The European Commission published a wide-ranging draft regulation on Digital Operational Resilience for the financial sector (DORA) in September 2020 as part of a new EU Digital Finance Package.

The aim of DORA

DORA aims to establish a comprehensive EU framework with rules for all regulated financial institutions by streamlining and upgrading existing financial legislation and introducing new requirements where gaps exist. The intention is to:

  • better align their business strategies and performance of ICT risk management
  • harmonise and streamline the reporting of ICT-related incidents
  • apply testing requirements proportionately
  • strengthen their oversight and ensure their sound monitoring of third-party ICT providers, to better manage risks stemming from dependency on providers
  • raise awareness of ICT risk and minimise its spread through information sharing
  • create more coherent and consistent incident reporting mechanisms



Continuous Improvement

According to the DORA proposal, to keep pace with a quickly evolving cyber threat landscape, it is important to set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk.

For this purpose,

  • identify on a continuous basis all sources of ICT risk
  • set up protection and prevention measures
  • promptly detect anomalous activities
  • put in place dedicated and comprehensive business continuity policies and disaster recovery plans as an integral part of the operational business continuity policy
  • place capabilities and staff, according to size, business and risk profiles of the organisation, for gathering information about vulnerabilities, cyber threats, ICT-related incidents and cyber-attacks, and analyse their likely impacts on digital operational resilience 
  • implement communication policies and have in place communication plans that enable responsible disclosure of ICT-related incidents or major vulnerabilities

Which entities are impacted by the regulation?

A wide range of entities is affected by DORA. It covers banks, payment institutions, investment firms, crypto-asset service providers and more.

Additionally, critical third-party ICT providers are also regulated under the regulation. Each critical ICT service provider will be designated a Lead Overseer (either EBA, ESMA or EIOPA).

Impacted Entities are summarised in the following diagram.

Entities impacted by the regulation

What are some of the key obligations under DORA?

The regulation requires a comprehensive ICT Risk Management Framework for managing ICT risks. The key requirements for financial entities are divided into the following areas of cyber security and operational resilience.

Key obligations under DORA

How can KPMG help?

Financial entities and ICT Service Providers are advised to start familiarising themselves with the vast range of proposed requirements of the regulation.

Some of the requirements will not pose major changes to current frameworks and arrangements whereas others will require a lot of time, coordination, and effort from very different professionals within organisations.

KPMG can assist with:

  • Gap analysis for checking readiness for compliance with DORA
  • Review of strategies, policies, procedures, ICT protocols and tools
  • Defining a well-documented ICT Risk Management Framework
  • Establishing an information security management system to protect confidentiality, integrity and availability of information assets
  • ICT Third party risk management
  • Reviewing and enhancing Security Incident Management procedures
  • Implementing policies, procedures and controls for ICT change management
  • Establishing and reviewing ICT Business Recovery Mechanisms (e.g., BCP, DR, BIA)
  • Security Awareness Training



We at KPMG frequently provide cross-functional professional advice in the field of ICT risk management, cyber security and data protection and are used to bringing together different stakeholders in our client organisations.