In recent years, the European Union has enacted pivotal regulations to bolster the resilience of its financial system against escalating digital threats. Foremost among these is the Digital Operational Resilience Act (DORA), designed to standardise and fortify the digital operational resilience within the EU's financial sector.
Given Luxembourg's status as a significant financial centre within the Union, the implementation of DORA presents a dual-natured prospect, encompassing both very real challenges and strategic opportunities for governance within its financial institutions. Here I would like to delve into these aspects, focusing on the enhanced responsibilities and strategic implications for Directors and governance bodies in Luxembourg.
Understanding DORA
DORA is a regulatory framework designed to ensure that all financial market participants can withstand, respond to, and recover from operational disruptions originating in their Information and Communication Technology (ICT) and data infrastructure or supply chain. The objective is to manage and achieve operational and ICT resilience. The legislation sets out requirements for ICT governance, ICT risk management, incident reporting, digital operational resilience testing, and third-party provider management.
DORA is directly applicable to Management Companies, Banks, Investment Firms, and other financial institutions by imposing stringent compliance and resilience requirements on their operations. Funds themselves are indirectly impacted as they do not possess their own infrastructure; instead, these responsibilities are delegated to Management Companies, Professionals of the Financial Sector (PSF) and other related entities.
How does DORA impact governance?
DORA affects Directors and governance bodies of both the Service Providers (Financial Institutions) and the Suppliers (Supply Chain), at different levels.
The first duty is to implement a Digital Operational Resilience Strategy as well as an ICT Risk Management Policy. Also, every financial institution subject to DORA needs to establish a register of its ICT supply chain (the ‘Register’).
These duties come jointly with enhanced responsibilities and the need for a higher degree of compliance and vigilance. They also require an enhanced segregation of duties, imposing a more pronounced split between the two lines of defence for operational and ICT controls.
For executive and non-executive Directors, it triggers the question as to whether they now must become IT experts, which is not necessarily the case. What is essential, however, is that Directors learn how to navigate the main duties of DORA, i.e., strategy, risk framework and register. More broadly, since financial services are subject to a very intense technology and supplier transformation, Directors are advised to better understand the impacts of technological competition, operational vulnerabilities, and the evolving threat landscape in order to ensure the resilience and security of the critical business functions.
Establishing and maintaining strong defences against operational and ICT risks is becoming a major business imperative for both the competitiveness and the resilience of the business functions. In leveraging DORA as a catalyst for strategic foresight, businesses empower themselves to reinforce their digital bedrock, but it is far more than just an IT exercise. It is also about enhancing innovation and efficiency, and forming a relevant defence against emerging threats.
What are the main governance challenges?
Increased compliance burden
One of the primary challenges posed by DORA is the increased compliance burden on financial institutions. Directors must ensure that their organisations adhere to the stringent requirements set forth by the regulation. This includes implementing comprehensive risk management frameworks, conducting regular resilience testing, and establishing robust incident response protocols. The complexity of these tasks can be daunting and requires regular touchpoints and reviews of implementation status.
Cybersecurity threats
The evolving landscape of cybersecurity threats poses a significant challenge for Directors. As digital operations become more integral to financial services, the risk of cyberattacks increases. Directors must be proactive in safeguarding their institutions' digital infrastructure and data. This requires staying abreast of the latest cybersecurity trends and threats and fostering a culture of cyber awareness within the organisation (upskilling).
Supply chain management
Operational disruptions, whether due to cyberattacks, technical failures, or other incidents, can originate within the ICT or operational infrastructure of financial institutions themselves or within their supply chain. Directors must understand the supply chain risks and the concentration of dependencies on critical providers. These risks are documented by the 1st Line of Defence in the DORA Register to ensure that their organisations have robust business continuity and disaster recovery plans in place. This involves provider selection management, provider due diligence and regular KPI monitoring. Directors should oversee these documentation and management duties, in particular since the DORA Register is subject to CSSF disclosure.
But what are some of the governance opportunities?
Enhanced risk management
We must not forget the reason for DORA. It presents an opportunity for financial institutions to strengthen their risk management practices. By complying with the regulation, Directors can foster a more resilient and secure operational environment. This not only enhances the institution's ability to withstand disruptions but also builds trust with clients and stakeholders. A robust risk management framework can serve as a competitive advantage in an increasingly digital and interconnected financial landscape. And rather than seeing it as a mere compliance matter, financial entities should view it as an opportunity to enhance their digital operational resilience and proactively ready themselves for upcoming regulations pertaining to other facets of the digital realm, namely Artificial Intelligence.
Improved incident response
Effective incident response is a key component of digital operational resilience. DORA's requirements for incident reporting and response protocols can help institutions better prepare for and mitigate the impact of digital disruptions. Directors can leverage this opportunity to establish streamlined and efficient incident response processes, ensuring that their organisations can quickly recover from incidents and minimise downtime.
Strategic investment in technology
The implementation of DORA necessitates investments in advanced technologies and infrastructure. While this may pose a challenge in terms of initial costs, it also presents an opportunity for strategic investment. Directors can guide their institutions in adopting cutting-edge technologies that enhance digital resilience and operational efficiency. This includes investing in cybersecurity solutions, data analytics tools, and automation technologies that can streamline compliance and risk management processes.
The Luxembourg context
Luxembourg is a key financial centre within the EU, known for its robust banking sector, investment fund industry, and fintech ecosystem. The implementation of DORA is particularly relevant in this context, as the regulation directly impacts the operations of financial institutions in the country. Directors in Luxembourg will now have to navigate the unique challenges and opportunities posed by DORA within the framework of the nation's financial landscape.
The Grand Duchy has a strong tradition of aligning its regulatory framework with EU directives and regulations. The implementation of DORA will require Directors to ensure that their institutions are fully compliant with the new requirements. This involves close collaboration with regulatory authorities, such as the Commission de Surveillance du Secteur Financier (CSSF), to ensure that compliance efforts are in line with national and EU standards.
Governance shift
The successful implementation of DORA in Luxembourg will necessitate a cultural shift within financial institutions. Directors must champion a culture of resilience and compliance, emphasising the importance of digital operational resilience at all levels of the organisation.
This involves promoting ongoing training and awareness programmes, encouraging proactive risk management, and ensuring the financial entity has a robust internal governance and control framework to manage ICT risk effectively, adhering to regulations like the NIS Directive and GDPR.
It is the ultimate responsibility of the managing committee to ensure adequate investment for digital resilience, as well as a clear assignment of ICT-related roles. Other key recommendations include providing regular training for management, and the implementation of policies for ICT continuity, audits, third-party services, reporting, and incident management.
Over the next two years, European supervisory authorities will focus on clarifying DORA's secondary regulatory aspects and expectations for operational resilience. Boards and their Directors will be key in ensuring a strong commitment to operational resilience during DORA’s implementation. Regulatory bodies, investors, and stakeholders will closely watch this commitment due to increasing operational threats in the financial sector.
In the context of our country’s dynamic financial landscape, the successful implementation of DORA will require a concerted effort to align with regulatory standards and foster a culture of resilience. Through proactive governance and strategic leadership, Directors can navigate the complexities of DORA and position their institutions for long-term success in the digital age.
If you want to know more, PwC Luxembourg has created a handy guide to navigate the intricacies of the new regulation: DORA What Matters Now for Your Business Resilience.
Olivier CARRÉ
Technology & Transformation Leader, PwC Luxembourg