The Digital Operational Resilience Act (DORA) was designed to address the potential systemic and concentration risks faced by the financial services sector, due largely to its close reliance on third party providers (TPPs). DORA requires entities to follow
and implement protection, detection, containment, recovery, and repair focused rules to prevent or minimise harm from ICT incidents.
What is the Digital Operational Resilience Act?
It is about more than just compliance. DORA was crafted with the goal of harmonising a patchwork of regulations across the EU which had been developed by nations seeking to strengthen cybersecurity in financial services. It seeks to add stability and confidence
within the increasingly digital and interconnected financial system.
The Act established technical standards that all financial institutions within the EU and their critical TPPs must implement. Importantly, DORA also applies to some institutions that are typically not included in financial regulations. For instance,
IBM explains that third-party service providers that supply financial firms with ICT systems and services—like cloud service providers and data centres —must follow DORA requirements. DORA also covers firms that provide critical third-party information
services, like crediting rating services and data analytics providers.
When will DORA come into force?
DORA entered into force on the 16th of January 2023, and compliance with the rules will be required from January 2025.
Source:
EY
EY explains that from January 2025 when the Act will be enforced, European Supervisory Authorities (ESAs) will expect the mandatory reports outlined by DORA to be available upon their request, and will use them to assess any gaps in the market. During this
timeframe, companies should focus on maturing the Digital Resilience Framework. They should also be prepared to perform the mentioned annual evaluations, testing and reports. By the end of 2025, mandatory penetration testing will come into force, and certification
by ESAs will have to be obtained. Regulators have confirmed that DORA will by default precede any overlapping regulatory texts such as NIS or ESA guidelines. Companies should keep this in mind when performing an internal check of their regulatory compliance
and use DORA as the main reference to avoid further unforeseen gaps when DORA comes into force in 2025.
How will DORA be enforced?
Once the January 2025 deadline has passed, enforcement responsibilities will be delegated to regulators in each EU member state, which are referred to as "competent authorities." These authorities have the power to require specific security measures and
the remediation of vulnerabilities from financial entities. Additionally, they have the power to impose administrative, and in certain cases, criminal penalties on entities that do not adhere to the regulations. The specific penalties for non-compliance will
be determined by each member state.
ICT providers categorised as "critical" by the European Commission will be subject to direct supervision by "lead overseers" from ESAs. Similar to competent authorities, lead overseers can demand security measures and remediation, as well as impose penalties
on non-compliant ICT providers. Under DORA, lead overseers have the ability to impose fines on ICT providers equivalent to 1% of the provider's average daily worldwide turnover in the preceding business year. These fines can be applied daily for a period of
up to six months until compliance is achieved.
Why is DORA such a significant regulation in financial services?
Chrysostomides
Advocates & Legal Consultants explains that while major types of financial risk such as credit risk, market risk, counterparty credit and liquidity risk, and market conduct risk were dealt with by previous Union acts, nonetheless, these did not fully address
all aspects of operational resilience at the time of their implementation. As a result, the DORA aspires to fill in the gaps or remedy inconsistencies in some of the prior legal acts, including in relation to the terminology used. The DORA explicitly refers
to ICT risk and introduces rules on ICT risk-management capabilities, ICT-related incident reporting, operational resilience testing and ICT third-party risk monitoring.
In a long read published on
Finextra, Jolanda Schekermans, head of product, Europe, Form3, explained that as financial institutions are increasingly moving their operations onto the cloud, and given the global presence of certain large cloud providers, there is also a need for them
to consider how they would respond to technical failures by their providers which may impact services across entire countries or regions.
“Tackling this issue of concentration risk is a significant challenge for financial institutions, and while regulators appreciate the scale of the project, FIs should look to technology providers offering multi-cloud solutions as partners to assist them
meet these standards in keeping with the incoming deadlines. Diversification of suppliers is likely to become an increasingly important factor for financial institutions which interact with these organisations, as they seek to ensure that they spread their
dependence over multiple network providers. This is particularly important for disaster recovery scenarios.”
Schekermans stated that financial institutions are not only going to be weighing up the advantages of working with a number of providers, but also considering the value of working with providers that are diversified and resilient themselves. In order to
effectively diversify, institutions will need to allocate sufficient financial and human resource toward pushing DORA readiness to the top of the agenda.
How can firms best prepare for DORA?
In a recent Finextra blogpost, Aare Reintam, chief operating officer at CybExer Technologies explained that the capabilities of financial institutions to detect, respond, recover and protect themselves from breaches, cyber-attacks, data compromise and other
serious IT incidents has traditionally varied substantially from organisation to organisation.
“A key area organisations may want to consider exploring as they embark on their preparations to meeting compliance with DORA is to ensure they are armed with the necessary skills and capabilities. There are a number of avenues to explore here, including:
- “Regular training - financial organisations will need to implement a programme of regular training, not only for staff specifically responsible for IT and security, but also the board/management team. IT security and best practice should be embedded as
a compulsory part of all staff training, including senior management. There are a number of training exercises that may prove valuable to help with this, including threat hunting, capture-the-flag and live-fire.
- “Resilience testing - establishment of a digital operational resilience testing programme is a key requirement as part of DORA. This programme will vary in terms of its scale and complexity depending on the organisation’s risk profile, size and nature of
business. However, all financial firms will need to ensure their IT systems and applications are tested at a minimum of once a year by an independent party. Furthermore, more advanced threat-led penetration testing (also known as red/purple team assessment)
has to be carried out at least every three years.”