DORA, the Digital Operational Resilience Act, affects companies in the financial sector. The requirements serve to review and confirm the resilience of the company at IT level and must be implemented by the affected organisations by 17.01.2025.
In addition to other very detailed requirements, analyses must in future also take into account risks from third-party providers, for example.
CIS network partner and BCM expert, Margit Mann, spoke to BCM Officer Lea Grösser, MA, and asked her for insights into how the topic is implemented in practice. Ms Grösser is part of the project team implementing DORA at Bank Gutmann AG. A graduate of the Integrated Risk Management programme, she has been working in risk management since 2020, having previously spent eight years in the banking sector.
Ms Grösser, when did you join DORA?
Since around the beginning of 2023.
How did you approach the topic in general?
A cross-departmental project team was formed with specialists from various areas, such as legal, IT operations and IT security, risk management/BCM and other specialist areas. The focus was on analysing the various articles of the regulation in order to carry out a comprehensive GAP analysis and thus assess our level of maturity with regard to DORA. The individual task packages were then distributed and ongoing coordination was initiated.
What are the most important topics for you in summary?
Where are the greatest risks/opportunities for companies in the banking sector in the course of implementing DORA?
Opportunities lie in the increased monitoring of ICT service organisations; in the increased cooperation and exchange of information on cyber threats between financial companies; in the strengthening of internal cooperation between IT and control functions and, of course, in the strengthening of their own resilience and security.
Risks include the high time and resources required to analyse and implement all requirements and the costs of advanced testing (TLPT) and technology.
In your experience, which articles in DORA tend to be more complex to implement?
Fortunately, we already meet many of the requirements of the regulation and only need to make adjustments to the organisation or documentation for some points.
It will be somewhat time-consuming to bring all existing guidelines, policies, instructions etc. into a standardised risk management framework in accordance with Art. 6 of the regulation. However, this also gives us as a company the opportunity to standardise and aggregate our documentation, which will benefit us in the long term.
The identification and classification of all ICT-supported business functions, as required in Art. 8, will also be time-consuming. Some things will also become clear once these have been finalised.
What issues does business resilience have in terms of implementation from your perspective?
What industry-specific challenges do you see with implementation?
Every financial company must first determine what specific requirements apply to its own organisation, depending on the size of the company and the services it provides.
For companies that have not yet carried out threat-led penetration tests, preparing and conducting these in collaboration with external providers is likely to be a challenge. In addition, DORA requires even greater monitoring and control of third-party ICT service providers than was previously the case. Furthermore, there may be a lot of organisational and administrative work involved in fulfilling all documentary requirements.
What recommendations do you have for avoiding “stumbling blocks” and making rapid progress with implementation?
It is important to move away from the silo mentality that still prevails in some companies. For DORA to be implemented effectively, it is important that all departments involved work closely together and benefit from each other. It is also advisable to start analysing and implementing at an early stage. The regulation does not appear to be particularly complex, but there are some contents whose implementation, depending on the current status in the company, can take quite some time and human resources, also with regard to the management systems.
What do you mean by DORA triggering other standards, among other things?
DORA is intended to harmonise and expand various existing standards in the EU member states and close gaps. Standards related to DORA are, for example, the EBA guidelines on outsourcing, the EBA GL on the management of ICT security risks, Section 25 BWG on outsourcing, Solvency II, the NIS2 Directive, the Cyber Resilience Act, the TIBER framework and various country-specific laws and standards, to name but a few.
Conclusion
DORA, in its complexity, harbours the opportunity to increase the maturity level of management systems, such as ISMS, IT/data security and BCM, in companies. Effective implementation requires close cooperation between the individual areas.
About the author
Margit Mann, MSc.
As manager of the Business Resilience, BCM division of a large insurance company in Austria, she knows the importance of the interaction of management systems, the interface topics to ISO 22301 and the adaptation of new guidelines and topics. Her personal motto: Continuous improvement as the path to success.