Skip to main content

Implementing DORA: Strengthening ICT Governance and Risk Management in Financial Institutions

The Digital Operational Resilience Act (DORA) marks a significant regulatory advancement in enhancing the digital resilience of financial institutions within the European Union. It aims to address growing concerns around ICT risks, cyber threats, and the reliance on third-party service providers in a rapidly evolving digital landscape. This article delves into the critical components of DORA, focusing on governance, ICT risk management, third-party oversight, and operational security, offering clear insights and practical guidance for financial institutions to ensure compliance and bolster their resilience.

Why is DORA important for financial institutions?

1. Governance and Organisation in DORA: Strengthening Digital Resilience

The implementation of DORA places a strong emphasis on governance and organisation within financial entities to ensure digital operational resilience. A key change is the introduction of a Digital Operational Resilience (DOR) strategy, which aims to address ICT risks and third-party risks in a comprehensive manner. Unlike previous frameworks such as BAIT, DORA requires the development of a governance framework specific to ICT, focusing on the prudent management of ICT risks and enhancing digital resilience.

A significant expansion of the responsibilities of the management body is also introduced. Under DORA, the management body is required to have a thorough understanding of ICT risks and ensure that policies related to information security, ICT continuity, and third-party risk management are regularly updated and approved. This shift represents a more integrated approach to ICT governance, making it a core element of operational risk management.


2. Information Risk and Security Management: From Security to ICT Risk Management

DORA represents a shift in focus from traditional information security to a broader ICT risk management framework. While previous regulations like BAIT emphasized safeguarding information assets, DORA integrates these aspects into a more comprehensive approach to ICT risks, addressing not just security, but also risks associated with legacy systems, third-party dependencies, and new technologies.

Financial institutions are now required to implement ICT risk control functions to oversee ICT risks. This function goes beyond the role of an information security officer, covering all ICT-related risks. Additionally, DORA mandates more rigorous testing and analysis of ICT systems, with a focus on identifying vulnerabilities and responding to incidents efficiently. A new emphasis is placed on regular reviews and reporting of ICT risk management frameworks to ensure continuous improvement.


3. IT Operations: Ensuring Stability and Resilience

IT operations are critical under DORA, with increased focus on operational stability and the resilience of ICT systems. DORA requires financial entities to ensure their ICT systems remain up to date, reliable, and resilient, even during market disruptions. ICT systems must be regularly assessed, with all changes documented, tested, and approved. This goes beyond traditional change management practices by requiring that all changes—not just material ones—be subjected to rigorous evaluation.

Data management practices are also enhanced under DORA. Segregated data retention and reconciliation procedures are mandated to ensure the integrity of backups and reduce the risk of data loss. Regular data restoration testing is now required, and systems must be physically and logically segregated to enhance security during data recovery operations.


4. ICT Business Continuity Management: Policies and Scenarios

DORA introduces more detailed requirements for ICT business continuity management, expanding the range of mandatory scenarios that must be addressed in continuity plans. Financial institutions are now required to consider scenarios such as climate change impacts, insider attacks, and political instability, reflecting the evolving landscape of operational risks.

In addition to the broader scope of scenarios, DORA mandates regular reviews of ICT continuity plans by senior management. Crisis management functions are reinforced, and financial entities must establish clear communication strategies for internal and external stakeholders during incidents. These requirements aim to enhance the overall resilience of financial institutions, ensuring they can maintain critical functions even in the face of extreme disruptions.


5. ICT Project Management and Application Development

Under DORA, ICT project management is subject to analogous requirements as seen in previous regulations, but with more detailed stipulations. Financial entities must now ensure that all ICT projects adhere to a formal methodology that evaluates their impact on critical functions. Additionally, DORA expands requirements for system development and maintenance, emphasizing the need for secure coding practices, rigorous testing, and source code analysis, especially for systems exposed to the internet.

One of the key changes is the removal of the materiality threshold for ICT change management, meaning that all changes—whether large or small—must be recorded, tested, and verified. This ensures that even minor changes are subject to scrutiny, reducing the risk of introducing vulnerabilities into critical systems.


6. ICT Third-Party Risk Management: A Comprehensive Framework

DORA introduces stringent requirements for managing risks associated with ICT third-party providers. This framework goes beyond traditional outsourcing regulations by requiring financial entities to conduct extensive risk analyses and due diligence on all third-party providers that support critical or important functions. Contracts with third-party providers must now include provisions for regular reviews, audits, and termination rights.

DORA also introduces new rules for subcontracting, mandating that financial entities maintain oversight over any third-party services that are subcontracted. This includes ensuring that subcontractors meet the same stringent security and resilience requirements as the primary third-party providers.


7. Operational Information Security: Strengthening Defenses

DORA enhances operational security by introducing more stringent requirements for network security and encryption. Financial institutions are now required to encrypt data not only at rest and in transit but also while it is being used, significantly raising the bar for data security. This requirement may necessitate the adoption of protected environments for data processing where encryption is not feasible.

Additionally, DORA mandates timely identification and handling of vulnerabilities through automated scans and prioritization of patch management. Financial entities must establish clear processes for addressing vulnerabilities, particularly in critical systems, to ensure they can respond swiftly to emerging threats.


8. Identity and Access Management: Enhancing Control

DORA introduces explicit requirements for identity management, mandating that each individual accessing a financial institution’s systems be assigned a unique identity. This principle ensures that access can be effectively controlled and audited, reducing the risk of unauthorized access. Additionally, DORA requires the recertification of access rights every six months for critical functions, ensuring that access is continuously monitored and updated.

A new “need-to-use” principle is introduced, complementing the traditional “least privilege” and “need-to-know” principles. This principle limits access to systems and data strictly to those who require it for their work, further strengthening the overall security posture of financial institutions.

This article provides a concise summary of the key changes introduced by DORA and their implications for financial institutions. Each section highlights the practical steps that need to be taken to ensure compliance and enhance digital resilience.