Decoding DORA: How Can ServiceNow Help?

Updated: 17th Jan, 2024

DORA, or the Digital Operational Resilience Act, stands as the EU’s newest framework governing digital capabilities for financial entities. Its objective is to provide a uniform set of regulations across Europe, aiding financial institutions in maintaining resilient operations amidst an increasing reliance on ICT services.

DORA – At a Glance 

Proposed by the European Commission in 2020, DORA received official approval from the EU in November 2022, with the framework’s final touches expected by 2024. Relevant parties are expected to adhere to the regulations by 16/1/2025, which is just under a year from now.

While certain specific technical standards of the act are still under consultation, what we do know is that DORA concentrates on five pivotal aspects, each addressing facets of a financial entity’s Information and Communication Technology (ICT) related operations.

ICT Risk Management 

With the new act in action, the responsibility falls upon the executive leadership for orchestrating the organisation’s ICT management. Their duties extend to formulating risk management strategies and ensuring an effective implementation of them. If things go wrong, individual executives can be held personally accountable for their shortcomings in the delivery of the above. 

Financial entities are mandated to establish and sustain a comprehensive ICT risk management framework, which includes mapping out their ICT systems, pinpointing crucial assets and functions, documenting dependencies across assets and providers, conducting routine risk assessments, and crafting mechanisms for continuous learning and evolution, exemplified by the development of disaster recovery plans. 

Incident Response and Reporting 

Entities must establish structured processes for overseeing, logging, managing and reporting ICT incidents. The recorded incidents will undergo classification based on forthcoming criteria, drafted by the authorities.  

Depending on severity, entities may be required to formulate reports in specific formats for notifying users, clients, and authorities. These documents will be used in facilitating in-depth causal analyses to prevent future incidents. 

Resilience Testing 

All tech services and systems used will need regular check-ups for vulnerabilities. Outcomes must be handed over to the governing body for validation. Any identified deficiencies require immediate rectification.  

Organisations deemed critical to the financial system, along with their critical ICT providers, will undergo Threat-led Penetration Testing (TLPT) every three years in addition to the regular assessments, to address the higher stakes of their risk exposure.

Third-party Risk Management 

Entities will play a more proactive role in managing risks tied to third-party ICT services. If the company’s crucial functions rely on these outsourced elements, the negotiation of specialised contractual arrangements – such as exit strategies and audits – is imperative. A meticulous mapping of third-party ICT dependencies is also vital for ensuring firms are not disproportionately relying on external providers.

ICT service providers failing to meet the requirements will be ineligible to enter into contracts with any covered entities. Critical third-party providers, additionally, will be subject to direct oversight by the governing authority. 

Information Sharing Arrangements  

Structured processes need to be in place for timely updates on both internal and external ICT incidents, so that entities can swiftly prepare for any emerging challenges.

In line with DORA’s principles, organisations are strongly encouraged to participate in a voluntary threat intelligence sharing arrangement. The collaborative effort aims to enhance the efficiency of information sharing among financial institutions, fostering a collective approach toward addressing upcoming threats in the ICT landscape. 


Who will be affected? 

DORA applies to all kinds of financial entities within the EU, e.g. banks, insurance companies, investment firms, credit institutions, crypto asset organisations, fintech entities, and audit firms. What sets DORA apart from other existing regulations is its wide net: it also covers ICT providers who supply their services to the financial entities listed above.

To those in the United Kingdom: if any of your financial market activities take place in the EU jurisdiction, DORA is still a legal obligation that executive leaders need to adhere to. Whether your organisation is under the umbrella or not, it’s the perfect time for an ICT system check. Compare notes between the UK Operational Resilience Regulation and your company’s current setup, and see if there are any extra requirements to fulfil, such as measures needed for identifying important business services and scenario testing.

ServiceNow and DORA 

For leaders guiding financial entities within the purview of DORA, the road ahead involves more than just compliance – it's about smart planning and seamless execution. Before the full application of the act in January 2025, identifying the compliance gaps between DORA and other resilience requirements like EBA and EIOPA is the strategic move. Crafting a step-by-step plan to bridge these gaps ensures smooth sailing through the regulatory landscape.

Mapping ICT services, devising resilience control tests, and creating action plans for remediation can easily be a team’s full plate, especially with regulations constantly evolving. That’s why it's time for a tool that gets the job done without the extra fuss of endless spreadsheets. If your team is already a user of ServiceNow, it is pragmatic to validate whether its functionalities can be expanded to ensure your company is DORA compliant. That way, you won't need to invest time and effort searching for and installing additional platforms and processes to replicate what you already have. Many customers find that ServiceNow fits perfectly with their DORA obligations.

| Key DORA Obligations | Applicable ServiceNow Capabilities | How to Leverage ServiceNow's Benefits |
| --- | --- | --- |
| ICT Risk Management | Integrated Risk Management | Steers your company's risk framework through user-friendly applications. Handles policy management, control testing, and report audits. Ensures compliance with relevant regulations including DORA. |
| Incident Reporting | IT Service Management and Security Operations | Great for swift incident discovery and intelligent resolution. Minimises destructive impact from incidents. |
| Critical Service Dependency | Configuration Management Database | Provides you with visibility into critical services, their interactions and dependencies. Easily queried, and drives efficient incident management with appropriate reporting. |
| Third-party Risk | Vendor Risk Management | Designated communication hub with your ICT providers. Integrated touchpoint for streamlining third-party risk management. |

If any of the issues in this blog sound familiar and you’re looking to make the most of ServiceNow, we’d happily have a chat and share our experiences. Talk to our Head of Delivery and we’ll show you how we’ve assisted other customers in aligning with DORA. 


Written by

Myles Molloy

Director of Advolution
