What Does DORA Mean in Practice? A Guide for Compliance Teams

Introduction

In 2023, the European Union reached an important milestone with the adoption of the amendments to Regulation (EU) 2019/2034, also known as the Digital Operational Resilience Act (DORA). This regulation aims to improve the IT and operational resilience of European financial service providers by requiring a comprehensive approach to risk assessment and management. Article 6(1) of DORA mandates financial companies to maintain an information and communication technology risk management system (ICT risk management), which is often seen as a simple tick-box exercise. However, this superficial interpretation can expose your organization to significant compliance risks and potential fines of up to €2 billion*.

The significance of DORA goes far beyond a mere compliance tick-box exercise. It affects all aspects of the financial services industry and threatens the stability of the entire European economy. Compliance with these regulations is therefore crucial for any organization providing financial services in the EU. This guide will help you implement the requirements of DORA in practice and avoid potential compliance issues.

*Source: BaFin

The Core Problem

The challenges associated with implementing DORA are complex and far-reaching. Many companies interpret the requirements as a mere compliance task that is only meant to meet the minimum regulations. However, DORA demands much more than just compliance. It requires a fundamental review and overhaul of your organization's ICT infrastructure and processes.

This has brought enormous costs to companies. A study by the Federal Office for Information Security (BSI) found that enforcing DORA could increase compliance and risk management costs in the financial sector by up to 30%. This corresponds to an additional burden of up to €2.1 billion per year* for the industry.

However, the costs are not just financial in nature. Implementing DORA also requires a significant investment of time and resources. Enforcing the ICT risk management framework alone can take several months, and inadequate implementation can lead to a significant loss of market trust and reputation. Moreover, compliance violations can lead to operational disruptions that may impair your organization's business capabilities.

However, it is not just the financial burden that companies should consider. Article 45 of DORA requires financial companies to document and retain their compliance with the regulations. This means they must prove that they meet the requirements of DORA, which requires additional efforts.

*Source: BSI

Why This Is Urgent Now

The need to implement DORA in practice is becoming increasingly urgent. Firstly, the European Union identified several violations of existing regulations in 2023 and imposed fines of up to €20 million. These cases have shown that the financial sector still struggles to effectively meet the EU's requirements. Secondly, the demands for compliance and security in the financial sector have increased due to digitalization. Customers increasingly expect their financial service providers to comply with international standards such as SOC 2, ISO 27001, and GDPR.

Implementing DORA is also a matter of competitiveness. Financial companies that do not meet the requirements of DORA are at a competitive disadvantage. They risk not only fines and penalties of up to €2 billion* but also the loss of customers and market share. Finally, companies that comply with DORA can demonstrate their strength and reliability, which is a crucial factor for customers seeking safe and trustworthy financial services.

In light of these challenges, it is time for compliance teams to take the requirements of DORA seriously and develop a well-informed strategy for implementation. In the next sections of this guide, we will delve into how you can do this to ensure compliance with DORA and minimize risks for your organization. Stay tuned to learn more about implementing DORA in practice and preparing your organization for the future.

*Source: BaFin

The Solution Framework

In practice, dealing with the Digital Operational Resilience Act (DORA) means taking a thorough and proactive approach to information and technology risks. A step-by-step approach based on compliance requirements is crucial for the successful implementation of DORA. In this article, we provide you with a guide that can help you meet the requirements of DORA and manage risks effectively.

Step 1: Risk Assessment

As the first step, you should conduct a comprehensive risk assessment based on Articles 6(1) and 29(1) of DORA. In this assessment, you should identify and evaluate all relevant ICT risks, including technological, operational, and strategic risks. This assessment should also consider the potential impacts on your company's business processes and strategies, as well as the potential effects on the European economy and consumer protection.

Step 2: ICT Risk Master Data

After the risk assessment, you should establish an ICT risk master data system based on Article 6(1) of DORA. This system should be capable of storing and retaining all relevant risk information. It should also include mechanisms for monitoring and evaluating ICT risks, which need to be updated continuously.

Step 3: Risk Management Strategy

The third phase involves developing a comprehensive risk management strategy in accordance with Article 29(1) of DORA. This strategy should include specific measures for identifying, assessing, monitoring, and controlling ICT risks. It should also clearly define responsibilities and roles within the company and clarify communication and escalation pathways.

Step 4: Audit and Monitoring

In the fourth phase, regular audits and monitoring should be conducted to assess the effectiveness of DORA implementation. This includes reviewing compliance with DORA requirements and evaluating identification and assessment mechanisms. You should constantly keep an eye on new technologies and potential risks that may develop.

A good example of implementing DORA, as opposed to a mere "pass rate," would involve a consistent integration of compliance measures into your company's business processes. This means that compliance is not only seen as a reactive measure to legislative changes but as an integral part of strategic planning and decision-making in your organization.

Common Mistakes to Avoid

It is important to understand the common mistakes companies often make when trying to implement the requirements of DORA. Here are the most common mistakes and recommendations on how to avoid them:

Mistake 1: Inadequate Risk Assessment

Many organizations conduct a superficial risk assessment and fail to identify all relevant risks. This can lead to important aspects of ICT risks being overlooked. Instead, you should conduct a comprehensive risk assessment that covers all aspects of your business operations, as required by Article 29(1) of DORA.

Mistake 2: Lack of or Inadequate Risk Communication

In some cases, companies do not effectively communicate their risk assessments and strategies to relevant stakeholders. This can lead to misunderstandings and inadequate compliance. As required by Article 6(1) of DORA, you should develop a careful communication strategy that considers all stakeholders.

Mistake 3: Inadequate Monitoring and Audit

Another common mistake is the inadequate monitoring and auditing of DORA implementation. Companies that make this mistake often fail to establish mechanisms to verify the effectiveness of their compliance measures. Due to the requirements of DORA, you should set up regular audits and monitoring to ensure that your arrangements comply with legal requirements.

Tools and Approaches

The decision on which tool or approach to use to meet the DORA requirements depends on various factors, such as the size of your company, the complexity of your business operations, and the available resources.

Manual Approach

The manual approach has the advantage of being flexible and adaptable. It allows you to address specific requirements and incorporate a personal touch into compliance measures. However, it also has its downsides, such as potential inaccuracies and the high time and cost intensity of manual compliance measures.

Spreadsheet/GRC Solutions

Spreadsheet or Governance, Risk and Compliance (GRC) solutions offer a more automated method than a purely manual approach. They allow you to store and manage data centrally. However, their main limitation is that they often cannot fully cover the dynamic requirements of DORA, especially when it comes to managing technology risks and integrating into operational processes.

Automated Compliance Platforms

Automated compliance platforms like Matproof offer a variety of advantages. They can, for example, enable the automation of compliance measures and the collection of compliance evidence from cloud providers. They also provide 100% data retention in the EU and are specifically tailored to the needs of the European financial services industry. Important aspects to consider when selecting an automated compliance platform include user-friendliness, the ability to integrate into your existing systems, and the capability to implement regulatory changes quickly and effectively.

In summary, it is crucial that you make your decision based on your specific requirements. Automated tools can be a tremendous help, especially when it comes to reducing complexity and increasing efficiency, but they should not be seen as a one-size-fits-all solution for all compliance challenges. The best compliance strategy is one that combines both manual and automated tools tailored to your individual needs.

Getting Started: Your Next Steps

To successfully begin implementing DORA, you have a clear action plan with five steps that you can take this week:

1. Familiarize Yourself with the Requirements: Read the official EU and BaFin publications on DORA to understand the legal requirements. Here are some resources that can help you:

• The official DORA regulation on the EU website to capture the details of the legal provisions.
• The DORA guidelines from BaFin for implementation instructions and best practices.

2. Compliance Frameworks: Assess your current ICT risk assessment methods and ensure they comply with DORA requirements.

3. Identify Critical Areas: Look for vulnerabilities in your current compliance system and identify areas that require immediate action.

4. Needs Analysis for External Support: Evaluate whether you need external expertise to accelerate implementation and increase efficiency.

5. Create a Detailed Compliance Plan: Develop a roadmap that includes specific goals and timelines for meeting DORA requirements.

As a quick win, you can initiate a rapid audit of your current compliance status and identify immediate actions to align with the DORA regulation within the next 24 hours.

Frequently Asked Questions

Question 1: Which areas of our organization should we prioritize in implementing DORA?

Answer: You need to review your ICT risk assessment and ensure that it meets all the requirements of the DORA regulation. This includes IT security, data protection under GDPR, business continuity, and organizational structure. You should also assess the impact of a potential crisis or cyber-attack and have a crisis management plan in place.

Question 2: How can I ensure that my organization complies with DORA's data protection regulations?

Answer: Article 28 of DORA is significant for data protection. You must appoint a responsible data protection officer who is responsible for compliance with data protection laws and advising the organization on potential breaches. Additionally, you must appoint a data protection officer if your organization has more than 250 employees or if the processing of data poses a risk to the rights and freedoms of the affected individuals.

Question 3: Should I seek external consulting or can I handle this internally?

Answer: The decision to seek external consulting or handle implementation internally depends on your organization's size, current compliance policy, and resources. If your organization has previously worked with similar compliance frameworks and has sufficient internal expertise, you can organize the implementation internally. Otherwise, it is advisable to hire external experts who have specialized knowledge regarding DORA requirements and can help you complete the process efficiently and on time.

Question 4: How can I improve collaboration between compliance teams and IT departments in implementing DORA?

Answer: Effective collaboration between compliance teams and IT departments is crucial for successfully implementing the DORA regulation. Establish an interdisciplinary communication channel that allows teams to share their concerns, challenges, and progress with each other. Organize workshops and training sessions to improve understanding of DORA requirements in both the compliance and IT departments. Ensure that both compliance and IT have clear roles and responsibilities and that they work closely together in strategic planning and implementation.

Question 5: How can I increase the efficiency of compliance reviews and assessments?

Answer: The efficiency of compliance reviews and assessments can be improved by leveraging technology, particularly through automated tools like Matproof's compliance automation system. With AI-driven policy creation, automated evidence collection from cloud providers, and endpoint compliance agents for device monitoring, you can optimize your compliance workflows and save time. Especially for smaller organizations or when working with limited resources, such tools can significantly simplify and enhance compliance reviews and assessments.

Key Messages

To successfully implement the DORA regulation, it is crucial to thoroughly understand the legal requirements and develop a clear action plan for implementation. Collaboration and communication between compliance teams and IT departments are essential. Technological assistance like that from Matproof can help you optimize compliance workflows and make meeting DORA requirements more efficient. If you need help implementing DORA, Matproof offers a free assessment.