
DORA ahead

The new EU regulation on cyber resilience in the financial sector

Robin Schmeisser

Created on 3 August 2023


Increasing digitization makes ICT (information and communications technology) and cyber security a key issue.

Keeping ICT secure and available is particularly essential for industries that form part of society's critical infrastructure, and financial companies in particular are increasingly targeted by cyber attacks. To ensure their digital operational resilience, the EU has introduced a uniform and comprehensive set of rules: the Digital Operational Resilience Act, or DORA for short. The regulation entered into force on January 16, 2023, and provides for an implementation period of two years, so its requirements apply from January 17, 2025. The financial sector must therefore start preparing for compliance with the new requirements now.


What is DORA?

The new EU regulation (2022/2554) builds on existing cybersecurity regulations. These include various guidelines from the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) on ICT security and outsourcing.

The idea behind DORA is to establish a framework that ensures operations can be maintained even in the event of serious ICT security disruptions. The new framework, together with the regulatory technical standards to be drawn up by the European Supervisory Authorities (EBA, ESMA and EIOPA) for further guidance, is intended to give financial firms:

  • ICT risk management that works uniformly across Europe,
  • greater resilience in the event of a crisis, and
  • comprehensive monitoring of the risks arising from services provided by third-party ICT providers.


To which companies does DORA apply?

The Digital Operational Resilience Act applies to financial companies (e.g., banks, credit institutions, insurance companies or insurance intermediaries, pension funds, investment firms, payment service providers, e-money institutions, trading venues) and third-party ICT providers (such as data centers or cloud service providers) that deliver services to this sector. In total, more than 22,000 financial institutions and ICT service providers in the EU are affected.


What core objectives does the EU want to achieve with DORA?

  • Uniform security standards at national and European level
  • Identification and elimination of systemic cyber risks
  • Establishment of a high level of operational stability
  • Legal framework for controlling third-party ICT providers


What are the new features of DORA?

Compared to the previous regulations, DORA contains some important changes. For example, because of its expanded scope the new regulation now also covers crypto-asset service providers. Micro-enterprises (fewer than ten employees and an annual turnover or balance sheet total not exceeding two million euros) are not exempt altogether, but they are subject to a lighter, proportionate set of requirements and are excluded from some obligations, such as threat-led penetration testing.

Important content from DORA

  • Digital operational resilience testing:

Implementation of a testing program that regularly assesses digital operational resilience and identifies potential gaps, vulnerabilities and deficiencies. Financial entities that the competent authorities identify on the basis of their size, risk and business profile must additionally carry out advanced testing by means of threat-led penetration testing (TLPT) at least every three years.

  • ICT risk management:

Standardization and transparency of ICT risk management through the development of common parameters, metrics and registers for risk classification.

  • ICT third-party risks:

Oversight of critical ICT third-party service providers through a coherent EU supervisory framework. The European Supervisory Authorities designate which ICT third-party providers are critical and oversee them, with one ESA acting as Lead Overseer for each critical provider. Financial supervisors are empowered to monitor the risks arising from financial entities' reliance on ICT third-party providers.

  • ICT incident reporting:

Standardized classification of ICT-related incidents (not only cyberattacks, but also outages and other disruptions) and reporting of major incidents to the relevant national competent authority. The competent authority promptly forwards reports of major incidents to EBA, ESMA or EIOPA, as applicable, as well as to the ECB and other authorities concerned.

  • Governance & strategy:

Increased responsibility of management bodies for ICT risk management and for compliance with security regulations. This includes more extensive audit plans, dedicated training for members of the management body, and fewer opportunities to delegate that responsibility.

  • Information sharing on cyber risks:

Facilitated exchange of anonymized information and experiences - both for financial firms among themselves and with supervisory authorities.


Conclusion

Given the growing cyber threats, it is more important than ever for financial companies to know their own risks, so that they can limit or eliminate them in advance and react in time when an incident does occur. The unified framework that DORA defines across Europe will help firms increase their cyber resilience.

With the implementation deadline of January 17, 2025 approaching, risk and compliance managers must take the necessary steps now to ensure rapid implementation. It is important not only to take the right actions to maintain resilience, but also to efficiently integrate the resulting reporting requirements into existing business processes.
