The European Commission had published a wide-ranging draft regulation on Digital Operational Resilience for the financial sector (DORA) as part of a new EU Digital Finance Package in September 2020.
On 27 December 2022 Regulation (EU) 2022/2554 and Amending Directive (EU) 2022/2556 on Digital Operational Resilience for the Financial Sector was published on the EU Official Journal and entered into force on 16 January 2023.
The aim of DORA
DORA will create a regulatory framework whereby the financial firms will have to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats, with the objective to prevent and mitigate cyber threats.
Timeline
Continuous Improvement
According to DORA proposal, for keeping pace with a quickly evolving cyber threat landscape, it is important to set-up and maintain resilient ICT systems and tools that minimise the impact of ICT risk.
For this purpose,
- identify on a continuous basis all sources of ICT risk
- set-up protection and prevention measures
- promptly detect anomalous activities
- put in place dedicated and comprehensive business continuity policies and disaster recovery plans as an integral part of the operational business continuity policy
- place capabilities and staff, according to size, business and risk profiles of the organisation, for gathering information about vulnerabilities, cyber threats, ICT-related incidents and cyber-attacks, and analyse their likely impacts on digital operational resilience
- implement communication policies and have in place communication plans that enables responsible disclosure of ICT-related incidents or major vulnerabilities
Which entities are impacted by the regulation?
There are a wide range of entities that are affected by DORA. It covers banks, payment institutions, investment firms, crypto assets service providers and more.
Additionally, critical third-party ICT providers are also regulated under the regulation. Each critical ICT service provider will be designated a Lead Overseer (either EBA, ESMA or EIOPA).
Impacted Entities are summarised in the following diagram.
What are some of the key obligations under DORA?
The regulation requires a comprehensive ICT Risk Management Framework for managing ICT risks. A summary of the key requirements for financial entities are divided into the following areas of cyber security and operational resilience.
How can KPMG help?
Financial entities and ICT Service Providers are advised to start familiarising themselves with the vast range of proposed requirements of the regulation.
Some of the requirements will not pose major changes to current frameworks and arrangements whereas others will require a lot of time, coordination, and effort from very different professionals within organisations.
KPMG can assist with:
Gap analysis for checking readiness for compliance with DORA
Review of strategies, policies, procedures, ICT protocols and tools Defining a well-documented ICT Risk Management Framework 
Establishing an information security management system to protect confidentiality, integrity and availability of information assets 
ICT Third party risk management
Reviewing and enhancing Security Incident Management procedures
Implementing policies, procedures and controls for ICT change management 
Establishing and reviewing ICT Business Recovery Mechanisms (e.g., BCP, DR, BIA) 
Security Awareness Training
We at KPMG frequently provide cross-functional professional advice in the field of ICT risk management, cyber security and data protection and are used to bringing together different stakeholders in our client organisations.
