Capgemini: The challenges and opportunities DORA presents

Emerging technologies are reshaping the ways businesses and individuals interact with financial services, paving the way for fintechs to offer solutions that improve the customer experience and promote inclusion. 

But as new technologies emerge, new avenues are created for fraudsters to compromise consumer data and launch cyber attacks against financial institutions. 

In step the Digital Operational Resilience Act (DORA), the EU’s latest regulation designed to ensure all participants in the financial system have adequate measures in place to address cyber-attacks and other risks to financial firms and consumers, which is set to come into full effect in 2025. 

What is DORA?

But what exactly is DORA, and what must financial organisations and fintechs do to make sure they are fully compliant by 2025?

Capgemini’s Global Head of Cloud for Financial Services, Ravi Khokhar, has the explainer: “The Digital Operational Resilience Act (DORA) is designed to guarantee all participants in the financial system have the required measures in place to mitigate and address cyber-attacks and other potential risks. 

“Introduced by the European Commission, DORA is aimed at bolstering the financial resilience of the sector in the European Union (EU). The act was presented as a response to the 2008 financial crisis, where the EU adopted measures to strengthen capital resources and liquidity while reducing market and credit risks.

“DORA is expected to be fully effective by 2025 to broaden the focus on operational risk management and to ensure that infrastructure and software resilience are integral components for financial institutions and critical information and communication technology (ICT) providers operating within the EU. 

“Simply put, it requires organisations to conduct comprehensive risk assessments and predict potential problems in their system, plus report any incidents that do happen so that they can be tracked, controlled, and stopped from occurring again.

“It is important to highlight that DORA is a binding regulation applying directly to all EU Member States eliminating the need for transposition into national law and the complexities associated with national alternatives and discretions.

“The hope for this cross-industry supervisory approach to compliance is its ability to prevent illegal activities and disruptions to digital services, ultimately safeguarding society and the economy.”

However, do all firms that need to comply with DORA have the right capabilities in place today? And what are the challenges to get there? 

DORA: The challenges and opportunities

Indeed, some organisations will need to make more changes than others, across a multitude of technological and digital aspects. The need to adapt and comply is apparent, and it needs to be done in the space of a year. 

“For financial institutions, the challenge will be standardising resiliency requirements, mandating active cyber risk management and emphasising regular testing and reporting of IT systems,” notes Khokhar.

“At its core, DORA establishes uniform requirements for the financial services sector that prioritises a robust level of resilience for swift service restoration following cyber incidents,” he adds.

“Within this, DORA also requires the implementation of advanced disaster recovery and business continuity measures. Companies are obligated to establish and regularly update an Information and Communication Technology (ICT) risk management framework.”

The challenges don’t stop there either. “Next is cyber risk management, which is a growing challenge across the industry,” adds Khokhar. 

Indeed, at the World Economic Forum 2024 in Davos, JP Morgan shed light on the scale of the issue when its Head of Asset and Wealth Management, Mary Erdoes, said the bank suffers 45 billion hacking attempts every day.

“Rising to this challenge and effectively managing cyber risks calls for active processes, encompassing risk classification, monitoring, documentation and reporting. Of course, alongside this, it’s essential to implement response and recovery along with business management strategies,” Khokhar advises.

“Regular testing of IT systems might also pose challenges. Ongoing reviews and continuous updating of the testing strategy are needed to ensure compliance. The test should involve vulnerability scans, network assessments and penetration assessments.

“As previously mentioned, incident tracking and reporting are crucial under DORA to take preventative measures. 

“Organisations are required to promptly report cyber incidents to authorities. It will also be helpful for companies to establish collaborative alliances within the industry to facilitate the sharing of cyber-threat intelligence and information.”

Indeed, IT contractual obligations will also shift as part of ICT resilience under DORA. Khokhar expands: “Third-party ICT providers will undergo contractual modifications with their ICT resilience evaluated under DORA. 

“The regulation underscores the importance of entities actively managing and monitoring external risks, requiring a thorough review and potential revision of contracts to align with DORA rules and discontinuing collaboration with non-compliant providers.”

While the challenges may seem extensive, particularly in such a short period of remaining time before DORA comes into full effect, the impending regulation does provide opportunities too. 

Khokhar says: “DORA presents opportunities for institutions through the establishment of a unified and comprehensive ICT risk management framework. Beyond promoting synergies within the EU, DORA may also exert sufficient influence to drive the global adoption of a digital single market in the financial services sector.

“To paint a bigger picture, DORA offers clear legal guidance on ICT risk regulations, especially for multinational financial institutions. It simplifies regulatory complexity and lowers the administrative and financial burdens associated with diverse rules that apply to financial entities.”

The to-do list by 2025

With these positives in mind, it is up to organisations to position themselves for secure future operations in the EU. But, DORA is expected to go into full effect on January 17, 2025, and for some, the to-do list may be extensive. Below, Khokhar gives his top tips for organisations that need to enact transformative change. 

“I encourage organisations to start early and take comprehensive actions to comply with regulations to ensure that they’re not left behind.  

“DORA is based on five pillars of resilience: ICT risk management, ICT incident reporting, digital operational reliance testing, ICT third-party risk, and information and intelligence sharing –  preparations need to be centred around them.

“ICT risk management is crucial for minimising the chances of unexpected cyberattacks by requiring thorough risk assessments to proactively prevent and detect potential threats. This pillar urges each firm to implement appropriate measures, safeguarding risk management, and establishing a robust ICT risk management framework. 

“To accomplish this, institutions need to first develop a comprehensive framework for identifying, classifying, and managing risks; define strategies for risk prevention, response and recovery; and plan for educating management and staff.

“ICT incident reporting mandates companies to provide detailed reports on incidents, capturing information on affected users, data loss, severity of system impact, geographical spread, service criticality and economic impact. 

“This allows effective incident monitoring, management, and continuous improvement for enhanced recovery. Companies should look to update their incident classification methods, as well as establish internal and external notification channels.

“Next is probably the most challenging of the pillars. Digital operational resilience testing requires financial institutions to undergo threat-based penetration testing every three years. 

“And as this process takes a while – up to two years – this means organisations need to be equipped early for the regulator-authorised testing deadline by the end of 2024. 

“The ICT third-party risk pillar mandates organisations to integrate third-party risk management into their risk framework. Organisations must formulate a well-defined strategy and policy. 

“They will need to develop a comprehensive third-party register and conduct regular third-party audits regularly to avoid risks of noncompliance.

“Finally, and to facilitate collaboration among financial services organisations, companies are encouraged to implement automation solutions for efficient information sharing with other institutions, as well as establishing internal communication mechanisms for processing.

“The first set of final draft technical standards under DORA were issued on January 17 this year and submitted to the Commission for adoption. 

“While the standards are not yet finalised and still require review by the European Parliament and Council before being published in the European Union's Official Journal, these technical standards offer a strong foundation for categorising ICT incidents, a regulatory framework for ICT third-party service contracts, standard templates for information registration and risk management tools and processes. 

“Gaining full DORA readiness by January 2025 will not be easy, but it is necessary for true operational resilience. It will certainly be no small lift for any enterprise and may even require some rebuilding of technology architecture for some players in addition to all other workstreams. 

“While the journey to DORA readiness will pose challenges, the rewards for businesses and the sector at large will be substantial.”

**************

Make sure you check out the latest edition of FinTech Magazine and also sign up to our global conference series – FinTech LIVE 2024. 

**************

FinTech Magazine is a BizClik brand.