The Digital Operational Resilience Act and the role of IT consultancies

26 June 2023 | Consultancy.uk

The Digital Operational Resilience Act is the latest piece of regulation introduced to ensure that businesses in the financial sector are resilient enough to withstand a cyber-attack. AJ Thompson from Northdoor explains how IT consulting partners can help firms adhere to the new law by examining systems for vulnerabilities and ensuring proactive defence against hackers.

The Digital Operational Resilience Act (DORA) is an EU-wide regulation, but it is still relevant to UK businesses and is likely to be brought into UK law in the near future. DORA provides a very specific set of criteria and instructions that will shape how organisations in the financial sector manage ICT and cyber risks.

The financial sector in particular is under an increasing threat from cyber-criminals. The nature of the data held by businesses in the sector means that it is an incredibly tempting target and any loss of data can be hugely damaging for both organisations and their customers.

How consultants can help firms abide by the Digital Operational Resilience Act

The monitoring of this regulation is also likely to be more stringent than that of others introduced in the past. There is a large emphasis on reporting, communication and assessments that will take place at regular intervals. This is therefore not a one-time tick-box exercise, but an ongoing process.

DORA rests on five key pillars: ICT risk management; ICT-related incident reporting; digital operational resilience testing; ICT third-party risk; and information sharing.

While all of these elements should be high on the priority list of any financial sector organisation, this regulation is designed to ensure that companies check each of them regularly and report back on their effectiveness. Risk management, incident reporting and resilience testing are important for all organisations, but the two pillars that stand out are those acknowledging the threat from third parties: ICT third-party risk and information sharing.

We have seen cyber-criminals target supply chains to hit organisations through the 'back door', and the relationship ICT companies have with their clients means that key systems are connected. The information sharing element is also interesting for this reason.

Sharing experience and information about cyber threats is increasingly important. Cyber-criminals are constantly changing their approaches and increasing the sophistication of their attacks. Organisations in the same sector securely sharing information about what these approaches look like can therefore only be helpful in keeping the criminals out.

Be ready for 2025

DORA came into force at the beginning of 2023, and over the next few months the regulatory and technical standards will be developed by the European Supervisory Authorities (ESAs), which draw up warnings and recommendations for risk mitigation in the financial sector across Europe and are affiliated with the European Central Bank.

By next year the ESAs will implement the standards, and by the beginning of 2025 the DORA requirements will be enforceable, with all financial companies expected to be compliant with the regulation by January 2025.

Although this seems a long way off, companies need to start work now in order to ensure that they are ahead of the game. This is, after all, about ensuring resilience in the face of an increasingly sophisticated threat, so putting the right processes in place sooner rather than later can only be a good thing for the financial sector.

Whilst enforcement of the regulation looks set to be proactive, there is still some uncertainty about the penalties for non-compliance. The way the regulation has been introduced points to some fairly hefty consequences: it has been suggested that a fine perhaps equal to one day's trading will be issued. There is also, unlike some other regulations, a criminal element, with charges likely to be brought against companies and individuals who do not adhere to the regulation.

This of course takes it to new levels and should act as a real warning to the financial sector to get its house in order or face the most serious of consequences.

Preparing for DORA

Depending on their size and the perceived risk of cyber-crime to the organisation, financial companies have between one and two years to ensure adherence to DORA. Although companies should have many of the elements already in place, the scope, the regularity of scrutiny and the potential results of non-adherence make the task a daunting one for many, especially for those who have so far been unaware of the impending regulation.

In order to ensure adherence, and more importantly ongoing adherence, to the regulation, some are turning to IT consultancy and cyber security specialists. Not only does this take the pressure off in-house teams, but because partners can offer whole teams of experts, there can be confidence that adherence is achievable.

It is also key to remember that the whole point of DORA is to ensure that financial institutions are able to withstand a cyber-attack or IT incident. Putting in place policies and strategies that ensure adherence will as a result also ensure that companies are better protected from attack and resilient enough to carry on business even if a cyber-criminal gets through.

An IT consultancy can keep a constant eye on the threat landscape as well as on any vulnerabilities within systems, helping to keep cyber-criminals out, ensure adherence to DORA and protect the financial sector from an increasingly sophisticated threat.

Northdoor is an IT consultancy based in London. The firm was recently ranked among Consultancy.uk’s Top Consulting Firms in the UK, where it received a Gold rating for Data Science.