Mastering DORA compliance: Insights from PwC experts

Yann Roll | 11:43 am, 29th March

The European Union's Digital Operational Resilience Act (DORA) is set to launch next year, and deciphering all its intricacies can indeed be quite challenging. PwC experts, Patrice Witz and Michael Horvath, both Partners at PwC Luxembourg, offer valuable insights from both regulatory and technological perspectives. They shed light on the multifaceted landscape of DORA, providing guidance for navigating compliance and preparing for future cybersecurity regulatory developments.


What are the primary challenges organisations face in complying with DORA, and how can they best prepare for its implementation?


PW: Drawing from our experiences working with various entities, it's evident that one of the primary hurdles lies in deciphering the multifaceted requirements of DORA. DORA's expansive scope, intersecting with other regulations, adds layers of complexity, necessitating a nuanced approach to compliance efforts. Moreover, achieving a holistic understanding of DORA mandates collaboration and coordination across diverse stakeholder groups within the organisation. From the C-suite to operational teams, each entity must comprehend its role in the compliance journey and actively contribute to the overarching objectives.


MH: Once stakeholders grasp the intricacies of DORA, the next crucial step is to map out how the operating model of the company is currently set up. This mapping exercise gives the company a detailed understanding of its operational landscape, including end-to-end processes, roles, and technological and service provider dependencies. Armed with this comprehensive overview, organisations can make informed decisions regarding compliance strategies and resource allocation. It is important to add that this basic mapping exercise provides an opportunity for companies to reassess their operating model with respect to efficiency and the use of technology and service providers, with a view to scaling for the future and reaching a competitive advantage.


Furthermore, it's imperative to view DORA compliance as an ongoing initiative rather than a one-time task. Organisations need to integrate a mindset of resilience and regulatory adherence into their daily activities. This implies a shift from isolated efforts towards a unified commitment across the entire organisation, fostering a proactive approach to risk management and regulatory compliance.


How does PwC recommend businesses adapt their cybersecurity strategies to meet the requirements of DORA?


PW: The role of the Chief Information Security Officer (CISO) is pivotal in this landscape. They play a crucial role in informing leadership about major vulnerabilities and fostering a culture of risk awareness, but also in educating on ICT and security matters. It's imperative for the CISO to ensure that the allocated cybersecurity resources and investments are adequate to the evolving cyber threat landscape. This includes conducting annual testing and refining the cyber framework as necessary to address emerging threats.


MH: DORA provides a framework for testing mechanisms that organisations must choose from. Among these options are penetration testing and threat-led penetration testing. However, the regulation doesn't mandate a specific testing method universally. It's noteworthy that for larger and critical entities, threat-led penetration testing according to EU requirements will become mandatory. However, the exact entities falling under this category are yet to be definitively identified.


In our experience, we've observed that clients are more and more voluntarily opting for threat-led penetration testing to stay at the forefront of cybersecurity testing practices and also to demonstrate to their client base how seriously cyber threats are taken into account.


From a regulatory point of view, it is also worth noting there is a specific requirement for ICT awareness training and upskilling for all staff, which emphasises the importance of incorporating cybersecurity awareness training into organisational learning and development initiatives to reinforce cybersecurity readiness.


What role do regulatory authorities play in supporting organisations with DORA compliance, and how can businesses collaborate effectively with them?


MH: Regulatory authorities play a crucial role in supporting organisations with DORA compliance by providing guidance, oversight, and enforcement of regulatory requirements. They support collaboration for example by providing resources or hosting information sessions to help organisations navigate DORA's requirements. For instance, the Commission de Surveillance du Secteur Financier (CSSF) has shown proactive engagement, increasing awareness and understanding of DORA's implications among financial institutions in Luxembourg. This includes distributing questionnaires to assess DORA readiness among market participants or even hosting informational sessions with industry associations.


PW: Collaboration between organisations and regulators aims to foster information sharing and resilience-building efforts. Regulators expect reporting on DORA compliance but also encourage knowledge exchange and collective learning across the industry.


Despite the competitive dynamics inherent in the financial sector, there's a recognition that resilience is not merely a competitive advantage but a shared responsibility. Organisations that prioritise resilience stand to gain a competitive edge, but there's a broader benefit in sharing insights, best practices, and lessons learned across the industry. PwC has organised multiple roundtable discussions in the banking and insurance sectors, to name a few, to facilitate such exchanges.


Can you outline PwC's approach to assisting clients in achieving compliance with DORA?


PW: First and foremost, our approach emphasises raising awareness among institutions about DORA's significance and implications. Following awareness-building efforts, we engage with clients to conduct a comprehensive gap analysis. These assessments entail evaluating the organisation's existing processes, systems, and practices against DORA's mandates.


The next phase consists in assisting clients in closing these gaps and achieving compliance. This often involves coordinating internal initiatives within organisations, both locally and within larger groups where alignment across various entities is crucial. We also provide guidance on implementing specific initiatives aimed at addressing compliance gaps, such as enhancing cyber resilience or adapting models to align with DORA's standards.


We work alongside our clients to ensure they are well-prepared to sustain compliance efforts beyond the initial implementation phase, anticipating continued regulatory evolution and emerging cyber threats. It is a transformation agenda and not only a compliance agenda.


MH: In addition to these core services, we offer managed services tailored to address specific compliance challenges. These services include structured testing plans, incident reporting support, and ICT third-party management, among others. By providing managed services, we aim to alleviate the burden on organisations and streamline their compliance efforts, particularly in areas where expertise or resources may be lacking internally, for example for the independent ICT risk function.


What emerging trends or developments in cybersecurity regulation should businesses anticipate beyond DORA?


PW: Several key trends are already shaping the development of the resilience agenda and will continue to do so in the coming years.


Firstly, cloud computing, while seen as a point of attention within DORA, also offers significant advantages in terms of resilience, as cloud-based infrastructure tends to be inherently robust. However, organisations must ensure that their cloud strategies align with DORA requirements to maintain compliance while leveraging the resilience benefits offered by cloud platforms.


Secondly, AI technologies and more specifically GenAI technologies are increasingly integrated into various aspects of organisational operations, driving transformative changes. However, ensuring resilience in AI environments requires careful consideration and robust cybersecurity measures to mitigate emerging threats effectively.


Additionally, the evolving complexity and sophistication of cyber threats underscore the importance of maintaining vigilance and adaptability in cybersecurity practices.


Looking ahead, the regulatory landscape at the EU level is expected to undergo further evolution, with initiatives such as the AI Act and potential updates to GDPR influencing cybersecurity regulations. Moreover, geopolitical developments, such as elections and geopolitical tensions, may also shape regulatory priorities and requirements in the cybersecurity domain.


Want to know more? https://www.pwc.lu/en/digital-operational-resilience-act.html
