-related incidents based on the standard templates developed by the ESAs.

Digital Operational Resilience Testing

The regulation obliges all entities in scope to:

  • Conduct fundamental tests of ICT tools and systems each year,
  • Identify, mitigate and eliminate any weak points, gaps or deficiencies without delay, by taking countermeasures,
  • Regularly undertake advanced threat-led penetration tests (TLPT) for ICT services supporting critical functions. Third-party providers of ICT services are obliged to take part in the tests and to cooperate fully.

Governance and management of third parties

The financial firms are obliged:

  • To ensure the solid monitoring of risks arising from employing third-party ICT service providers,
  • To provide a full register of outsourced activities, including internal group services and all changes to the outsourcing of critical services to ICT service providers,
  • To consider the ICT concentration risk and the risks arising from sub-outsourcing activities,
  • To harmonize key elements of the service and the relationship with third-party ICT service providers in order to achieve “complete” monitoring,
  • To ensure that agreements with third-party ICT service providers contain all necessary details for monitoring and accessibility, such as a full description of the scope of services and the locations where the data is processed.

Critical ICT service providers will be subject to an EU supervisory framework that can issue recommendations to mitigate ICT risks that have been identified. Financial firms must take account of the ICT third-party risk arising from a service provider that does not follow the recommendations laid down for it.

Information exchange

  • The regulation allows financial firms to reach agreements among themselves on the exchange of information and insights in relation to cyber threats.
  • The supervisory authority will provide financial firms with relevant anonymised information and insights in relation to cyber threats. Companies should therefore put mechanisms in place to examine the information that has been passed on by the authorities and take measures accordingly.

How can PwC support your company?

PwC can fully support your company along the road to adhering to the DORA regulations, from evaluating your current preparedness, to supporting you in implementing measures to meet the statutory requirements and embedding these within your risk management, security management, resilience management and compliance management system.

Following the adoption of DORA, financial institutions must seriously plan for the implementation of this regulation.

Digitisation has deepened the linkages and dependencies within the financial sector and with infrastructure and service providers.

Our insights and webcast recording on DORA

What objectives does the DORA regulation seek to pursue? And why should banks and insurance companies choose now to tackle these issues intensively? We discussed this, and much more, in our recent webcast. You weren’t able to join us? No problem! Register directly for our recording and ensure that you obtain all the relevant insights. More valuable facts on the new guidelines, including our recommended actions across the DORA pillars, are also available for download above.


Contact us

Philipp Schulz
Director, DORA Lead, PwC Germany
Tel: +49 151 46164136

Grant Waterfall
Partner, Cyber Security & Privacy Leader, PwC Germany

Rüdiger Giebichenstein
Partner, Financial Services, Technology & Process Risk, PwC Germany
Tel: +49 175 7954901