The Digital Operational Resilience Act for Financial Services: A Comparative Gap Analysis and Literature Review

Research Area: Strategies

Conference: European, Mediterranean, and Middle Eastern Conference on Information Systems

Abstract

Regulatory bodies, driven by the increasing speed of digital transformation, seek to strengthen the resilience of information and communication technologies (ICT) to ensure their operational integrity. As a result, the Digital Operational Resilience Act (DORA) was recently proposed to unify and enhance the ICT risk management of financial institutions by recommending stricter rules. ICT risk management has to date been governed mainly by the ISO 27001:2013 standard in the context of information security governance. Based on qualitative content analysis, we first mapped ISO 27001:2013 to DORA and identified nine gaps in ISO 27001:2013 in relation to six general DORA requirements. While we find sufficient support in the academic literature for six of the nine extensions suggested by DORA, three areas appear less well supported: threat-led penetration testing, major incident management, and ICT third-party risk management. We argue that these topics deserve academic attention to further our understanding of digital operational resilience in theory and practice.


Authors

Anita Neumannová
Institute for Information Management and Control, Vienna University of Economics and Business (WU Vienna), Welthandelsplatz 1/D2/C, 1020 Vienna, Austria
Country: Andorra

Edward W. N. Bernroider
Institute for Information Management and Control, Vienna University of Economics and Business (WU Vienna), Welthandelsplatz 1/D2/C, 1020 Vienna, Austria
Country: Andorra

Christoph Elshuber
NTT DATA Deutschland GmbH, Hans-Döllgast-Straße 26, 80807 Munich, Germany
Country: Germany

Paper Information

Publication year: 2023
Citations: 0
Publishing countries: Germany, Andorra
Site: Springer