While DORA builds largely on existing reforms (GDPR, the NIS2 Directive and MiFID II, for example), its novelty is that it is the first regulation to harmonize ICT risk management standards across Europe. DORA was adopted on 16 January 2023 and will apply in all member states from 17 January 2025, leaving the entities concerned a period of two years to make the changes needed to comply with the regulation. In the meantime, what could financial institutions put in place to prepare for DORA?
Which firms are affected by DORA?
DORA has a rather large scope. It covers all financial institutions across the European Union (EU). By that, we mean all the traditional financial institutions, such as banks, insurance companies, investment firms and credit institutions. In brief, the regulation will affect ICT providers serving financial services, financial technology businesses and businesses designated as critical vendors operating in Europe, whether those suppliers are based in Europe or anywhere else in the world.
What about “Operational Resilience”?
Before we get deeper into what DORA is, we need to explain one of the terms the regulation focuses on. The term “Operational Resilience” implies that, whatever critical situation a company may face, its information system must be able to withstand the “shock” and continue operating. IT resilience is the ability of an organization to ensure the continuity of its information system, even in the event of hardware failure, overload, hacking or other incidents.
What is DORA?
The regulation is meant to ensure firms’ resilience and to keep them operating even when incidents occur. DORA has five main pillars:
- ICT risk management: This entails establishing a comprehensive framework for managing ICT risks, encompassing essential principles and requirements tailored to financial entities’ risk management practices.
- ICT incident management classification & reporting: The aim is to standardize and simplify reporting procedures, expanding reporting obligations to all financial entities and broadening the spectrum of reportable incidents. Additionally, the framework allows for voluntary reporting of significant cyber threats alongside major ICT-related incidents.
- Digital operational resilience testing: Financial entities undergo either basic or advanced testing to assess their digital operational resilience. Advanced testing, mandated by DORA, employs threat-led penetration tests (TLPT) for designated entities falling within its scope.
- Managing ICT third-party risk: This involves implementing principle-based guidelines for monitoring third-party risk, outlining crucial contractual provisions, and establishing an oversight framework for critical ICT Third-Party Providers (TPPs).
- Information sharing: Encourages the voluntary exchange of information and intelligence concerning cyber threats among financial entities. The objective is to fortify the digital operational resilience of financial institutions through collaborative sharing of cyber threat information and intelligence.
Why is DORA needed?
As of today, traditional and, especially, digital financial institutions rely heavily on technology and on tech services offered across borders. This in turn can have an impact on other companies, sectors and even the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector. The financial sector is becoming more exposed to underlying issues with technology, such as cyberattacks. The Covid-19 pandemic and the increased use of remote access for financial services led to a growth in cyberattacks, as reported by the European Commission, which stated an increase of 38% since the beginning of the pandemic.
What actions could the financial institutions take to be compliant with DORA?
What happens in case of noncompliance?
Each member state will lay down rules establishing appropriate administrative penalties and remedial measures for breaches of the regulation and will ensure their effective implementation. Competent authorities, designated by the member states, will have the power to apply at least the following administrative penalties or remedial measures for breaches of this regulation:
- Capacity to order individuals or entities to stop any behavior that violates the regulation and to abstain from repeating such behavior.
- Enforce the discontinuation of any practices conflicting with the regulation’s provisions, either temporarily or permanently, and ensure non-repetition.
- Implement diverse measures, including financial penalties, to uphold compliance among financial entities.
- Request access to existing data traffic records from telecommunication operators, within national legal constraints, when there is reasonable suspicion of a breach of the regulation and relevance to investigations.
- Publish public notices, including statements disclosing the identity of the individual or organization and the details of the violation.
It is also possible that member states choose not to lay down administrative penalties for breaches that are subject to criminal penalties under their national laws.
In conclusion, strict adherence to the Digital Operational Resilience Act is a mandatory duty for financial institutions as they confront the challenges of digital transformation and cybersecurity risks. Through proactive risk assessment, robust incident response planning, and investment in cybersecurity measures, institutions can fortify their operational resilience.
Furthermore, fostering a culture of compliance through training, encouraging collaboration, and strengthening already existing structures will further reinforce resilience efforts. Ultimately, by prioritizing operational resilience, financial institutions can not only meet regulatory mandates but also safeguard their operations, reputation, and customer confidence amid the increasing digitalization of the industry. However, the cost of compliance may be at an all-time high. Therefore, financial institutions must be strategic in their priorities in their effort to comply with this new regulatory framework.