DORA - Key Requirements for Financial Entities

In the first article in this series, we explored which entities fall under DORA’s scope.

ICT risk poses a challenge to the operational resilience, performance and stability of the EU’s financial system. In 2018 the EU Commission highlighted the paramount importance of making the EU financial sector more resilient, including from an operational perspective to ensure its technological safety and good functioning, its quick recovery from ICT breaches and incidents, and ultimately enabling the effective and smooth provision of financial services across the EU as a whole, including under situations of stress, while also preserving consumer and market trust and confidence.

How does DORA aim to tackle these challenges?

Internal Governance and Control Framework

One of the key aspects of DORA is the requirement for financial entities to establish an Internal Governance and Control Framework. This framework ensures that entities have clear policies, processes, and structures in place to manage ICT risks in an effective and prudent manner, in order to achieve a high level of digital operational resilience.

Financial entities must have a well-defined governance structure that includes roles and responsibilities for managing ICT risks. It is thus essential that clear roles and responsibilities for ICT-related functions are set, and appropriate governance arrangements are established to ensure effective and timely communication, cooperation and coordination among those functions.

It is important to note that the financial entity’s management body bears the ultimate responsibility for managing the entity’s ICT risk. Thus, apart from ensuring that the management body has the necessary level of knowledge and skills in understanding ICT risks, it is also important for financial entities to conduct a gap analysis to understand the current state of their internal governance and control framework.

The knowledge gap should also not be limited to members of the management body. It is thus also important that financial entities ensure that employees are aware of ICT risks and their roles in mitigating them. To this end, DORA mandates regular training programs to enhance employee awareness and preparedness.

As DORA’s implementation date looms closer, it is thus also expected that financial entities will have already allocated an appropriate budget for 2025 allowing the financial entity to fulfil its digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programs and digital operational resilience training and ICT skills for all staff.

ICT Risk Management Framework

The ICT Risk Management Framework (“ICT RMF”) is another pivotal component of DORA. Financial entities are required to have a sound, comprehensive and well-documented ICT RMF as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.

The implementation of this framework includes the strategies, policies, procedures, ICT protocols and tools necessary to duly and adequately protect all information assets and ICT assets, as well as all relevant physical components and infrastructures, so that those assets are adequately protected from risks including damage and unauthorised access or usage. To this end, financial entities should conduct a gap analysis to understand the current state of their ICT RMF and also define an asset management policy.

Financial entities must conduct regular risk assessments to identify potential ICT threats and vulnerabilities. Based on the findings of the risk assessments, entities are required to implement appropriate risk mitigation measures.

As part of the framework, financial entities are also required to maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

The ICT RMF also includes a digital operational resilience strategy setting out how the framework is to be implemented. This strategy includes methods to address ICT risk and attain specific ICT objectives by first and foremost establishing the financial entity’s risk tolerance level for ICT risk in accordance with its risk appetite and analysing the impact tolerance for ICT disruptions.

Continuous monitoring of the ICT environment is essential for detecting and responding to incidents in a timely manner. Entities must therefore establish monitoring mechanisms and reporting processes to track and report on ICT risks.

DORA also mandates that financial entities have robust incident response and recovery plans in place. These plans should outline the steps to be taken in the event of an ICT incident, including communication protocols, remediation actions, and recovery procedures.

Digital Operational Resilience Testing

DORA implements a coordinated system of operational resilience testing that will lead to the mutual recognition of ICT testing results across different jurisdictions. To this end, financial entities are required to establish and maintain a comprehensive digital operational resilience testing program.

To reflect differences that exist across, and within, the various financial subsectors as regards financial entities’ level of cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from the assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing by means of threat-led penetration testing, if applicable in line with DORA’s requirements.

The testing program must be risk-based and proportionate, ensuring that all ICT systems and applications are regularly tested for vulnerabilities and weaknesses.

Reporting Framework

DORA also introduces a comprehensive Reporting Framework that ensures transparency and accountability in managing ICT risks. This framework requires financial entities to report on various aspects of their ICT risk management activities.

To this end financial entities should define, establish and implement an ICT-related incident management process and procedures on how major ICT-related incidents are to be reported.

In addition to incident reporting, entities are required to submit regular reports on their ICT risk management activities, providing updates on risk assessments, mitigation measures, and any changes to the ICT environment.

Managing ICT Third-Party Risk

DORA also places significant emphasis on managing ICT third-party risk to ensure the resilience of the financial sector. Financial entities often rely on ICT third-party service providers, which can introduce additional risks.

Financial entities should thus ensure they have a strategy in place on ICT third-party risk as well as a due diligence procedure to be conducted before entering into any third-party arrangements. They should also undertake a review of contractual agreements with such ICT third-party service providers to ensure such agreements contain the necessary provisions in line with DORA’s requirements. Financial entities should have clear termination procedures, including plans for transitioning services, for ICT services supporting critical or important functions.

This is the second article in our series “Chartering DORA Compliance: A Guide for Financial Entities”. 

For information or assistance please contact us at info@gtg.com.mt

Author: Dr Cherise Abela Grech

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.