Decrypting DORA Through the Lens of Process Management

The Digital Operational Resilience Act (DORA) is a regulatory framework proposed by the European Union to strengthen the operational resilience of the financial sector against digital disruptions. It aims to ensure that all financial institutions, including banks, insurance companies, and investment firms, can withstand, respond to, and recover from technology-related risks.

DORA sets out requirements for firms to identify, manage, and report cyber threats, test digital defenses, manage third-party risks, and maintain continuity in the face of ICT (Information and Communication Technology) disruptions. This legislation represents a unified strategy to bolster the financial industry’s defences against cyber incidents and IT failures.


With the introduction of this legislation, the EU acknowledged that the existing financial services legislation, which put in place a single rulebook governing large parts of financial-market risk, did not go far enough to address digital operational risks and resilience.

One of the challenges that organisations have faced in managing operational resilience is in the choice of tools used to model critical business services. Governance, Risk and Compliance (GRC) tools are not designed to model business processes and provide visibility of how business processes, people, and technology interact.

In the realm of operational resilience, having clear visibility and the ability to accurately discover, model, and simulate business processes are indispensable. These capabilities are essential for effectively preparing for and responding to various challenges, such as crises, disasters, and unexpected disruptions. Without the ability to accurately model and simulate scenarios reflecting these challenges, maintaining operational and business resilience becomes a daunting task.

Therefore, it is no surprise that as the clock ticks towards the January 2025 deadline, the spotlight turns to the role of process management in operational or business resilience.

The DORA regulation covers a lot of ground and includes the following:


1. Scope: DORA applies to all financial entities operating within the European Union, whether they are banks, stock exchanges, or insurance companies.

The scope is massive when you consider the full list of categories of organisations that include financial services firms and associated service providers:

  • Credit institutions
  • Payment institutions
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Trade repositories
  • Managers of alternative investment funds and management companies
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries
  • Reinsurance intermediaries and ancillary insurance intermediaries
  • Institutions for occupational retirement pensions
  • Credit rating agencies
  • Statutory auditors
  • Audit firms
  • Administrators of critical benchmarks
  • Crowdfunding service providers

2. Operational Resilience: Financial entities must establish a framework to ensure operational resilience. This includes risk management, incident reporting, and business continuity plans.

Reading through the EU legislation, the focus is clearly on digital infrastructure and risks associated with it, and the outcome is better resilience at the operational and business level.

3. ICT Risk Management: Entities are required to implement Information and Communication Technology (ICT) risk management processes. This covers everything from software to hardware and even human factors.

The risk management processes include all the standard ones, such as risk identification, protection and prevention, detection, response and recovery, and so on.

So, DORA attempts to bring the world of GRC and the world of processes together in one comprehensive piece of legislation.

That is where I foresee challenges for the industry, as those two worlds – GRC and processes – have their own set of software solutions and the twain rarely meet, as I commented at the beginning of the article.

4. Testing and Reporting: Regular testing of digital resources is mandated. This includes ICT protocols, cybersecurity measures, and other digital systems.

DORA mandates a robust testing framework for Europe’s financial sector to bolster its cyber defences. Its essence is a continuous, rigorous testing regime that ranges from traditional vulnerability assessments to sophisticated simulations mimicking real-world attacks.

Beyond testing, it requires precise reporting of vulnerabilities and incidents to regulatory bodies, ensuring a cycle of perpetual strengthening.

5. Oversight: A supervisory framework is established to oversee the operational resilience of financial entities. This involves both national and European bodies.