top of page
Writer's pictureJames Ross
Jul 193 min read

DORA Pillar 1: The Blueprint for Robust Digital Operational Resilience in Finance

The financial sector increasingly relies on technology to deliver essential services in the ever-evolving digital landscape. This reliance, however, also exposes firms to a myriad of cyber threats and operational risks. Enter the Digital Operational Resilience Act (DORA), a new EU regulation to fortify the financial sector's digital defences.



Part 1 of this blog post will explore Pillar 1 of DORA, which focuses on Governance and Risk Management. We'll discuss the key articles and their implications for your organisation, helping you understand how to build a robust foundation for digital operational resilience. Part to will consider Pillar 2 ICT Incident-Related Reporting.


Article 1: Setting the Stage for Resilience


The Goal: DORA aims to set a high standard for digital operational resilience across the entire EU financial sector. This means all financial entities (banks, insurers, investment firms, etc.) need to have safeguards in place to prevent and respond to ICT-related disruptions.


What to Expect:


  • Strong ICT Risk Management: You'll need a comprehensive approach to identifying, assessing, and managing risks related to your IT systems and processes.

  • Third-Party Risk Oversight: Managing risks from third-party technology providers (like cloud services or software vendors) is crucial.

  • Incident Reporting: Reporting major incidents and cyber threats to authorities will become a standard practice.

  • Information Sharing: Collaboration with others in the sector to share threat intelligence will be encouraged.

  • Oversight of Critical Providers: New rules will govern the oversight of crucial technology service providers.

  • Cooperation and Supervision: DORA outlines how authorities will work together to supervise and enforce these new rules.


Article 2: Who's In, Who's Out?


The Goal: DORA clearly defines which financial entities fall under its scope and which are exempt.


What to Expect:


  • Inclusion: A comprehensive list of covered entities, including credit institutions, payment institutions, and more.

  • Exclusions: Specific exemptions for certain entities, like small insurance companies or some investment firms.

  • Flexibility: Member states can exclude smaller, less complex entities.


Articles 5 & 6: Laying the Groundwork


The Goal: These articles establish the core governance and risk management structures required under DORA.


What to Expect:


  • Governance Framework: You'll need a robust internal framework for managing ICT risks, including clear roles and responsibilities for your board and management.

  • Risk Management Framework: This outlines the strategies, policies, procedures, and tools you'll use to identify, assess, and mitigate ICT risks. It should be integrated with your broader enterprise risk management (ERM) efforts.

  • Digital Operational Resilience Strategy: You'll need a documented plan detailing achieving and maintaining digital operational resilience.


Articles 7, 8, 9, & 10: Technology, Risk Identification, Protection, and Detection


The Goal: These articles delve deeper into the specifics of your ICT systems, risk assessment processes, protective measures, and detection mechanisms.


What to Expect:


  • Reliable ICT Systems: Your technology must be fit for purpose, dependable, and have sufficient capacity.

  • Risk Identification: You'll need to identify and assess all your ICT-related risks and dependencies systematically.

  • Robust Protection: Data protection and security measures, like access controls, encryption, and change management processes, are crucial.

  • Early Detection: Implement mechanisms to identify anomalies or potential security breaches quickly.


A 6-Month Pillar 1 Implementation Roadmap


To get started, consider this high-level plan:


  1. Month 1: Conduct a gap analysis to see where your current practices stand compared to DORA requirements.

  2. Month 2: Design your governance structure and ICT risk management framework.

  3. Month 3: Implement the necessary ICT systems and security measures.

  4. Month 4: Identify and assess all ICT-related risks.

  5. Month 5: Set up continuous monitoring and testing of your systems.

  6. Month 6: Review and refine your frameworks and processes based on your findings.


Conclusion


DORA Pillar 1 establishes the foundation for a resilient financial organisation in the digital age. By understanding and implementing these requirements, you'll be well on your way to protecting your business from the ever-present threat of ICT-related disruptions. Part 2 of this blog will consider Pillar 2 ICT Incident-Related Reporting.




Sign up to be notified about the latest updates of what we think

The posts listed on the 'What we think' webpages are our interpretation of regulatory developments we have been reading about. They should not be considered legal, regulatory or other advice. Contact us if you want to understand the impact of public policy, regulation and governance changes for you.

bottom of page