Understanding the Digital Operational Resilience Act (DORA)

Hicham Ghriss, published in Data Versa, Mar 23, 2024

In today’s interconnected world, the financial sector relies heavily on digital infrastructure to deliver services efficiently. This increased dependence on technology also exposes financial entities to cyber threats and operational disruptions. Recognizing the need to bolster the resilience of the European financial sector, the European Union introduced the Digital Operational Resilience Act (DORA), which came into force on January 16, 2023, with application starting on January 17, 2025.

Coverage of DORA. (ICT: Information and Communication Technology)

Background:
The Digital Operational Resilience Act (DORA) addresses the growing vulnerability of financial entities, including banks, insurance companies, and investment firms, to cyber-attacks and operational disruptions. With the increasing reliance on technology and third-party service providers, unmanaged ICT risks can lead to widespread disruptions in financial services, impacting not only the financial sector but also other industries and the broader economy.

Objectives:
The primary objective of DORA is to strengthen the IT security of financial entities and ensure the resilience of the European financial sector. By harmonizing rules related to operational resilience for financial entities and ICT (Information and Communication Technology) third-party service providers, DORA aims to mitigate the risks associated with cyber threats and operational disruptions.

Here’s a practical breakdown of what compliance with DORA entails:

  1. ICT Risk Management: Implementing robust ICT risk management frameworks to identify, assess, and mitigate risks associated with digital operations. This includes identifying critical ICT systems and services, conducting risk assessments, and developing strategies to address identified risks.
  2. Third-Party Risk Management: Establishing processes and procedures to monitor and manage risks associated with third-party service providers that provide critical ICT services. This involves assessing the security and resilience of third-party systems, negotiating contractual agreements with service providers, and implementing measures to ensure continuous oversight and monitoring of third-party activities.
  3. Digital Operational Resilience Testing: Conducting regular testing and exercises to evaluate the resilience of digital systems and processes. This includes both basic and advanced testing scenarios to simulate various cyber threats and operational disruptions and assess the effectiveness of response and recovery mechanisms.
  4. Reporting of ICT-related Incidents: Implementing mechanisms for the timely reporting of major ICT-related incidents to competent authorities. Financial entities must have procedures in place to detect, assess, and report incidents that may have a significant impact on their operations or the broader financial sector.
  5. Information Sharing: Participating in information-sharing initiatives and exchanging intelligence on cyber threats and operational disruptions with relevant authorities and industry stakeholders. This collaboration enables financial entities to stay informed about emerging threats and enhance their resilience through collective action.
  6. Oversight of Critical Third-Party Providers: Establishing an oversight framework for critical ICT third-party providers to ensure their compliance with DORA requirements. This involves monitoring the activities and performance of third-party providers, conducting regular assessments, and taking corrective actions as necessary.

Roadmap:
DORA outlines a comprehensive roadmap for implementation, involving:

  • Consultation with stakeholders and the development of policy products by the European Supervisory Authorities (EBA, EIOPA, and ESMA).
  • The timeline includes public consultations on criticality criteria, policy products, and oversight activities leading up to the application of DORA on January 17, 2025.

Impacts on Business:
The implementation of DORA will have significant impacts on businesses operating in the European financial sector.

  • Financial entities will be required to enhance their IT security measures, including ICT risk management and third-party risk management.
  • They must undergo digital operational resilience testing and establish robust incident reporting mechanisms.
  • Compliance with DORA may necessitate investments in cybersecurity measures, staff training, and technology upgrades.

Fines:
Non-compliance with DORA could result in fines equivalent to a percentage of the company’s global annual revenue. While specific fine amounts are not disclosed, fines for serious violations under similar regulations like GDPR can reach up to 4% of the company’s global annual revenue or €20 million, whichever is higher. It is imperative for financial entities to prioritize compliance with DORA to avoid potential fines and safeguard their operations and reputation.

The Digital Operational Resilience Act (DORA) represents a significant step towards strengthening the IT security of financial entities and mitigating the risks posed by cyber threats and operational disruptions. By adhering to the principles and requirements outlined in DORA, financial entities can enhance their resilience and contribute to a more secure and stable financial ecosystem in Europe.

Your comment?

Do you think that DORA will strengthen the resilience of European financial entities, or will it bring more challenges to their digital transformation?

Source: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
