Digital technologies are pivotal for global financial and capital market firms to support complex systems, it is critical for the delivery of typical business functions and revenue-generating activities. Digitalisation and the resulting interconnectivity enable greater efficiency and cost savings but also amplify Information and communication technology (ICT) risks and increase the financial system’s vulnerability to cyber threats or disruptions.

Despite targeted policy and legislative initiatives at the national level, the European Union (EU) recognises the critical need to harmonise and bolster operational resilience across its member states to protect the integrity and efficiency of the internal market, particularly considering escalating cyber threats¹ and disruption incidents². A view recently echoed by Liquidnet³:

 “The industry is only as strong as its weakest link […] 2024 will not only represent greater regulatory scrutiny of compliance, risks, and controls as well as technology interoperability, but individual responsibility in making the eco-system function optimally.”

Addressing the ongoing resilience challenges, the EU introduced the Digital Operational Resilience Act (DORA) to fortify ICT security and operational robustness for financial entities.

What Is DORA and Its 5 Focus Areas?

DORA was adopted by the European Parliament and the Council on the 14^th of December 2022, with compliance required by January 17^th, 2025. The regulation aims to consolidate and enhance digital operational resilience across the financial landscape that has, up to this point, been addressed separately in various Union legal acts via a common framework⁴ for the digital operational resilience of financial entities to better withstand and recover from breaches and ICT incidents.

DORA's 5 Areas of Focus:

1. ICT Risk Management.
2. ICT-related Incident Management, Classification & Reporting.
3. Digital Operational Resilience Testing.
4. ICT Third-Party Risk Management.
5. Information Sharing Arrangements.

Why Is DORA Important?

DORA builds on and supersedes earlier industry-specific guidelines to overcome disparities and consistently consolidates guidelines for key areas across the entire value chain. It is unique because it introduces a union-level common oversight framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs)⁵.

With the financial sector reliant on digital ICT systems and as interconnectivity grows, ICT risks and vulnerabilities will have an increasingly disruptive cross-border impact across the union, which amplifies the effect of operational disruptions and cyber threats at financial firms. DORA acknowledges that digitalisation now encompasses critical financial functions⁶ like payments, securities clearing, algorithmic trading, and back-office operations. It aims to bolster the operational resilience of these functions to maintain overall financial stability and protect consumer trust within the internal markets. DORA aims to preserve market confidence by ensuring the seamless provision of financial services even during challenging scenarios.

Who Does DORA Apply To?

DORA applies to all financial institutions in the EU and the ICT third-party service providers supplying services to support them. A recent insight¹⁰ addressed this. The EU’s DORA regulation introduces specific and prescriptive requirements for all financial market participants.

DORA – Financial Entities

To comply with DORA, financial entities must enhance ICT risk-related management practices, which include identifying, assessing, and mitigating risks associated with digital operations. DORA also introduces prompt ICT incident reporting obligations to the relevant authorities for critical function disruptions. Also, institutions must regularly simulate various disruptions to test operational resilience and recovery capabilities.

Notably, DORA emphasizes that financial entities must assess and manage the third-party ICT risk of their service providers and ensure contractual arrangements address operational resilience. This relates to the concentration of risk (DORA Article 29¹¹) and follows incidents like the OPRA outage¹², and cybercrime targeting critical suppliers in the financial supply chain like the Ion Group hack last year¹³ or cloud computing vendors¹⁴, where a single incident potentially impacts multiple financial entities.

It should be noted that the impact of outages is not limited to firms and end-users, with repercussions potentially overflowing onto personal finances as demonstrated by DBS bank¹⁵ earlier this year.

DORA –Third-Party Dependencies and Operational Resilience

Financial entities have increasingly relied on third-party providers to deliver critical parts of their operations and services, subsequently, DORA also significantly affects third-party dependencies. These third parties include cloud service providers, data vendors, software developers, and other technology partners. Outsourcing certain functions can enhance efficiency and reduce costs, but as we saw with Ion, it also introduces new risks. Authorities must now look beyond the resilience of individual regulated firms and assess the sector’s wider operational resilience.

DORA emphasizes the importance of robust risk management practices for third-party dependencies aiming to bolster the overall resilience of the financial sector in the digital age. These include:

1. Broad Scope of ICT Third-Party Risk – To enhance operational resilience across the financial services sector DORA casts a wide net to define ICT third-party risk. For example, DORA Article 3 (18)¹⁶ defines ICT third-party risk as any ICT risk – Article 3 (5)¹⁷ – that may arise for a financial entity derived from using ICT services provided by a third-party service provider, subcontractors, or outsourcing arrangements.
2. Risk Management Practices for Third-Party Vendors – DORA mandates appropriate risk management practices for third-party vendors to reduce operational risks associated with third-party relationships and ensure resilience. It also aims to implement a harmonised regulatory framework for third-party vendor risk management across the EU (Article 15¹⁸).
3. Critical ICT Third-Party Providers – DORA recognises the critical role of ICT service providers in financial services. If a third party is deemed critical, like CJC in some instances, they must comply with DORA’s requirements. Notably, critical third parties outside the EU are required to establish a subsidiary within the EU – Article 31 (12)¹⁹ – although preamble (82)²⁰ notes the requirement “should not prevent the critical ICT third-party service provider from supplying ICT services and related technical support from facilities and infrastructure located outside the Union.”

Speaking about operational resilience and DORA compliance, Gina Wee, Chief Information Officer at CJC said, "From implementing robust encryption and strict access control to conducting regular audits, CJC upholds high levels of compliance to ensure data security. Combined with proactive planning, adaptive procedures and a culture of continual improvement, we ensure uninterrupted services to our clients. We hope our commitment to information security, operational resilience and accountability provides our clients peace of mind and confidence in our managed services."

DORA Compliance vs. Non-Compliance

The Risk of Non-Compliance

Not complying with DORA may lead to reputational damage, financial losses, and regulatory penalties. Firms that fail to comply with DORA’s requirements risk operational disruptions, customer dissatisfaction, and potential legal consequences.

DORA Compliance – 3 Considerations & Best Practices

To comply with DORA, financial institutions must comprehensively map existing third-party dependencies and involve understanding the services of outsourced functions to identify critical dependencies. Step 2 assesses the resilience of the mapped dependencies to evaluate their service provider’s operational capabilities, security measures and disaster recovery plans. Finally, contractual agreements with third parties should specifically address operational resilience requirements. This includes provisions for incident reporting, business continuity, and recovery time objectives.

To stay compliant, financial institutions can take several steps to implement best practices to ensure continuous compliance with DORA. These include:

1. Due Diligence – When selecting third-party providers, conduct thorough due diligence by considering their record of accomplishment, financial stability, and operational resilience.
2. Scenario Testing – Simulate various scenarios with third parties to test the effectiveness of recovery plans. This should include cyberattacks, system failures, and natural disasters.
3. Continuous Monitoring – Monitor third-party performance and compliance regularly, being prepared to adapt should resilience postures change.