Amba Zeggen: DORA is of chief importance


This column was originally written in Dutch. This is an English translation.

By Amba Zeggen, Lead Risk Culture and Behavior at Probability & Partners

If you are working in the financial sector, you cannot have missed the arrival of DORA (Digital Operational Resilience Act). Financial institutions have until January 17, 2025 to comply with this EU legislation, which aims to strengthen the digital resilience of financial institutions against cyber threats.

It is certainly not new that an organization must protect itself against IT risks. What is new is that these regulations are much more detailed and stricter than the current standards framework (including the DNB Good Practice 2019/2020 and 2023), with more direct rules and principles.

In preparation for a webinar on this topic, I asked a number of organizations about their most pressing questions concerning DORA. In addition to questions about the differences from current regulations and the requirements for IT suppliers (who must also comply with DORA), the question arose as to where in an organization the responsibility for DORA implementation should lie. Is that the IT department, or risk management, or perhaps compliance? A logical question. And I'll be very honest: my reflex was to answer IT or risk management. But it is something different.

Management's turn

In addition to the fact that DORA describes very precisely how one should manage all kinds of risks and what minimum controls one should have, it is also crystal clear about the role of management. For example, management is responsible for:

  • developing and implementing a robust operational resilience framework;
  • establishing IT incident management procedures, including detection, response, recovery and timely reporting of significant incidents;
  • developing a risk management strategy that takes into account all possible IT risks;
  • drawing up plans and tests for business continuity and recovery in the event of IT incidents;
  • ensuring regular training and awareness among employees about cybersecurity and operational resilience, so that everyone in the organization is aware of the correct procedures and the importance of cybersecurity.

Lead by example

In short, it is clear that DORA views management as an important link. This goes further than just providing a budget or making decisions in a steering group. Management must be truly involved in the DORA implementation and ensure that the measures taken in the context of DORA are really effective.

This certainly requires management to sharpen its knowledge of IT risks and take a proactive attitude towards cybersecurity. Through its involvement, management can not only ensure compliance with legal requirements, but also promote the importance of cybersecurity within the organization.

The carrot and the stick

In my opinion, encouraging behavioral change is much more effective with a carrot than with a stick. The regulator thought differently. DORA holds management fully responsible if insufficient action has been taken to implement appropriate measures. Depending on the degree of negligence and the impact of the violation, financial penalties may be imposed on both the entity and the individuals within management. The amount of the fines can be significant.

Competent authorities may also impose restrictions on the entity's activities. This can range from limiting certain services to temporarily or permanently withdrawing permits to carry out certain activities. In serious cases, individuals within management may be held personally liable for non-compliance with the law. This may result in disciplinary action, dismissal, or even legal action.

In short, DORA is of chief importance in all facets!