The EU’s Digital Operational Resilience Act (DORA) dragon is getting ready for flight in 148 days (business days as at June 26). Leave your castle walls in disrepair over the summer holidays at your peril.

This regulation has taken a far deeper, broader and more prescriptive approach to derisking the end-to-end Information Communication and Technology (ICT) risk than ever imagined by any sitting Chief Information Officer, Chief Risk Officer or Management Committee.

By January 17, 2025, a “great repapering” needs to be completed for your policies, contracts, procedures, control logs, regulatory reports and supplier databases. To tame DORA, SMEs will need an interdisciplinary approach to satisfy many stakeholders.

150 days to deliver to new standards

There are 22,000 financial entities that should be conducting gap analyses and making tough decisions about how they intend to secure their critical or important functions now.

Lawyers report that we’re at the start of a DORA repapering juggernaut, as the ESAs have 4,000+ people registered for their voluntary “dry run” for new regulatory reports.

However, DORA is about far more than tweaking a few supplier contracts. Policies,  procedures, control logs, regulatory reports and supplier databases need to fall in line with very prescriptive obligations for which there are few standards and no legal precedent.

DORA’s 12 documents and 785 pages contain a number of new ramparts to protect the resilience of the financial system, including these:

• “critical or important function” means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities … under applicable financial services law – Art 3(22);
• financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers – Art 28(3);
• “critical ICT third-party service provider” means an ICT third-party service provider designated as critical in accordance with Article 31, Art 3 (23);
• financial entities shall minimize the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on ICT risk and on their ICT risk management framework to the competent authorities upon their request. – Art 6(3);
• financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important. – Art 28(3).

DORA penalties

Despite claims to the contrary on the internet, Article 50 enables each country to determine what happens if your DORA defences are breached:

• Member States to establish appropriate, effective, proportionate and dissuasive administrative and potentially criminal penalties.
• Could require temporary or permanent cessation of any practice or conduct considered contrary to DORA.
• Issue public notices, indicating the identity of the natural or legal person and the nature of the breach.

The DORA ‘so what’ for a financial entity

As JWG wrote last summer, with tough new risk controls and thousands of suppliers in your technology supply chain, implementation programmes will struggle to keep pace with the breadth and depth of the challenges.

Today’s financial services businesses are under pressure. On one front their customers are pushing toward ever more interconnected, digital platforms. On the other, regulators want firms to control the systemic risk of the technology itself. Both these pressures are now roaring their way across the financial value chain and IT supply chain.

Current governance and oversight roles will change and hundreds of new questions will need to be asked, answered and evidenced. A few of the areas where DORA’s teeth bite are illustrated in the table below:

JWG analysis of Dragonish DORA questions by owner

Who	Dragonish DORA questions for critical or important functions
Management Committee	Does the management body bear full responsibility for governing and resourcing the ICT risk management strategy? Does your ICT third-party risk policy on the use of ICT supporting services apply on a sub-consolidated and consolidated basis? Does your ICT third-party risk strategy include multiple FMIs and complex third parties (for example market data)?
CRO	Have your “severe but plausible” ICT risk scenarios included market infrastructure such as CCPs, CSDs, payments, trading venues? Have you conducted ICT concentration risk assessments including substitutability and the concentration impact of sub-contracting? Do your exit strategies take risks into account that may emerge at the level of ICT third-party service providers?
CIO	Do your transition plans enable transfer of ICT services and the relevant data to alternative providers or reincorporate them in-house? Are your exit plans comprehensive, documented, sufficiently tested and reviewed periodically? Do your control data, source code and open-source pose security risks?
IT Leadership	Can you notify your regulator within four hours of a major incident? Do ICT projects for critical or important functions share risk assessments with the management body on a periodic or event-driven basis? Can you spot anomalous network activity across the SDLC – including failure measures and clock synchronization?
Legal / Compliance	Do your contracts ensure third parties and their subcontractors align to your ICT strategies, objectives and procedures? Have you clearly assigned responsibilities for contract management to people with requisite knowledge and can your supplier comply? Are ICT contracts in line with DORA’s 15 clauses?
Procurement	Have you prepared a report of contractual risks for ICT services supporting critical or important functions? Does your consolidated register of ICT third-party contracts include the 118 items including supplier Legal Entity Identifiers?
Critical third parties	Can you provide your new regulator with market information including market share per type of service/market and financial statements? Are you able to share internal governance documents, including accountability rules, board minutes and incident logs? Can you describe your customer data and application portability mechansims?

This is by no means a comprehensive or exhaustive list of questions. It is meant to illustrate the level to which firms and their suppliers will need to upgrade current risk governance and control frameworks to mitigate operational resilience risk.

As with most EU regulation, transparency is the answer. Ominously, in addition to the information register and other reports, the regulation stipulates that the competent authorities can “have access to any document or data held in any form that the competent authority considers relevant for the performance of its duties and receive or take a copy of it.” That’s a lot of dragon training footage!

As with most regulation, a risk-based approach is required and your documentation needs to clearly identify any gaps which you have to close. When you do have an incident, there will be little time to go back to the rule books as regulators need to be notified within four hours, followed by an intermediate and final report.

Conclusion

The EU’s Digital Operational Resilience Act (DORA) dragon may have seemed like a distant threat, but it is now only 148 days away from taking flight.

And as the saying goes, summer holidays leave no castle walls safe from peril. This revolutionary regulation has not only caught the attention of Chief Information Officers and Chief Risk Officers, but also the entire management committee.

It has presented a much deeper, broader, and more prescriptive approach to managing end-to-end ICT risk than anyone could have imagined. But fear not, for there is still time to fortify your defences against this formidable creature.

However, to do so successfully, an interdisciplinary approach between firms and their service providers is crucial.

Be sure to tame your DORA dragon before January 17, 2025, rolls around.