Recently, the European Union (EU) has introduced legislation aimed at enhancing the resilience of individual organisations, thereby strengthening the overall resilience of the EU. One such initiative is the Digital Operational Resilience Act (DORA). DORA aligns with other EU regulations, such as the Network and Information Security (NIS) directive, and specifically targets the financial sector (FS). It is binding for all FS entities and FS ICT third-party service providers, significantly impacting how they manage digital operational resilience beyond traditional IT-focused continuity measures. At the same time, DORA presents an opportunity for leaders to drive competitiveness through improved resilience practices and the resulting increase in customer trust.

On the 25th of March 2024, the MFSA released its minimum supervisory expectations for 2024 in relation to the level of DORA compliance that it expects financial entities to achieve in the current year. In light of these requirements, the MFSA has been actively engaging with Financial Entities through letters addressed to board members mandating DORA Reviews within a strict deadline of 6 months from receipt of the letter. 

DORA: Key Points & Quick Insights

Organisations affected by this regulation have been given a grace period until January 2025 to achieve complete compliance.

DORA encompasses five essential pillars: ICT Risk Management, ICT-related Incident Management, Digital Operational Resilience Testing, ICT Third Party Risk Management, and Information Sharing Arrangements.

Under DORA, additional RTS/ITS documents will be issued by the ESAs, providing detailed guidelines and practical requirements on the implementation of DORA.

DORA is considered a “lex specialis” for the financial sector where its requirements take precedence over any overlapping regulations in the realm of digital finance.

Penalties for non-compliance can amount to up to 2% of total annual worldwide turnover or a maximum fine of EUR 1,000,000.

Is YOUR business prepared for DORA Compliance? 

The MFSA continues to expect management bodies to ensure that their respective Financial Entities are on track and undertaking concrete action to achieve compliance with the DORA Regulation by its date of applicability. In addition, the authority will be engaging with in-scope businesses using any of the supervisory tools available to it, such as a Supervisory Inspection, a Thematic Review, an ICT Risk Questionnaire, or a separate Dear CEO letter, to assess the Financial Entity's progress against the 2023 and 2024 Minimum Expectations. It is important to note that while DORA introduces stringent requirements for operational resilience, it also offers leaders a strategic opportunity to push their businesses towards greater competitiveness by future-proofing their operations.

Our DORA Readiness Assessment Tool

DORA is a comprehensive regulation with intricate details and depth. Deciphering the text and integrating it into your organisation's operational processes within the enforcement timeframe can pose challenges, especially for small and medium-sized organisations. Considering this and the MFSA's 2024 expectations, our team has developed a DORA Readiness Assessment Compliance Checklist that aims to offer an overview of your current compliance status and pinpoint areas of non-compliance and potential risks.

The assessment will be conducted using our AI-powered GRC Automation Tool, equipped with robust analytics and reporting capabilities. The resulting dashboards can then be shared with senior management and board members, providing a clear view of the company's current state and facilitating communication with stakeholders to align compliance efforts.