Risk & Compliance Transformation

Webinar Recap: Challenges in the implementation of DORA

Date: June 19, 2024

On May 21, the webinar “Challenges in Implementing DORA” took place. Projective Group consultants Gert Jan Thierry and Nienke Moek guided participants through the expectations of the regulator regarding DORA and the challenges in its implementation. They also provided practical tips to overcome these obstacles. Below is an overview of the webinar’s content.

DORA overview

Cybercriminals are becoming increasingly sophisticated, and the number of cyberattacks continues to rise. This prompted Europe to adopt the Digital Operational Resilience Act (DORA) (REGULATION (EU) 2022/2554), aimed at making the entire financial sector more operationally resilient. Currently, various guidelines exist for different types of financial firms, but there is a lack of a unified legal framework. DORA addresses this by harmonizing ICT rules across the sector and raising the overall standards.

As the implementation of DORA approaches, it is high time to start working on it. During the webinar, Gert Jan and Nienke discussed seven implementation phases:

The 7 phases of DORA implementation

  1. Define Scope
  2. Gap Analysis
  3. DORA and Existing Controls
  4. Define Deliverables
  5. Project Planning
  6. Implementation
  7. Communication

Before you start

A successful project setup begins with the agreement and approval of the board. Clearly aligning expectations regarding timelines, resources, and budget is crucial.

Gert Jan also advises setting up clear Terms of Reference and actively maintaining a RAID log to effectively monitor and manage Risks, Assumptions, Issues, and Dependencies.

Define scope

The first step is to determine the final scope. This is important because, without a clear scope, you do not know exactly which requirements apply, which definitions you use, and how you handle grey areas where the regulator has not yet provided sufficient clarity (such as external managers and custodians). When defining the scope, it is important to reason from your organisation’s license. If you make a decision regarding scoping, document it clearly. If the regulator questions you later, you can explain the choices made.

Gap analysis

DORA consists of two levels of regulation: level 1 (the regulation sets the framework) and level 2 (the details in the RTS and ITS). The latter level of regulation is expected to be finalised only in July. Nonetheless, Nienke and Gert Jan recommend considering both levels of regulation simultaneously in the gap analysis, even if the level 2 texts are still in draft form. In some cases, you may appear to comply with the level 1 regulation after an initial analysis, but the additional requirements from level 2 may reveal gaps.

You can conduct the gap analysis as follows:

  • Gather all DORA requirements (at article and paragraph level) in an Excel document or use the regulatory change module in Ruler.
  • Determine which requirements apply to your organisation and document this.
  • Translate the legal text to your organisation.
  • Determine if your organisation meets the requirements. If not, describe the gap. If yes, ensure good evidence.

Existing controls

Next, assess whether the existing controls cover DORA’s requirements. An important point during the implementation remains the evidence. Ensure that you add evidence for each gap and action (for example, by adding a column in an Excel file with links to relevant documents as evidence). Finally, ensure explicit approval of this evidence from the board. The lack of this is a common pitfall revealed during audits.

Define deliverables

Before starting the actual implementation process, it helps to concretise the identified gaps and associated deliverables. Make sure to define a (sub)deliverable for each gap and assign one or more actions to each (sub)deliverable. These actions should then be assigned in detail to a responsible person, with deadlines.

Project planning

Gert Jan advises working with two project plans: a high-level plan, which you can use to demonstrate the status of the implementation to (internal) stakeholders, and a detailed plan. The detailed plan serves as a checklist and helps in planning the actions.

Implementation & communication

During the implementation process, transparency is important. Good communication helps management make the right decisions and set priorities. It also helps keep internal and external stakeholders engaged in the process. Gert Jan mentions the following internal and external stakeholders:

Internal:

  • Steering Committee
  • Board
  • Employees
  • Departments

External:

  • Shareholders
  • Clients
  • Regulators

Challenges

In addition to discussing the implementation steps individually, Gert Jan and Nienke highlighted several challenges during this process. Here are three key points:

Phased approach

Gert Jan urges parties to be pragmatic during the DORA implementation. He advises against reinventing the wheel entirely; instead, start from the organisation's existing ICT security framework. Look at how you can adapt existing policies, processes, and applications instead of striving for a complete overhaul of the policy structure.

Depending on the impact DORA has on your organisation, you can opt for a phased approach. In a later stage (e.g., in 2025), you can fully harmonize the policy, spreading out the work. However, ensure that you meet the requirements by January 17, 2025.

ICT Incident Management

ICT incident management under DORA is a second pitfall. Classifying incidents under DORA is quite complex. Additionally, the mandatory reports have more requirements. Depending on the size of your organisation, you may already have a system for ICT incident management. This new process requires system adjustments, which you need to start working on promptly.

Quality assurance

To ensure the quality of the process and view DORA from different perspectives, it is good to gather input from various angles. For example, if you write a memo about scoping for the board, ensure that the second, third, and possibly first lines also review it. This ensures that embedding within the organisation goes as smoothly as possible.

Additionally, involve the people in the project who will later perform the tasks, to secure knowledge about DORA within the organisation.

Want to know more?

In this article, we provided a brief recap of the webinar’s content. Are you curious about the other challenges or could you use some practical tips? Or do you have questions about the implementation of DORA within your organisation? Feel free to reach out.