DORA's ICT-risk framework: who's responsible for what?

In an increasingly digitized world, financial entities face a growing array of information and communication technology (ICT) risks. To address these challenges, the European Union has introduced the Digital Operational Resilience Act (DORA) regulation. DORA aims to establish a robust and comprehensive ICT risk management framework to ensure the security, stability, and continuity of financial services. In this blog, we will delve into the key components of DORA and its significance for the financial sector.

The Digital Operational Resilience Act outlines a broad and far-reaching framework designed to address various ICT risks faced by financial entities. The regulation encompasses a wide range of aspects, including ICT risk management, backup policies, detection mechanisms, response and recovery procedures, communication strategies, and more.

At the heart of DORA lies the ICT risk management framework. Financial entities are required to establish a sound, comprehensive, and well-documented approach to address ICT risks efficiently. This framework shall protect both information and ICT assets, including computer software, hardware, and sensitive infrastructures, from unauthorized access, damage, and usage.

Responsibility for: Senior Management, Chief Information Officer (CIO), Chief Technology Officer (CTO), IT Security Team, Risk Management Team

Financial entities must employ and maintain updated ICT systems, protocols, and tools appropriate to the scale of their operations. These systems shall be reliable, capable of processing data accurately and promptly, and technologically resilient to handle adverse situations.

Responsibility for: IT Department

To promptly detect anomalous activities and potential threats, financial entities must identify and classify all ICT-supported business functions, information assets, and dependencies. Detection mechanisms shall enable multiple layers of control, define alert thresholds, and trigger incident response processes.

Responsibility for: IT Security Team, Incident Response Team, IT Operations Team

DORA mandates the implementation of ICT business continuity policies and response and recovery procedures to ensure the continuity of critical functions. These measures include backup and restoration methods and secure data management.

Responsibility for: Business Continuity Manager, Incident Response Team, IT Operations Team

Financial entities must have crisis communication plans to responsibly disclose major ICT-related incidents to clients, counterparts, and the public. They shall also establish internal and external communication policies, ensuring timely and relevant information is conveyed to staff and stakeholders.

Responsibility for: Crisis Communication Team, Public Relations (PR) Team, Senior Management

A learning culture is essential in managing ICT risks effectively. Financial entities must gather information on vulnerabilities, analyze cyber threats and incidents, and conduct post-incident reviews for improvement.

Responsibility for: Incident Response Team, Risk Management Team

Certain small and non-interconnected financial entities are exempted from the comprehensive DORA requirements. Instead, they follow a simplified ICT risk management framework tailored to their needs, emphasizing quick and efficient risk management while maintaining system security and resilience.Certain small and non-interconnected financial entities are exempted from the comprehensive DORA requirements. Instead, they follow a simplified ICT risk management framework tailored to their needs, emphasizing quick and efficient risk management while maintaining system security and resilience.

The DORA regulation represents a significant step forward in securing the digital landscape for financial entities. By implementing a comprehensive ICT risk management framework, organizations can safeguard their operations, protect sensitive data, and ensure the continuity of critical functions. The simplified framework for eligible entities also fosters adaptability and resilience, enabling them to navigate the digital realm confidently. Through collaborative efforts and continuous learning, the financial sector can embrace DORA as a catalyst for stronger digital operational resilience.