The to-do list by 2025
With these positives in mind, it is up to organisations to position themselves for secure future operations in the EU. But DORA is expected to go into full effect on January 17, 2025, and for some, the to-do list may be extensive. Below, Khokhar gives his top tips for organisations that need to enact transformative change.
“I encourage organisations to start early and take comprehensive actions to comply with regulations to ensure that they’re not left behind.
“DORA is based on five pillars of resilience: ICT risk management, ICT incident reporting, digital operational resilience testing, ICT third-party risk, and information and intelligence sharing – preparations need to be centred around them.
“ICT risk management is crucial for minimising the chances of unexpected cyberattacks by requiring thorough risk assessments to proactively prevent and detect potential threats. This pillar urges each firm to implement appropriate measures, safeguard risk management, and establish a robust ICT risk management framework.
“To accomplish this, institutions need to first develop a comprehensive framework for identifying, classifying, and managing risks; define strategies for risk prevention, response and recovery; and plan for educating management and staff.
“ICT incident reporting mandates companies to provide detailed reports on incidents, capturing information on affected users, data loss, severity of system impact, geographical spread, service criticality and economic impact.
“This allows effective incident monitoring, management, and continuous improvement for enhanced recovery. Companies should look to update their incident classification methods, as well as establish internal and external notification channels.
“Next is probably the most challenging of the pillars. Digital operational resilience testing requires financial institutions to undergo threat-based penetration testing every three years.
“And as this process takes a while – up to two years – this means organisations need to be equipped early for the regulator-authorised testing deadline by the end of 2024.
“The ICT third-party risk pillar mandates organisations to integrate third-party risk management into their risk framework. Organisations must formulate a well-defined strategy and policy.
“They will need to develop a comprehensive third-party register and conduct regular third-party audits to avoid risks of noncompliance.
“Finally, and to facilitate collaboration among financial services organisations, companies are encouraged to implement automation solutions for efficient information sharing with other institutions, as well as to establish internal communication mechanisms for processing.
“The first set of final draft technical standards under DORA was issued on January 17 this year and submitted to the Commission for adoption.
“While the standards are not yet finalised and still require review by the European Parliament and Council before being published in the European Union’s Official Journal, these technical standards offer a strong foundation for categorising ICT incidents, a regulatory framework for ICT third-party service contracts, standard templates for information registration and risk management tools and processes.
“Gaining full DORA readiness by January 2025 will not be easy, but it is necessary for true operational resilience. It will certainly be no small lift for any enterprise and may even require some rebuilding of technology architecture for some players in addition to all other workstreams.
“While the journey to DORA readiness will pose challenges, the rewards for businesses and the sector at large will be substantial.”