DORA preparations need to be taken to the next level, DNB warns
Pension funds and insurers still have a lot of work to do to meet the DORA requirements before the January 2025 deadline, De Nederlandsche Bank (DNB) warns in its annual report. More generally, DNB adds, the financial sector as a whole will need to build more resilience against cyber attacks.
The importance of cyber resilience
The high degree of digitization, combined with current geopolitical tensions, has left the financial sector increasingly exposed to cyber risks, according to DNB. As technology advances and cyber attacks grow more sophisticated, building a cyber-resilient financial sector demands sustained effort. Emerging threats, such as quantum computing, only heighten the urgency.
To address these risks, the financial sector must not only work to reduce vulnerabilities through enhanced cybersecurity measures and regular testing but also develop the resilience to swiftly and securely restore services after a cyber incident.
Getting ready for DORA
The importance of increasing cyber resilience is also underlined by the Digital Operational Resilience Act (DORA). This EU regulation aims to ensure that financial institutions can withstand and quickly recover from disruptions, particularly digital or cyber-related ones.
The DORA regulation entered into force on January 17, 2023. Institutions have until January 17, 2025, to comply with the regulation. However, DNB notes in its report that according to a July 2024 survey, pension funds and insurers still have a lot of work to do to meet the regulation requirements. In July, the main problems included:
- Delays in gap analysis: Many organizations were still performing the gap analysis, or had not even started it. This analysis is meant to show which steps still need to be taken to adjust policy, processes, control measures and contracts with service providers. Because implementing those changes can take a long time, organizations should start the gap analysis as soon as possible, DNB noted.
- No overarching overview: Organizations often lacked an overarching overview, including the information register that DORA requires. They were also behind on tasks such as making contracts with IT service providers DORA-compliant. Recording the required information about IT contracts in the information register needs data from various existing administrative systems, and that data is often not held centrally in the organization. In many cases, systems will need to be adjusted, which takes time and resources.
- Delays in implementation programs: The survey also showed that institutions that had already completed the gap analysis were running behind on implementing their programs. A lot of effort was still needed to close the gaps that had already been identified, DNB warned.
What happens after January 17, 2025?
After the implementation deadline of January 17, 2025, institutions must comply with both the DORA regulation and the underlying RTS/ITS. This means DNB should be able to request organizations’ information registers, which include all contractual agreements on the use of IT services provided by third-party providers. At the same time, DNB expects institutions to have set up a process for reporting IT incidents that meets the DORA requirements.
However, DNB says its requests and investigations will be carried out proportionally and in a risk-based manner.