Making Market Operations More Resilient with DORA

By Elaine McConnell, DTCC Director, Business Information Security Officer | 3 minute read | August 7, 2024

Firms are increasingly subject to new rules and regulations aimed at providing greater resilience in industry operations and the oversight of critical third-party providers. I was on a panel with other industry security experts at FIA’s International Derivatives Expo (IDX) to discuss how firms across the European Union are preparing for the challenges of complying with the new requirements under the EU Digital Operational Resilience Act (DORA) and where these firms may need to focus to drive compliance. The discussion among our panel was robust, with many tangible takeaways to share.

Challenges

DORA is designed to create minimum cyber and IT resilience expectations across the EU by establishing a framework with a comprehensive focus on cyber risk, incident reporting, third-party risk management and governance. Three present challenges for firms adhering to this regulation are:

  1. Time to Comply: The target date for the European Commission to adopt the final batch of technical standards is September 2024, giving firms a shortened window to finalize their gap analyses and complete implementation to close identified gaps by January 2025. Depending on the number of gaps a financial institution has with the regulatory text, this could extend compliance activities through 2025.
  2. Alignment of Regulatory Requirements: DORA requirements may impact shared services delivered by an organization’s entities operating in the EU. Ensuring that these new requirements are integrated into these shared services can take considerable time and effort.
  3. Third-party and Supply Chain Risk Management: DORA obligations may require institutions to commit to ongoing activities to identify and manage third-party and supply chain risks. Some may require changes to employee roles to oversee third-party arrangements.

Focus Areas

  1. Register of Information: Under DORA, financial entities are required to maintain a Register of Information for all third-party contractual arrangements utilizing Information Communication Technology (ICT) services. Completing and maintaining this Register may be a new requirement for some financial entities and could require data from different functional areas within the financial entity.
  2. Third-Party Risk Management: DORA lays out requirements for contractual arrangements between ICT third-party service providers and financial entities. This may require the financial entity to modify existing contractual terms to achieve compliance. DORA also requires the designation of a senior management member responsible for overseeing any potential risk exposure, from pre-contract tasks through ongoing monitoring.
  3. Incident Reporting: DORA defines new classification criteria to determine if an ICT incident is reportable to the financial authorities as well as new timelines and templates to adhere to the new reporting obligations. Additionally, there are templates designed to facilitate the new information sharing arrangements for cyber threat information and intelligence.

    While some financial entities may currently comply with stringent incident reporting requirements, it is still likely that this reporting will need to change as DORA may require financial entities to consider new data elements that were previously not required.

    Lastly, financial entities must balance reporting an incident against addressing it. As currently drafted, financial entities must definitively conclude that an incident is major within twenty hours of detection. Given the time and effort necessary to gather and assess the potential impacts on the financial entity and on other EU member states, that assessment may not yield a definitive result within this time frame.
  4. Extraterritoriality of DORA: ICT third-party providers with clients located in the EU are obliged to support these clients wherever they provide ICT services, including renegotiating contracts, participating in threat-led penetration testing and meeting enhanced due diligence requirements.
  5. 2025 Implementation Journey: Given the volume of legal and operational work required to comply and the challenges that the industry faces, there is a need for a clear understanding of day one expectations. Where there is evidence that a financial entity is taking a risk-based approach to what is required to achieve compliance, a transitional arrangement may be beneficial for all.