The Digital Finance Strategy is a European directive that aims to support and develop digital finance in Europe whilst maintaining financial stability and consumer protection. There are three main components to the package:
In this blog post, we’ll attempt to summarise the 113-page DORA proposal, highlighting how it will apply to incident management at financial entities.
The proposed Digital Operational Resilience Act (DORA) was published by the European Commission to address the ever-increasing information and communications technology (ICT) risks inherent in the financial services sector. It aims to mitigate risks by enforcing a framework for operational resilience. More specifically, DORA aims to:
To frame why this is important, the European Commission estimates the cost of incidents in the EU financial sector to be up to €27 billion per year.
Will DORA apply to you? The answer is likely yes if you operate in the financial services sector.
DORA will apply to various financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and reinsurance undertakings.
It will also apply to firms serving the financial sector that are designated as "critical ICT third-party service providers" (e.g. providers of cloud resources, data analytics, and audit services).
DORA is expected to be published at the end of 2022, although no confirmed date exists.
Let’s dive into the two key chapters (Chapter 2 and 3) from the proposal and break down what they mean in the context of incident management.
Chapter 2 details changes to ICT risk management processes. In summary, it asks financial institutions to:
The most relevant article (Article 10) clearly defines the proposed response and recovery requirements. More specifically, it highlights the importance of recording, responding, and communicating all incidents within the organisation.
Financial entities shall implement the ICT Business Continuity Policy referred to in paragraph 1 through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aimed at:
These core principles extend beyond responding to an incident and include frameworks for the post-incident learning process (such as post-mortems). The motivation is that with an increased focus on analysing root causes, financial entities will reduce the likelihood and severity of similar incidents going forwards.
Financial entities shall put in place post ICT-related incident reviews after significant ICT disruptions of their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT Business Continuity Policy referred to in Article 10.
Finally, DORA sets the expectation that senior management is involved with incident management. They will be required to report on incidents every year. In other words, the proposal highlights the need for accessible tooling for the entire organisation (and not just SREs), allowing more parties to participate in the response process.
Senior ICT staff shall report at least yearly to the management body on the findings referred to in paragraph 3 and put forward recommendations.
Chapter 3 gives tactical information on how the incident response process should be structured and covers topics such as classification and reporting. It details how financial institutions should:
The most important article in this chapter (Article 15) outlines the critical functions of the incident management process, building on the high-level framework in Chapter 2. Essential requirements include priority and severity, role assignment, and communication plans.
The ICT-related incident management process referred to in paragraph 1 shall:
More specifically, DORA asks for very detailed information for the classification of incidents. The criteria heavily focus on capturing the impact (number of customers, financial implications) and severity.
Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria:
There is an increased requirement for reporting incidents. Not only should this happen within incident teams, but incidents that fall under specific criteria should be reported to the relevant authority. There will be a standardised format for these reports, which aims to decrease administrative overheads (for the competent authority) whilst increasing cross-entity learnings by capturing and analysing common themes.
Financial entities shall submit to the competent authority as referred to in Article 41: [an initial notification, an intermediate report, and a final report].
The repercussions of not complying with the proposed changes are significant. At the extreme, this can result in temporary or permanent cessation of any practice or conduct that the authority considers necessary to prevent a repetition of the incident. Competent authorities will have supervisory, investigatory, and sanctioning powers.
For third-party ICT suppliers, DORA states that it could impose a non-compliance fine of up to 1% of daily worldwide turnover for no more than six months.
incident.io is a tool for managing all of your incidents. It's designed to be used across business functions. An incident can be quickly declared (by anyone, not just those with specialist knowledge!), decreasing the chance that things go unnoticed. incident.io encodes best practices into your communication tools, allowing you to keep internal parties updated via Slack and external parties updated via integrations with shortcuts to tools such as Statuspage (and more). You can also track actions and follow-ups as you're responding to ensure nothing gets missed.
Several features are particularly applicable to the DORA proposal:
DORA will significantly change how financial services are required to operate their incident management processes. From asking senior management to be more involved to ensuring that a plan exists for mitigating and responding to ICT-related incidents, DORA toughens the requirements for how financial entities must respond when things go wrong. More specifically, the ask is to supercharge processes for identifying, tracking, logging, categorising, and reporting incidents to the relevant regulators.
At incident.io, we believe in operational excellence and organisational resilience. These changes allow many financial organisations to review and improve their existing procedures, and we're here to help!
If you’re keen to discuss DORA in more detail, reach out to email@example.com.