Source: Charco & Dique (ProjectiveGroup)
Authors: Nienke Moek & Niels Huijpen
DORA, the Digital Operational Resilience Act, aims to end the fragmentation of IT compliance legislation. In January 2025, DORA will become applicable. From this date, financial entities must be compliant with DORA and with the regulatory technical standards still being developed by the European Supervisory Authorities (ESAs). Although the effective date is still some time away, we recommend that organisations get started with DORA now. In this article, we give you more insight into this timeline and offer tools to assess your level of compliance with DORA.
The Commission’s original proposal dates back to September 24, 2020. After opinions from the European Central Bank, the European Data Protection Board and the European Cyber Security Challenge, the Council approved the negotiating mandate on November 24, 2021. The proposal was then amended by the European Parliament and the Council.
With the Council’s approval on November 28, 2022, the legislative process is now complete. Because of the complexity, the standard implementation period of 12 months has been extended to 24 months. That means DORA will be applicable as of January 17, 2025.
Further interpretation through RTS
Now that the law has been passed, the relevant ESAs – EBA, ESMA and EIOPA – can develop Regulatory Technical Standards (RTS). These provide further interpretation and detail on certain points of the law and prescribe the use of certain standards or formats.
The figure below lists the RTS that are yet to be developed and when they will be ready.
What can you do to prepare?
The figure above illustrates that many details are still unknown. Moreover, 2025 still sounds far away. Nevertheless, we advise you to get started with the implementation of specific requirements from DORA, for example by making your internal processes and requested controls compliant.
DORA is a complex legal framework that contains many different topics and requirements, from IT Risk Management to contract and SLA management. In addition, DORA contains a proportionality principle. This means that the requirements described should be implemented in a way that is appropriate to the size, overall risk profile and nature, scale and complexity of the organisation.
We recommend tackling the implementation of DORA on a project basis, breaking it down into several steps and starting with an identification of the people responsible for and/or involved in the topics covered by DORA. Who within the organisation is responsible for ICT Risk Management (art. 5)? Who should be involved in determining the impact of DORA on the organisation for this topic? Answering these questions first directly identifies the stakeholders and involved parties for the (possible) change process.
Next, an Article 6 analysis should reveal which parts of the ICT Risk Management framework apply. After that, you can start determining what “gaps” exist between DORA and the current setup of the organisation. Technically, you have 24 months to fill these gaps, but don’t forget: the RTS must also be incorporated into the existing processes and procedures. In total, this brings us to four steps:
1. Determine who is responsible and needs to be involved within your organisation.
2. Analyse, per specific topic and DORA article, what applies to your organisation and to what extent.
3. Determine which processes and controls your organisation already has in place and implement what is still needed to meet the requirements of DORA.
4. Adopt the prescribed templates and other requirements from the RTS and make them part of the processes and procedures.
Schematically, the steps you can take before DORA becomes applicable look like this:
A preview of DORA’s content
DORA is divided into several chapters. In the coming months, we will use a number of articles to discuss the topics in more detail and explain the main provisions.
The following chapters of DORA apply to the financial entities that will be subject to it:
- Chapter II (art. 5–16): ICT Risk Management
- Chapter III (art. 17–23): Management, classification and reporting of ICT-related incidents
- Chapter IV (art. 24–27): Testing of digital operational resilience
- Chapter V (art. 28–30): ICT risk management of third-party providers
In anticipation of our next article, you can get started on “identifying” by determining who within your organisation is responsible for, or involved in:
- ICT risk management and the ICT risk framework;
- The ICT incident process;
- The availability and continuity of applications and systems;
- Contract management and control of IT outsourcing risks.
These will also be the people who will have to provide input for step 2.
Want to know more?
Do you have questions about DORA and the impact on your organisation? Our IT Compliance consultants are happy to help. Please feel free to contact us.