Making Sense of DORA - Opportunity for Differentiation

The EU’s Digital Operational Resilience Act (“DORA”) deadline is fast approaching and affects many of us in the Irish funds industry, including delegated third party providers. Marcos Zubrzycki (PwC) interviews PwC Ireland’s Moira Cronin and Neil Redmond to explore the key aspects of the new legislation as it impacts the funds industry.

DORA comes into force in January 2025 and while it is a huge compliance endeavor, it brings big opportunities to catapult firms to new levels of risk resilience and differentiation. Boards are ultimately responsible for DORA compliance and need to get up to speed. PwC Ireland’s Moira Cronin, Digital Risk Assurance Partner, and Neil Redmond, Cybersecurity and Privacy Competency Lead, explore the key aspects of the new legislation as it impacts the funds industry.

Moira, tell me what is DORA and why now?

The whole purpose of DORA is to ensure convergence and harmonization of security and resilience practices across the EU but it requires a step-up. That step-up includes, amongst other aspects, the information and communications technology (ICT) third parties that support the funds industry.  Basically, the same rigor needs to be applied to ICT third parties as is the case internally within the organization. DORA brings the rules of ICT risk together into one single piece of legislation.

As to why now, requirements on firms to address ICT risks are fragmented and inconsistent between different countries.  It is very important to manage the ICT and cyber risks, particularly as third parties now are a huge part of our industry and there has been such an increase in the threat landscape.

Neil, what are the key elements of DORA?

DORA is structured around a number of fundamental pillars: governance and ICT risk management, ICT related incident reporting, digital operational resilience testing, third party risk management, and information sharing.

Moira, who does DORA apply to and who is enforcing it?

DORA applies to firms regulated in the EU market and their third party providers which may operate within or outside the EU. Where they are supporting the funds industry in the EU market from outside of the EU, they are in scope.

In Ireland, DORA will be enforced by the National Competent Authority responsible for registration and supervision, which will be the Central Bank of Ireland for most of our clients in the funds industry.

Neil, is there a chance that the deadline will be extended beyond 17 January, 2025?

The short answer is unfortunately, No, so organizations in the funds industry really need to start planning now, if not already.

Moira, so who has to comply with DORA?

DORA applies to the FS sector in its widest form including third parties supporting important functions to a regulated entity which clearly includes the funds industry. Some examples include investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, administrators of critical benchmarks, and securitisation repositories. While there is a long list of organizations listed as in scope in the Act itself, some organizations may, in fact, be a delegated third party to another FS organisation and therefore come into scope.

Neil, what exactly does DORA mean for third party ICT providers?

Where an ICT provider is supporting an organization in the funds industry, it will need to collaborate with the entity to ensure they can meet the contractual provisions laid down by DORA. The Act also covers the concept of Critical third party providers, organizations which have a high concentration across the FS sector at a European level. These organizations, for example, include certain cloud providers, which will be subject to regulatory oversight by the European Supervisory Authorities.

Moira, what if the ICT service providers have a Service Organisation Controls 2 (SOC2) report? Is that enough?

The short answer is that these certifications and frameworks will complement your DORA journey but will not get you to complete compliance. The expectation is that we will still have a SOC2 (this report is to ensure that third-party service providers store and process client data in a secure manner) which adds on the additional DORA requirements and an ISAE3000 report specifically to meet the requirements of DORA.

Neil, given that Boards are ultimately responsible for compliance with DORA, what is the one question management companies and even fund Board directors should ask at their next Board meeting?

The most important question they should ask is has a DORA programme been set up followed by who is responsible that full compliance will be met by this coming January.  Other questions the Board should ask include:

• Does DORA apply to our entity?

• Have we identified our Critical or Important functions in relation to DORA and have we performed a mapping to include our third/fourth parties and beyond?

• Have we performed a gap assessment against the DORA legislation to determine how well prepared we are for DORA?

• Do we have a training and awareness session arranged for the Board/ Management Body and/or the employees?

• What timelines are we working towards?

• How do you manage third parties and critical ICT third parties?

Moira, where do you start, and is DORA a one-time project?

We recommend starting with a 4-step approach.  Firstly, set up a governance structure to support your DORA programme with all stakeholders; Secondly, identify your “Critical or Important functions” and map the IT systems and infrastructure supporting these functions end to end (including third parties). Thirdly, perform a gap analysis against the DORA legislation and finally, develop a roadmap to achieve compliance outlining how each gap will be addressed using a risk-based approach to determine the sequence of implementation.

And No, DORA is not a one-time project. As noted, managing ICT/Cyber risk and building digital resilience is a key topic now for all firms and the ongoing management and monitoring of DORA will continue. In fact, the rigor it demands will require more assurance over these risks as we move forward.

Moira, How is DORA different from the Cross Industry Guidance on Operational Resilience (Op Res) - is it just the IT side of this?

Op Res is a great starting point for DORA and we note a good level of cross over in relation to the  governance requirements, mapping of systems, dependencies, resilience testing, etc. However, DORA requires a slightly different lens and it goes beyond the requirements in the Op Res guidance. Op Res focuses on the “Important business services” of which most organizations have 3 to 5, DORA focuses on critical or important functions which have a greater reach and therefore DORA has a much broader scope. Op Res is more customer focused whereas DORA looks at your financial impact, ability to meet your obligations under authorisation, robustness, and ability to provide services to your customers and the market impact.

Neil, can you give us one example of what is challenging firms as they get their arms around DORA?

The most significant aspects include the identification and mapping of your critical and important business functions. The DORA definition is very wide reaching.  This exercise should be fully documented outlining what is in and out of scope and the rationale to support each determination. Third party management is also a key area of concern given how interconnected our market is in this space.

Moira, this sounds like DORA is not just about compliance, but about business survival. Any final words?

Definitely, and it is also an opportunity.  We encourage organisations to embrace DORA not as an additional regulatory constraint but as an opportunity for financial entities to differentiate themselves by strengthening their operational resilience to IT, cybersecurity, business continuity and risks related to third parties. DORA covers much more than just IT, it has implications for many areas of your business, including those responsible for governance, risk and third party risk management, so start now.