Setting off for DORA – Your Preparation in 3 Steps

22 February 2024

DORA, the Digital Operational Resilience Act, is currently keeping the entire European financial sector on tenterhooks. The EU regulation (Regulation (EU) 2022/2554) brings extensive requirements for digital operational resilience, and there is less than a year left to implement them in your own company: DORA becomes fully applicable on January 17, 2025, and by that date the processes and systems in scope must meet its requirements.

For financial institutions and companies that provide ICT services for the financial sector, this means aligning business processes with the requirements of DORA as quickly as possible and developing a roadmap for implementation. But what are sensible first steps?

We asked Dr. Christian Schwartz, Head of Security in Finance in the Security Consulting Team at usd AG, what he recommends to affected companies:

"With DORA, these companies are facing a lot, and I don't want to gloss over that. But it can be managed with timely preparation. I always advise my clients to proceed in three steps: Start with a Preliminary Analysis, followed by a Gap Analysis and then carry out a Harmonization Project based on these results.

Let's compare the preparation for DORA with the plan to hike to the top of a mountain - or at least to a plateau with a really good view. While we are still down in the valley, i.e. before we even set off on our hike, we should study our destination and the expected terrain. We do this in the Pre-Analysis. In terms of your DORA project, this means that we get an overview of the requirements with all stakeholders. We transfer the definition of "critical and important functions" from DORA to the functions of your company. If you are a large corporation, we also need to clarify which business units fall within the scope. And finally, we examine which other security standards and national regulations affect your company. In most cases, the systems and processes implemented to comply with ISO 27001 or the BaFin regulations such as BAIT or KAIT can be used as a basis. Mappings to these requirements may already be available and can be used.

As a result, we have clarified what the destination looks like, who is coming with us and what we already have in our backpack or, even more figuratively, at which points the climb will be made easier by stairs or lifts.

Now we want to know even more precisely which route we choose, what challenges we may encounter and how well prepared and equipped the hiking group is. To do so, we carry out a Gap Analysis based on the DORA requirements. This involves document reviews and interviews with those responsible. The results of this detailed analysis provide a good picture of the expected effort. In particular, they provide implementation options that can be used to set the direction for implementation at the highest management level (Action Plan).

However, it is important to remember that preparations for DORA must always be approached with a certain degree of flexibility. Just as it can always happen on a mountain hike that something blocks our path or the weather changes, DORA requirements may change between now and January 2025, for example through the finalization of the Implementing Technical Standards (ITS) and Regulatory Technical Standards (RTS).

After a detailed briefing for the management and with a proper Action Plan for Harmonization in our backpack, the actual preparations can now begin. Of course, my colleagues and I will not leave you to do this alone. Because now the hard part begins. But we are always at your side as guides and fellow hikers. Feel free to contact us."

Critical or important function according to DORA

The majority of DORA requirements apply to the ICT systems that support critical or important functions. An important lever for the efficient and effective implementation of DORA is therefore the correct identification of these critical or important functions.

According to DORA, a "critical or important function" means a function

  • the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities,
  • or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.

DORA, Article 3 (22)
