1. What are the costs of implementing DORA?

The answer is not straightforward. DORA efforts can be reduced drastically if your financial institution has already implemented all the best practices in terms of security, ITIL, and project management. To give concrete examples, if you have:

• Change management in place.
• A ticketing tool following ITIL and a follow-up on problems management.
• A backup policy written and tested.
• Monitoring of your application/infra.
• An updated target operational landscape.
• An internal audit on access and rights.
• KPIs with your ICT providers.
• Strong documentation.
• …

You are already one step closer to complying with the DORA Pillar ICT Risk Management. If your financial entity is not yet up to date on the above, I believe you should consider working on it today and not wait until 2025. I can provide more information if needed. Feel free to reach out to me at cpietz@lux-at.com.

The ICT risk management pillar is not only what I mentioned. You will still need to:

• Create a management body.
• Designate an ICT risk manager.
• Produce and review documentation on ICT risk.
• Adapt criticality criteria to DORA.
• Set up communication channels according to DORA rules.
• …

On top of that, you have costs from other pillars, but this cost will be absorbed by appointing an ICT risk manager and with the creation of the management body. Digital operational resilience testing will need specific skills that might increase costs.

To conclude, DORA comes with a cost. The more advanced you are in best practices, the less costly DORA ‘implementation’ will be. Unfortunately, implementation cost is not the only one, and other pillars such as digital operational resilience testing and incident reporting will need to have a budget allocated yearly.

2. Is an IT project  impacted by Dora?

Yes, a project must foresee and allocate a budget to comply with DORA for each project:

• ICT risk documentation will need to be reviewed in some cases.
• Target application landscape to be updated in some cases.
• New technical users should be documented.
• Define a testing strategy for the Digital operational resilience testing.
• Monitoring of the critical function will need to be implemented.
• Support for the management body and ICT manager to be prepared for review/approval.

While projects might not be directly responsible for implementing these actions, allocating a budget is crucial. Project teams and management should be ready for slightly higher offers from third-party providers to cover DORA requirements.

3. Will Dora impact the way I select my third-party provider?

What changes a lot, is the way you treat your third-party provider especially If they support a critical function. Dora brings new concepts and splits third party providers in 4 categories.

• Third party providers supporting non-critical functions
• Third party providers supporting critical functions
• Critical third-party providers supporting critical functions
• Critical third-party providers supporting non-critical functions

At the end, the financial entity is always responsible for the services it provides to its client. If your third-party providers are not a critical one, financial entities must audit their third-party providers (TPP). For critical third-party providers, European authorities will follow up closely and appoint a lead Overseer for each critical TPP. Lead Overseer can fine critical TPP on their worldwide turnover hence we can assume that critical TPP are complying with DORA fully.

Third parties must be communicated to the ICT management body and the financial entity headquarter must centralize all third parties providing ICT services.

Dora defined rules to cancel contracts with your third-party provider if they don’t comply with the regulation (article 27). Also, you will need to think about exit consequences and find alternative plans.

Dora recommends having more than one third party provider on critical services. Hence your institution should select a second third party. This would help to define exit clause plans and comply with Dora.

In summary, Dora significantly influences the dynamics of financial institutions’ relationships with third-party providers. Large financial entities are inclined to favor Critical third-party providers, given the stringent oversight from European authorities. On the other hand, for non-critical third-party providers, financial entities must ensure strict compliance with all articles outlined in Dora, leading to heightened auditing and scrutiny.

To mitigate risks, there is a noticeable trend towards diversification, where financial entities may engage with more than one provider for a specific task.