Hugo Zwartkruis
Consultant Regulatory Change and Compliance, The Netherlands
Bram Zwagemakers
Senior Manager, The Netherlands
With the upcoming publication of the second wave of the Digital Operational Resilience Act (DORA) policy standards, we’re taking a detailed look at one of its underlying pillars. But, before we do so, it’s important to provide some context.
Since the pandemic, the financial sector has become increasingly dependent on digital technologies provided by external service providers. This is making financial institutions more vulnerable to cyber-attacks and other disruptions. DORA is a piece of EU legislation that aims to promote the robustness and resilience of their operations, while at the same time fostering a sustainable digitalization of the financial sector.
DORA was adopted in December 2022 and entered into force on 16 January 2023. Some Regulatory Technical Standards (RTS) are still under development, so the contents of this article may be subject to change.
DORA applies to a wide range of financial institutions, including banks, investment firms, insurance companies, and payment service providers. DORA also applies to some non-financial institutions that are critical to the financial system. These institutions are known as critical third-party service providers (CTPPs). CTPPs are entities that provide essential services to financial institutions, such as cloud service providers and data centers. These different types of financial institutions are now subject to harmonized standards on digital operational resilience.
One of DORA’s main pillars is to strengthen the digital operational resilience of the financial sector by standardizing how financial institutions identify, manage, and report major information and communication technology (ICT) incidents across EU member states and different sectors. This includes the ability to classify the cyber threats that could cause disruptions and to report them, and it allows competent supervisory authorities to adopt definitions and processes that are applied consistently across member states.
While established incident management processes exist within many mature financial institutions' risk management frameworks, DORA introduces new requirements for ICT-related incident management, classification, and reporting.
DORA imposes enhanced regulatory obligations for incident management that are significantly more onerous than those in existing regulations. With the level of detail in this new rule-based framework, financial institutions will have to fully re-establish how they deal with incidents. The visual below offers a more in-depth representation of DORA’s incident management process.
In preparation for DORA's incident management framework, several key recommendations have been outlined:
Synechron supports clients with these topics, through enhancing incident management. We conduct a thorough assessment, identify critical gaps, and create an implementation plan tailored to their characteristics.
In further technical standards, the European Commission has urged an eye to proportionality in applying incident classification criteria, steering financial institutions to look at incident reporting pragmatically. If the classification exercise leads to disproportionate incident reporting, they should adjust accordingly. At the same time, financial institutions should also assess incidents qualitatively: cyber attacks or numerous small interruptions may not meet materiality thresholds, but they can be indicative of serious or structural shortcomings in risk management.
Synechron's DORA experts combine regulatory expertise with project management and technological capabilities. With a focus on operational resilience, we turn regulatory complexity into structured compliance, ensuring seamless DORA integrations and fortified ICT frameworks. Whether it's crafting bespoke progress reports or revolutionizing your incident management with digital tooling, Synechron stands as your navigator in the ever-evolving landscape of digital operational resilience, transforming regulatory requirements into strategic advantages.