
Accenture: Banks need to embrace change ahead of DORA

Milan-based Fabio Colombo

Banks and other finance firms will need to update their operating procedures, risk assessments and testing capabilities if they wish to be fully compliant with the EU's new DORA framework.

In fact, the Digital Operational Resilience Act (DORA), which will come into force in January of 2025, will also require operational reviews, system evaluations, more training and frequent audits, according to a leading voice in the IT security consultancy space.

Fabio Colombo, head of Global Cybersecurity for Financial Services at Accenture, the professional services giant specialising in IT services and consulting, warned that banks and other financial services firms should not underestimate the changes that are needed ahead of DORA.

Milan-based Colombo pointed out that DORA’s first pillar, ICT risk management, “outlines the need for financial institutions to fortify their digital defences.”

He said the new regulation emphasises not merely standard cybersecurity measures, but also robust administrative procedures, internal controls and risk assessments.

“In simpler terms, it’s about ensuring the digital infrastructure is solid, secure, and resilient against potential threats,” Colombo wrote in World Finance magazine.

He stressed that incident management, the second pillar, mandates a swift and organised response to any digital incidents.

“In an interconnected financial world, where borders are porous, DORA sets a precedent for cybersecurity practices.”

– Fabio Colombo

Financial entities are required to report incidents promptly and consistently, in line with the seven classifications detailed in the legislation and proposed in the draft technical standard, fostering a culture of transparency and learning from each disruption.

“It’s not just about addressing the immediate challenges but also about building resilience through experience,” Colombo continued.

In fact, “firms will need to update their SOPs and the systems for detection, management and resolution of incidents to include operational reviews, system evaluations, training, frequent audits, and regular reputational risk assessment due to the additional disclosures – this may also require regular updates of competitive positioning,” he added.

Moreover, Colombo is convinced additional resources will be required for development, implementation, and regular auditing.

“It should not be forgotten that these procedures and their oversight need integration with other managerial tasks, which will add to operational complexity,” Colombo continued.

Risk management

A third pillar in DORA revolves around third-party risk management, acknowledging “the interconnected nature of the financial ecosystem,” as Colombo put it.

The expectation is that the financial services entity becomes responsible for the management of ICT across its digital supply chain, ‘back-to-backing’ its obligations in contracts with third-party suppliers.

“Not only does this require changes within procurement, but breaches of sub-contracted legal obligations become the responsibility of the FS entity, as they are still accountable, you cannot contract away a compliance obligation.”

Effectively, it means that “this will require FS firms to be more prescriptive with suppliers around their risk management approach and will require reviews and audits by the FS firm,” Colombo analysed.

“Financial institutions need to move away from siloed risk management.”

– Fabio Colombo

Finally, since DORA is principles-based, each financial institution is required to set up a sound governance model that can keep pace with new threats and countermeasures.

As two good examples, Colombo singled out post-quantum cryptography and generative AI.

“This requires a paradigm shift from current isolated risk management practices to using an Integrated Risk Management (IRM) approach,” he continued.

As a result, financial institutions need to “move away from siloed risk management and embrace an integrated strategy that considers the interconnected nature of risks,” Colombo concluded.
