TECH NEWS
DORA launches next year but the time to act is now !
The European Union's Digital Operational Resilience Act (DORA) is poised to revolutionise the European financial sector, enhancing operational resilience, and streamlining legislation on digital operational processes. PwC Luxembourg has created a handy guide to navigate the intricacies of the new regulation entitled “DORA What Matters Now for Your Business Resilience”.
January 18, 2024
Press Release, Luxembourg, 18 January 2024
DORA aims to harmonise existing regulations, integrate information and communication technology (ICT) risks into comprehensive risk management policies, and increase transparency in dealings with ICT third-party providers. This landmark regulation, applicable to virtually all financial entities in Europe, is set to bring about significant changes in internal operations, necessitating strategic business decisions, updated operational and ICT setups, and increased training and upskilling efforts.
A key highlight of DORA is its extra-territorial reach, requiring entities outside the EU that provide ICT services to comply with its provisions if serving financial entities within the EU. With the compliance deadline set for the beginning of 2025, financial entities face a race against time, prompting urgent action from the C-Suite of the financial sector.
“In leveraging DORA as a catalyst for strategic foresight, businesses empower themselves to reinforce their digital bedrock, but it is far more than just an IT exercise. It is also about cultivating innovation, adaptability, and forming a formidable defence against emerging threats. As a professional services firm, we’re not immediately in scope ourselves, but we are endorsing the DORA standards on those parts of our company that service the financial services industry“. – Olivier Carré, Deputy Managing Partner, Technology & Transformation Leader
Digital transformation and geopolitical realities
The digital transformation has interconnected financial entities like never before, relying on a growing array of in-house and outsourced ICT. Geopolitical tensions, especially between the United States and China, have spurred technological rivalries, adding complexity to global ICT dynamics. In this multipolar environment, characterised by political and military uncertainties worldwide, vulnerabilities in global ICT supply chains have become apparent, necessitating change that remains largely invisible to financial entities and regulatory bodies.
Imperative for strong defences
As financial entities increasingly digitise, the threat of cyberattacks looms large. Geopolitical players utilise cyber capabilities for espionage and information warfare, while non-state players resort to attacks for various malicious purposes. Regulatory requirements for ICT resilience have evolved on both sides of the Atlantic, but the divergent nature of provisions remains region-specific. The European Commission addresses this through the introduction of DORA, applicable to EU-regulated financial entities, scheduled to come into force on 17 January 2025.
Opportunity for thoughtful examination
DORA is not merely a compliance exercise but an opportunity for financial entities to conduct a comprehensive assessment of their operational framework. The regulation calls for a proactive review of business functions and processes, adjustments to risk appetite and management approaches, and a shift from traditional reporting to dynamic oversight, especially concerning third-party ICT service providers.
“In a digital age, characterised by rapid technological advancement, increased cyber threats and complex operating models, the importance of resilience and hence of DORA cannot be minimised. Rather than seeing this as a burden, financial institutions should embrace it as an opportunity to transform. By simplify their landscape, enhancing their processes they can stand out from competition, maintain customer trust and prepare for future regulations. It’s more than just compliance; it’s about future-proofing our digital strategies..”Patrice Witz, Advisory Partner, Technology Partner and Digital Leader, PwC Luxembourg stated,
In a race against the clock, financial powerhouses find themselves on a mission: To achieve compliance with DORA by the dawn of 2025. The dynamic C-Suite of Europe’s financial realm must now act swiftly and with strategic skill to navigate this time-sensitive challenge. The stage is set, and the stakes are high in this compelling race against the compliance clock.
The C-suite titles and DORA roles:
- Chief Executive Officers (CEOs) play a crucial role in leading their companies to comply with DORA. They should see it as a chance for strategic business transformation and ensure comprehensive implementation across the firm. Providing guidance to all stakeholders is essential, including group functions and supervisory authorities. With DORA highlighting operational resilience incidents, CEOs must carefully assess opportunities and risks, especially when outsourcing ICT services.
- Chief Risk Officers (CROs) must incorporate and measure a company’s ICT risks comprehensively, integrating them into the overall risk assessment alongside other existing risks. Additionally, CROs should assess both internal and external risks, including reputational and legal concerns, especially in the event of a significant cyber-attack or operational incident.
- Chief Operating Officers (COOs) must examine current processes to identify opportunities for scaling operations. They should also assess existing ICT outsourcing chains, aiming to align operational resilience with efficiency and long-term scalability.
- Chief Information Officers (CIOs) play a crucial role in the early stages of DORA compliance by conducting the initial comprehensive risk assessment. They must also find ways to simplify their company’s ICT landscapes while enhancing operational resilience through resilient solutions and a resilient-by-design approach.
- Chief Information Security Officers (CISOs) hold the crucial responsibility of identifying and evaluating all cybersecurity risks. They inform the company’s leadership about these risks, create plans to address threats, and independently assess the company-wide risk treatment plan prepared by the CIO.
“Stakeholders must navigate the complexities arising from technological competition, operational vulnerabilities, and the evolving threat landscape to ensure the resilience and security of their operations. Within the financial sector, the digital transformation has amplified operational and ICT risks. Establishing and maintaining strong defences against operational and ICT risks has proven to be a major business imperative for financial entities.” Cécile Liégeois, Clients & Markets Leader, Regulatory Advisory Partner
Financial entities must strive for compliance by the start of 2025, leveraging DORA as a catalyst for digital resilience and robust operational frameworks. The time to act is now.
Read the PwC report: “DORA What Matters Now for Your Business Resilience”.