The European Union (EU) will soon launch a new regulation that will require banks and firms in the global financial industry to mature their third-party risk management programs to include set cybersecurity requirements – which will also apply to the critical Information and Communication Technology (ICT) service providers they are working with.
The timeframe for meeting compliance standards will be relatively short despite the complexity expected with the new framework.
Understanding the Digital Operational Resilience Act (DORA), as well as acknowledging DORA’s roadmap and timeline, is important for all eligible firms so that CIOs, CISOs, and compliance managers can start planning immediately.
The need for unified cybersecurity standards
Although the financial resilience of organisations has recovered across the EU since 2008, ICT risk has been addressed differently by the various member states’ financial supervisors. This has caused an inconsistent approach resulting in a proliferation of individual national regulatory initiatives.
In February 2020, the European Systemic Risk Board (ESRB) expressed deep concerns about the need to consolidate third-party risk management requirements in financial entities across Europe. This recommendation was sent out following a report published on cyber incidents, which identified cyber risk as being one of the sources of systemic risk to the financial system that could have serious negative consequences.
The report recognised that a single event could trigger a systemic crisis threatening financial stability. As stated in a Cybersecurity Ventures report, global cybercrime costs are expected to grow by 15% per year over the next five years, reaching $10.5 trillion USD annually by 2025. Furthermore, we have been seeing an increase in the number and severity of cyber threats associated with ICT risks such as phishing, identity theft, and ransomware, a trend amplified by vendor concentration, which accelerates the spread and effectiveness of cyber threats.
What does DORA mean for your organisation?
DORA will specifically focus on 20 types of regulated EU financial entities. These include not only banks, credit, payment, and electronic money institutions, but also investment firms, crypto-asset service providers and many other entities working as securities depositories, central counterparties, trading venues, trade repositories, alternative investment funds and their managers, data reporting, insurance and reinsurance, occupational retirement pensions, credit rating, statutory auditing, or crowdfunding, among others.
Both large and small financial firms and ICT vendors will be included within DORA’s guidelines, and while some firms will face less complex guidance from the legislation, others are sure to find it more burdensome than the current requirements in place. It is also expected that future Digital Operational Resilience Act regulation will establish further levels and timeframes of application, depending on the size and/or scope of activity of each eligible firm.
Regardless of future scope and criteria, DORA will require all organisations to implement secure technologies and processes to raise overall supply chain resilience. Cyber risk management strategies and third-party risk management programs in particular need to evolve to address DORA’s five key pillars:
- ICT Risk Management
- ICT Incident Reporting
- Digital Operational Resilience Testing
- Information and Intelligence Sharing
- ICT Third-Party Risk Management
Despite Brexit, DORA will also align with the UK’s Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) requirements. This means that the UK-specific framework will exist in parallel with the guidelines provided by the European Supervisory Authorities (ESAs) – which are the European Banking Authority (EBA), the European Insurance and Occupational Pension Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
Download your guide to DORA
Learn more about the DORA regulation, how it will promote the need to establish robust measures and controls on systems, tools, and third parties, and how DVV Solutions and BitSight can help your organisation comply.
How can DVV Solutions and BitSight help your organisation comply with DORA?
Depending on how quickly potential third-party risk management requirements are addressed and agreed on by the EU regulatory body, it is expected that DORA should gain most of its form by the end of 2021. Firms should then have 12 (and possibly up to 18) months to comply with most of the requirements that will be announced in the first phase of the rollout.
The next subset of compliance standards is expected to give organisations another 1.5 years to get into compliance, including further secondary legislation and technical standards mapping the specific application of the rules being developed by the ESAs. The whole process should be running at full steam by the end of 2024.
This roadmap may seem to give generous time, but organisations and cybersecurity professionals should realise that the DORA timeline is aggressive and needs to be urgently addressed. One thing that will help your organisation stay on the right track from the very beginning is to take immediate action on assessing your ICT third-party providers, keeping all data registered and up to date.
We can help your organisation find the best path for this journey. With a suite of solutions based on BitSight’s industry-leading Security Ratings service, we help firms identify risk in their digital ecosystems, enabling security teams to prioritise resources and remediate the riskiest issues.
Helping you get on track with DORA, you will have access to:
- Data-driven insights on how to meet industry standards and regulatory requirements
- Continuous monitoring of your attack surface so that you can regularly assess your security program and remediate any gaps in controls
- Sound security program governance over your organisation’s evolving first-, third-, and fourth-party footprint that takes into account your risk appetite
- Evidence-based strategies and assurance to drive confidence in your security program
And most importantly: We will be there with you every step of the way.
To learn more, contact us on +44 (0) 161 476 8700 or complete our Contact Form.