Overview of DORA’s Draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)

published on 31 January 2025

The Digital Operational Resilience Act (DORA) aims to protect the EU financial sector from ICT disruptions. By January 17, 2025, all financial entities must comply with its rules, including ICT risk management, incident reporting, and third-party oversight.

Key Points:

  • ICT Risk Management: Establish policies, conduct regular risk assessments, and implement controls.
  • Incident Reporting: Report major incidents within 4 hours, with follow-ups in 72 hours and a final report in 1 month.
  • Third-Party Oversight: Maintain detailed registers of ICT service providers and conduct resilience tests.

The RTS defines what needs to be done, while the ITS provides templates and formats to ensure consistency across the EU. Compliance requires proactive planning, technology integration, and regular reviews to meet the strict standards.

Deadline Alert: Financial entities must act now to avoid penalties - there’s no grace period.

Main Requirements of DORA's Draft RTS

ICT Risk Management Framework

The draft RTS outlines detailed expectations for how financial entities should manage ICT risks effectively.

Entities are required to create an Information Security Policy that addresses several critical components:

| Component | Requirements | Implementation Focus |
|---|---|---|
| Governance | Clear management oversight and role clarity | Accountability structure with independence |
| Risk Assessment | Annual reviews (or periodic for micro firms) | Identify vulnerabilities and threats |
| Internal Controls | Documented procedures and protocols | Safeguard ICT assets and sensitive data |
| Continuous Improvement | Ongoing updates based on audits and incidents | Leverage findings to refine systems |

The principle of proportionality ensures that smaller entities can adopt simpler systems suited to their size and complexity, while larger institutions must implement more extensive frameworks.

In addition to risk management, DORA introduces strict guidelines for incident classification and reporting.

Incident Classification and Reporting

DORA sets clear rules for classifying and reporting incidents. Major incidents must be reported within four hours, with follow-up reports due within 72 hours and a final report within one month.

Incident classification is based on key factors like:

  • Impact on service availability
  • Number of affected clients
  • Financial consequences
  • Length of disruption
  • Severity of any data breaches

This structured reporting framework enhances operational resilience by enabling faster responses and recovery efforts.

DORA also emphasizes the importance of resilience testing and managing risks related to third-party ICT providers.

Resilience Testing and Third-Party Risk Oversight

The RTS requires financial entities to conduct regular resilience testing, including methods like threat-led penetration testing (TLPT) and vulnerability assessments. The frequency of these tests depends on the complexity of the ICT systems and the entity's risk profile.

For managing third-party risks, financial entities must:

  • Maintain a detailed register of ICT service agreements
  • Establish clear monitoring standards for service providers
  • Include contractual terms that ensure access, control, and audit rights

"DORA requires rigorous management of third-party ICT risks." [2]

These measures are designed to bolster digital resilience across the EU financial sector, ensuring operational continuity even in the face of disruptions.


DORA's Draft ITS

The RTS explains what needs to be done for compliance, while the ITS outlines how to do it. By providing practical templates and formats, the ITS helps ensure uniformity in reporting and documentation across the EU's financial sector.

ICT Third-Party Information Registers

Financial institutions are required to maintain detailed digital records of their ICT third-party service providers. These records, stored in a machine-readable format, allow regulators to efficiently analyze and compare data across entities. The ITS provides specific templates to capture key details, including:

| Information Category | Required Details |
|---|---|
| Contract Information | Service descriptions, start/end dates, jurisdictions; updated when changes occur |
| Risk Assessment | Service criticality, risk ratings, dependencies; reviewed quarterly |
| Performance Metrics | SLAs, performance indicators, incidents; monitored monthly |
| Control Measures | Security certifications, audit rights, exit strategies; reviewed semi-annually |

Tools like DORApp can automate the management of these registers and streamline regulatory reporting. By standardizing how third-party information is handled, the ITS improves oversight and simplifies compliance for financial institutions.
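As an added illustration (not code from the article, from DORApp, or from the ITS templates themselves), the following Python sketch shows what a machine-readable register entry can look like and how the review cadences from the table above can be checked automatically. The field names, the "critical"/"high" labels and the sample provider data are all constructed assumptions; the only facts taken from the text are the four information categories and their review cadences (on change, quarterly, monthly, semi-annually).

```python
"""Simplified machine-readable ICT third-party register with review-cadence checks.

Added example; the schema is a hypothetical simplification, not the ITS template.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import date

# Maximum age (days) of the last review for each category, following the
# cadences the article lists. Contract information is updated when changes
# occur, so it has no fixed cadence here.
REVIEW_CADENCE_DAYS = {
    "risk_assessment": 91,      # quarterly
    "performance_metrics": 30,  # monthly
    "control_measures": 182,    # semi-annually
}


@dataclass
class RegisterEntry:
    # Hypothetical field set covering the four information categories.
    provider: str
    service_description: str
    contract_start: date
    contract_end: date | None
    jurisdiction: str
    criticality: str                 # label values are assumed (e.g. "critical")
    risk_rating: str                 # label values are assumed (e.g. "high")
    dependencies: list[str] = field(default_factory=list)
    sla: str = ""
    certifications: list[str] = field(default_factory=list)
    audit_rights: bool = False       # contractual audit rights recorded?
    exit_strategy: str = ""
    last_reviews: dict[str, date] = field(default_factory=dict)  # category -> last review


def validate(entry: RegisterEntry) -> list[str]:
    """Return a list of completeness problems; an empty list means the entry is complete."""
    problems: list[str] = []
    for name in ("provider", "service_description", "jurisdiction", "risk_rating", "sla", "exit_strategy"):
        if not getattr(entry, name).strip():
            problems.append(f"missing {name}")
    if entry.contract_end is not None and entry.contract_end < entry.contract_start:
        problems.append("contract_end precedes contract_start")
    if not entry.audit_rights:
        problems.append("no contractual audit rights recorded")
    for category in REVIEW_CADENCE_DAYS:
        if category not in entry.last_reviews:
            problems.append(f"no review date for {category}")
    return problems


def overdue_reviews(entry: RegisterEntry, today: date) -> list[str]:
    """Categories whose last review is missing or older than the cadence allows."""
    overdue: list[str] = []
    for category, max_age in REVIEW_CADENCE_DAYS.items():
        last = entry.last_reviews.get(category)
        if last is None or (today - last).days > max_age:
            overdue.append(category)
    return overdue


def export_register(entries: list[RegisterEntry]) -> str:
    """Serialise the register as JSON with ISO-8601 dates, i.e. machine-readable."""
    def encode(value):
        if isinstance(value, date):
            return value.isoformat()
        raise TypeError(f"cannot encode {type(value).__name__}")
    return json.dumps([asdict(e) for e in entries], default=encode, indent=2, sort_keys=True)


# Constructed sample data and reference date for demonstration only.
TODAY = date(2025, 3, 1)

SAMPLE_ENTRY = RegisterEntry(
    provider="Example Cloud Ltd (constructed)",
    service_description="Hosting for payment gateway",
    contract_start=date(2023, 6, 1),
    contract_end=date(2026, 5, 31),
    jurisdiction="IE",
    criticality="critical",
    risk_rating="high",
    dependencies=["Example DNS Co (constructed)"],
    sla="99.95% availability",
    certifications=["ISO/IEC 27001"],
    audit_rights=True,
    exit_strategy="Migrate to secondary provider within 90 days",
    last_reviews={
        "risk_assessment": date(2025, 1, 15),     # 45 days old: within quarterly cadence
        "performance_metrics": date(2025, 1, 15), # 45 days old: past monthly cadence
        "control_measures": date(2024, 10, 1),    # 151 days old: within semi-annual cadence
    },
)

INCOMPLETE_ENTRY = RegisterEntry(
    provider="Example Analytics GmbH (constructed)",
    service_description="Fraud scoring API",
    contract_start=date(2024, 9, 1),
    contract_end=None,
    jurisdiction="DE",
    criticality="important",
    risk_rating="medium",
    sla="",                 # missing SLA
    audit_rights=False,     # audit rights not recorded
    exit_strategy="Fallback to in-house rules engine",
    last_reviews={
        "risk_assessment": date(2025, 2, 20),
        "performance_metrics": date(2025, 2, 20),
        # control_measures never reviewed
    },
)

if __name__ == "__main__":
    for entry in (SAMPLE_ENTRY, INCOMPLETE_ENTRY):
        print(entry.provider, "problems:", validate(entry), "overdue:", overdue_reviews(entry, TODAY))
    print(export_register([SAMPLE_ENTRY]))
```

Running the module prints the completeness problems and overdue review categories for both constructed entries, then the JSON export; the same validation can be run before each regulatory submission so that stale or incomplete entries are caught internally rather than by the supervisor.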

Incident Reporting Forms

The ITS also introduces standardized templates for reporting major ICT-related incidents. These templates ensure that financial entities provide consistent and detailed information to authorities. Reports are divided into initial, intermediate, and final submissions, covering fields like incident classification, response actions, and recovery efforts.

Key requirements include:

1. Incident Classification Details

Reports must clearly define the type, severity, and impact of the incident. This includes metrics such as the number of affected customers and estimated financial losses.

2. Response and Recovery Documentation

Entities must provide:

  • A timeline of when the incident was detected and addressed
  • Resources allocated to manage the situation
  • Communication efforts with stakeholders
  • Steps taken to restore normal operations
  • Updates made to risk management frameworks
  • Adjustments to third-party agreements

"The ITS requirements for incident reporting forms contribute to overall digital operational resilience by ensuring that financial entities report significant ICT-related incidents in a timely and standardized manner" [5][6].

While incident reporting focuses on operational disruptions, third-party registers address the underlying relationships that support ICT resilience.

Compliance Strategies for Financial Entities

To meet compliance demands effectively, financial entities should combine thoughtful planning, smart use of technology, and solid risk management practices.

Creating Compliance Strategies

The first step is to assess current ICT risk management practices. This involves identifying gaps in areas like incident reporting, oversight of third-party vendors, and resilience testing. These insights lay the groundwork for aligning with DORA requirements.

To stay organized, organizations should develop a detailed roadmap:

| Component | Timeframe | Key Activities |
|---|---|---|
| Preparation Phase | Q1-Q3 2025 | Gap analysis, updating policies, resource planning |
| Implementation Phase | Q3-Q4 2025 | Training staff, testing controls, assessing third-party risks |

With a roadmap in hand, the next step is to integrate technology to make compliance processes more efficient and manageable.

Using Technology for Compliance

Technology plays a big role in making compliance easier. Tools like automated reporting systems, third-party risk management platforms, and incident management software can simplify workflows and improve accuracy. For instance, automated tools can pull data from public sources to keep third-party records accurate and current.

However, even the best tools won't guarantee success unless organizations also address common stumbling blocks.

Avoiding Compliance Pitfalls

Even with a strong strategy and advanced tools, challenges can arise. Addressing these proactively is key to staying on track.

| Challenge | Mitigation Strategy |
|---|---|
| Resource Underestimation | Conduct a thorough resource assessment and keep a contingency budget |
| Inadequate Training | Offer role-specific training and provide regular updates |
| Poor Documentation | Set clear documentation standards and review them regularly |
| Technology Gaps | Invest in the right tools and ensure systems work together seamlessly |

"Financial entities should understand the importance of DORA's RTS and ITS, and the need for comprehensive compliance strategies. Regular monitoring and review of compliance strategies are crucial to ensure ongoing adherence to DORA's requirements" [3][4].

Finally, documenting every step - whether it's incident management, control implementation, or policy updates - is essential to prove compliance to regulators.

Conclusion: Preparing for DORA's RTS and ITS

Key Takeaways

DORA's RTS and ITS introduce new standards for managing digital resilience in financial entities. According to Deloitte's study spanning 20 European countries, only 29% of financial entities surveyed had clear plans for DORA compliance [1]. This highlights an urgent need for action, especially since effective resilience strategies can save organizations $48 million annually by reducing downtime [2].

Financial entities must move quickly to meet the January 2025 deadline.

Next Steps for Financial Entities

The European Supervisory Authorities emphasize that DORA provides no grace period, making timely compliance essential [5].

To prepare, organizations should:

  • Complete third-party registers by April 2025, focusing on critical providers.
  • Ensure ICT risk management systems align with DORA's requirements.
  • Develop and implement resilience testing protocols.
