What is the Digital Operational Resilience Act (DORA) and why does it matter?

Insight — 14th November 2024

The Digital Operational Resilience Act (DORA) is a European Union regulation (Regulation (EU) 2022/2554) that requires financial entities to take a more robust and resilient approach to delivering their digital capabilities.

DORA entered into force on January 16, 2023, and applies from January 17, 2025, from which date it is enforced by the competent authorities of EU member states.

Much like rules around financial stability and soundness, DORA seeks to ensure the financial services industry is resilient in the event of a severe operational disruption. It recognises the interconnectedness of the modern financial services industry, with firms relying on numerous suppliers, any of which can affect a firm's resilience.

Such a disruption could be caused by cyber security or information and communication technology (ICT) failures, including ransomware attacks that take services offline or a distributed denial of service (DDoS) attack. However, the rules go further, demanding business continuity plans that consider service availability and related market risks, such as the takeover or insolvency of a supplier, that could affect a firm.

The issue of operational resilience was brought sharply into focus by the mass outages caused by cyber security firm CrowdStrike in July 2024. A faulty update to the company's endpoint security software caused Windows hosts running it to crash, causing travel chaos around the world, with bank and healthcare services also badly hit. The incident was not an attack, but it illustrates a point DORA makes explicitly: a single widely used ICT supplier can itself be a concentration risk.

The intent behind DORA

The EU has prioritised these reforms because the financial services sector is increasingly dependent on technology and tech companies to deliver its products and services. DORA introduces a single, consistent supervisory approach across a wide range of financial market participants, including credit institutions, payment institutions, electronic money institutions, investment firms, and exchanges and clearing houses.

DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU, as well as the ICT infrastructure supporting them from outside the EU. The regulation introduces specific and prescriptive requirements for all financial market participants.

The impact of DORA

Under DORA, banks such as ClearBank are required to undertake rigorous IT risk management, incident management, classification and reporting, digital operational resilience testing, information and intelligence sharing in relation to cyber threats and vulnerabilities, and measures to manage third-party risks.

The five pillars of DORA are:

  • ICT Risk Management framework: Firms must ensure an adequate level of separation and independence between their ICT risk management, control and internal audit functions, following either the three lines of defence model or an internal risk management and control model.
  • ICT-related Incident Management, Classification & Reporting: Establishing an ICT-related incident management process and developing the necessary abilities to monitor, manage and track such incidents. Major ICT-related incidents must be reported to the relevant competent authority.
  • Digital Operational Resilience Testing: Establishing a digital operational resilience testing programme including open-source analyses, vulnerability assessments, gap analyses and network security assessments. Critical ICT systems and applications must be tested at least yearly, and certain firms must conduct advanced threat-led penetration testing (TLPT) at least once every three years.
  • ICT Third Party Risk Management: Establishing a strategy for managing, and periodically evaluating, third-party risk. This includes keeping records of all contractual arrangements with ICT third-party service providers in a dedicated Register of Information.
  • Information Sharing Arrangements: Permitting financial institutions to exchange cyber threat information and intelligence with one another provided that the sharing of information takes place within trusted communities, bolsters the digital operational resilience of financial entities and is conducted in compliance with relevant legislation.

DORA also requires conducting assessments of concentration risk related to the outsourcing of critical or important operational functions to external companies.

As a result, certain capabilities such as more detailed operational resilience testing around ICT (particularly threat-led penetration testing) and threat intelligence sharing require attention, while other areas (such as third-party risk management) need to be carefully aligned with existing and emerging UK regulatory requirements.

Then there are the severe penalties for firms that fall foul of the new rules. Administrative penalties for financial entities are set by each member state's competent authority (DORA itself does not fix the amounts); fines of up to 2% of annual global revenue have been cited. Individual managers can also be held responsible for breaches within financial entities, with potential fines as high as €1 million.

For ICT third-party providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of average daily global turnover in the previous business year, charged daily for up to six months until the provider complies. Such critical providers could also face fines of up to €5 million or, in the case of an individual manager, a maximum of €500,000.

ClearBank's approach to DORA

In Q4 2023, ClearBank pulled together a cross-functional project team to oversee the implementation of DORA.

This working group was initially responsible for reviewing the legislation and translating all of its requirements into clear, tangible actions that the bank must complete to achieve full compliance.

Once complete, an extensive gap analysis was carried out to determine which existing controls and processes already met DORA requirements and which gaps and opportunities needed to be addressed. Because ClearBank has operated in the UK for seven years, its operational resilience controls were already aligned with the UK's operational resilience rules.

As a result, it was concluded that the majority of DORA requirements were already in place, including appropriate testing and controls on systems and data protection. In addition, ClearBank has extensive documentation on how it responds to and manages ICT-related incidents should they occur.

Some of the gaps identified were in relation to Supplier Management, specifically reviewing existing contracts and ensuring that the bank has a detailed register of all ICT suppliers.

As referenced above, DORA covers five main elements. Ownership of the controls and processes for these five elements is spread across various teams within the bank, including Operational Resilience, Information Security, Incident Management and Procurement. Depending on the domain of expertise, each DORA requirement was assigned to a dedicated owner within the bank, who was responsible for addressing any gaps and gathering the relevant evidence.

The DORA project management team used the Project and Roadmap capabilities within Teams and created individual tickets for each DORA requirement. Each individual ticket was assigned to the relevant owner along with clear actions and a deadline for completion. From there, it was the responsibility of the action owner to address the identified gaps and upload evidence to the relevant tickets within the agreed deadline.

The project team also put extensive reporting and governance in place to ensure the appropriate oversight and completion of DORA requirements. Every month the working group and action owners meet to provide progress updates and ensure continuous closure of all requirements. A reporting pack is subsequently shared with the management board for visibility and awareness.

A three-layer approval process has been put in place to certify that all actions and controls meet the requirements and can be considered compliant:

  • 1st line: the project team reviews and validates the evidence uploaded to each ticket, and completion is reflected in the monthly reporting pack.
  • 2nd line: ClearBank's EU Head of Compliance reviews completed actions and certifies that the evidence sufficiently demonstrates DORA compliance.
  • Final approval: once a requirement is deemed met by the 1st and 2nd line, the Management Board gives final approval.

ClearBank's DORA assessment

As mentioned, we must comply with existing operational resilience rules in the UK, which means ClearBank already met approximately 50% of all DORA requirements. For this group of requirements, the actions assigned to dedicated owners consisted of gathering the relevant evidence.

Approximately 40% of the remaining DORA requirements were considered to be in place but not sufficiently documented. An example is the extensive penetration testing carried out on our systems, which was not adequately documented in our policies and procedures. The final 10% of requirements were specific to supplier contracts and the creation of a detailed Register of Information covering our ICT suppliers.

As a result of the hard work across multiple teams within the bank, we aim to be DORA compliant on schedule for the legislation coming into effect in January 2025.

Ezequiel Canestrari is Chief Operating Officer of ClearBank Europe driving and executing our European expansion strategy. Before becoming Chief Operating Officer, he held several senior leadership roles within ClearBank, including Head of 1st Line Risk and Head of Strategic Execution. Ezequiel has a diverse range of experience spanning over a decade, with a deep understanding of operations, risk management, payments, programme management and treasury.
