If your IT department works for a financial institution operating in Europe, you’ve come to the right place: the Digital Operational Resilience Act (DORA) standardizes how the sector manages IT risk, and a unified approach to that risk is vital in an era of increasing cyber attacks.
This legislation introduced by the European Union (EU) aims to standardize and enhance cybersecurity practices across financial entities, ensuring they can withstand, respond to, and recover from IT disruptions.
DORA was officially published and entered into force on January 16, 2023, marking the beginning of a 24-month preparation period that will culminate in its full application on January 17, 2025. During this time, financial institutions, including banks, insurance companies, and other financial services providers, are required to align their operational resilience frameworks with the new regulations.
In this article, we will explore the importance of this groundbreaking framework, its implications for various entities within the financial ecosystem, and how it aims to maintain the stability and trust in the financial markets.
So join us as we break down the essentials of DORA and what it means for the future of financial operations in the EU!
Table of contents
- What is the Digital Operational Resilience Act?
- Why is the DORA framework important – and who needs it?
- DORA compliance: scope and applicability
- The 5 pillars of DORA
- DORA requirements: How to prepare?
- Timeline to implement DORA
- Key takeaways
What is the Digital Operational Resilience Act?
The Digital Operational Resilience Act (DORA) is a regulatory framework proposed by the European Commission as part of its broader digital finance package. The act aims to ensure that all participants in the financial system have the safeguards needed to mitigate cyber threats and to maintain operational resilience.
This includes a wide range of entities such as banks, insurance companies, and investment firms, as well as critical third-party service providers like cloud computing services.
The inception of DORA is rooted in the increasing dependency on digital technologies and the corresponding vulnerabilities that the financial sector faces.
Over recent years, the financial industry has undergone significant digital transformation, which, while beneficial, has also introduced new risks and challenges. The European Commission proposed DORA in September 2020, recognizing the need for a comprehensive approach to bolster the cybersecurity and operational resilience of the financial sector.
ISO 27001 vs. NIS2 vs. DORA vs. CIS
Each of these frameworks focuses on enhancing cybersecurity and operational resilience. Although they overlap in some of their aims, each is tailored either to a specific sector or to general organizational practice.
Let’s take a look at them in a little more detail:
- ISO 27001: This is an international standard that outlines the requirements for an Information Security Management System (ISMS). It provides a framework for organizations to manage their information security by addressing people, processes, and technology.
- NIS2 Directive: An update to the EU’s Network and Information Systems Directive, NIS2 focuses on improving cybersecurity across various sectors, covering both essential and important entities. It mandates Risk Management measures and incident reporting obligations to enhance national and EU-level cybersecurity.
- DORA: Specifically targets the financial sector, aiming to consolidate and upgrade ICT (Information and Communication Technology) security and governance across financial entities. DORA introduces requirements for digital operational resilience testing and oversight over critical third-party providers.
- CIS Controls: Developed by the Center for Internet Security, the CIS Controls are a set of actionable best practices for cyber defense that help organizations protect themselves from known cyber attack vectors. These controls are more practical and specific compared to the broad regulatory frameworks of DORA or NIS2.
Why is the DORA framework important – and who needs it?
DORA's importance extends beyond merely addressing cybersecurity; it is about maintaining the stability and trust in financial markets by ensuring continuous service during adverse events.
This is particularly significant as financial institutions handle sensitive data and their uninterrupted operation is crucial for market stability.
The framework facilitates cross-border collaboration in cybersecurity efforts within the EU, enhancing the security posture of the region's financial ecosystem and protecting consumer interests.
The scope of DORA covers a wide range of entities within the EU's financial system. This includes banks, investment firms, insurance companies, financial market infrastructures like stock exchanges and clearinghouses, and critical third-party IT service providers, including cloud services. These entities are pivotal to the financial system's infrastructure, and ensuring their resilience is essential for the overall health of the financial markets.
In short, DORA is a key legislative measure that addresses the pressing need for robust operational resilience and cybersecurity in the financial sector.
In this environment, creating a harmonized regulatory framework in the EU enhances the security and stability of financial services and protects consumers by ensuring that financial entities and their critical service providers can maintain operations and manage IT disruptions effectively.
DORA compliance: scope and applicability
Below, we outline the scope and applicability of DORA, detailing which entities are affected and what compliance entails. The act applies to a wide range of financial entities, explicitly listed in its Article 2. It is crucial for these entities to determine if they fall under DORA's regulations to implement appropriate compliance strategies.
The entities covered include:
- Credit Institutions: Traditional banks and financial institutions that offer credit facilities.
- Payment Institutions: Entities engaged in payment processing, including those exempt under Directive (EU) 2015/2366 (PSD2).
- Account Information Service Providers: Providers of consolidated information on one or more payment accounts.
- Electronic Money Institutions: Including those exempt under Directive 2009/110/EC (EMD2), these institutions issue and manage electronic money.
- Investment Firms: Firms involved in securities trading and related services.
- Crypto-Asset Service Providers and Issuers of Asset-Referenced Tokens: Entities dealing with cryptocurrencies and related financial products.
- Central Securities Depositories: Institutions that hold and administer securities and enable securities transactions to be processed.
- Central Counterparties: Entities that stand between the two sides of a transaction in the financial markets and guarantee its completion.
- Trading Venues: Includes stock exchanges and other platforms where financial instruments are traded.
- Trade Repositories: Entities that maintain records of derivatives contracts.
- Managers of Alternative Investment Funds: Entities managing investments in alternative assets.
- Management Companies: Companies that manage investment funds.
- Data Reporting Service Providers: Entities providing data and reporting services in financial markets.
- Insurance and Reinsurance Undertakings: Companies involved in insurance and reinsurance businesses.
- Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries: Agents and brokers in the insurance market.
- Institutions for Occupational Retirement Provision: Entities managing occupational pension schemes.
- Credit Rating Agencies: Agencies that provide credit ratings for various financial entities.
- Administrators of Critical Benchmarks: Entities responsible for setting benchmarks critical to financial markets.
- Crowdfunding Service Providers: Platforms that facilitate crowdfunding for various purposes.
- Securitization Repositories: Entities dealing with the documentation and reporting of securitizations.
- ICT Third-Party Service Providers: Providers of information and communication technology services to financial entities.
The 5 pillars of DORA
DORA is designed around five foundational pillars, recognizing the critical role that Information and Communication Technology (ICT) plays in the smooth operation of financial institutions within the European Union.
Each pillar serves a specific purpose:
1. ICT Risk Management
This pillar ensures that financial entities can effectively manage the risks associated with their ICT systems. It involves establishing comprehensive plans and tools to protect against, detect, and recover from technological disruptions.
2. ICT incident reporting
Financial entities are required to quickly report any ICT-related incidents to minimize potential damage. This necessitates having a robust system for efficiently identifying and managing these incidents.
3. Digital operational resilience testing
Regular testing of the resilience of ICT systems is mandated to confirm they can withstand and recover from operational disruptions. This includes a variety of tests such as penetration testing and scenario analysis.
4. ICT third-party Risk Management
This pillar covers the risks linked to external service providers, such as cloud computing firms, and requires that these third parties also comply with DORA’s stringent resilience standards.
5. Information and intelligence sharing
This pillar encourages financial entities to share information about cyber threats and vulnerabilities with one another and with regulatory authorities. This collaborative approach helps enhance the cybersecurity posture of the entire financial sector.
DORA requirements: How to prepare?
To comply with DORA, the affected entities must incorporate the following practices.
1. Risk Management
Requirement: Entities must establish and maintain a sound, comprehensive, and well-documented ICT Risk Management framework. This framework should cover all stages of ICT risk from identification and protection to detection, response, and recovery.
How to prepare:
- Develop a clear ICT Risk Management policy.
- Implement processes to continuously identify and assess ICT risks.
- Establish protective and preventive measures against identified risks.
2. Incident reporting
Requirement: Entities are required to establish and implement an ICT Incident Management process. They must promptly detect and report significant ICT-related incidents to the relevant authorities.
How to prepare:
- Set up an incident response team and define its roles and responsibilities.
- Develop procedures for the quick detection and classification of ICT incidents.
- Create a reporting mechanism to communicate incidents to regulatory bodies as required.
3. Digital operational resilience testing
Requirement: Regular testing of digital operational resilience is mandatory. This includes testing the entity's ability to withstand and respond to ICT disruptions and threats, using methods like vulnerability assessments, scenario-based testing, and penetration testing.
How to prepare:
- Plan and conduct regular testing exercises tailored to the entity's specific operations and risks.
- Engage external experts for independent testing when necessary.
- Review and update disaster recovery and business continuity plans based on test outcomes.
4. Third-party Risk Management
Requirement: Entities must manage and monitor the ICT risk stemming from dependencies on third-party service providers, including cloud services.
How to prepare:
- Conduct due diligence before entering agreements with third-party service providers.
- Regularly assess the security and resilience of third parties.
- Implement contractual clauses to ensure compliance with DORA requirements and maintain oversight.
5. Information sharing
Requirement: Entities are encouraged to share information related to ICT risks, threats, and vulnerabilities with other entities and relevant bodies to enhance collective resilience.
How to prepare:
- Join financial sector information-sharing forums and networks.
- Establish protocols for sharing information while protecting sensitive data.
- Participate in collaborative resilience exercises with other entities.
6. Compliance and oversight
Requirement: Entities must ensure compliance with DORA's regulations and are subject to oversight by competent authorities. This includes adhering to governance standards and providing necessary documentation and evidence of compliance.
How to prepare:
- Ensure governance frameworks align with DORA requirements.
- Maintain thorough documentation of all ICT risk management activities and decisions.
- Prepare for regular audits and assessments by regulatory bodies.
Special provisions
DORA also introduces special provisions for critical third-party service providers, such as cloud platforms and other key technology services on which the financial sector depends. These providers are subject to oversight and must ensure that their services align with the operational resilience requirements demanded by DORA.
Timeline to implement DORA
The implementation timeline for DORA involves several key stages, from its initial proposal to full enforcement. DORA was officially published and entered into force on 16 January 2023, marking the start of the formal legislative framework for operational resilience in the financial sector.
The transition period from 16 January 2023 to 17 January 2025 gives affected entities a 24-month preparation window, which allows the 20 different types of financial entities, including insurance and reinsurance undertakings, Institutions for Occupational Retirement Provision (IORPs), and insurance and reinsurance intermediaries, to adapt their operations to meet DORA’s requirements.
By 17 January 2025, DORA will be fully applicable across the EU, which means all financial entities covered by the act must be fully compliant with its provisions by that date.
Following full application, there will be continuous monitoring and review processes to ensure the effectiveness of the framework. The EU may make adjustments based on technological advancements, emerging cyber threats, and the practical experiences of entities subject to the regulation.
Key takeaways
The development of DORA represents a significant step by the EU to not only protect its financial sector from digital threats but also to enhance its global competitiveness by creating a safer, more resilient financial environment.
Organizations within the scope of DORA need to stay informed about the specific dates and requirements as the legislative process concludes and the Act moves towards implementation. Preparing early and understanding the timeline can help ensure a smooth transition.