The Digital Operational Resilience Act (DORA) is a EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025.
It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.
DORA brings harmonisation of the rules relating to operational resilience for the financial sector applying to 20 different types of financial entities and ICT third-party service providers.
Why is DORA needed?
The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents.
When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This in turn, can have an impact on other companies, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.
With the DORA regulation, the EU aims to establish a universal framework for ICT risk management and mitigation in the financial sector.
The aim is to eliminate gaps, overlaps and conflicts that might arise between different regulations in different EU states by harmonizing risk management rules across Europe.
Indeed, a shared set of standards can facilitate the compliance of financial entities and, at the same time, improve the resilience of the entire European financial system by ensuring that all players adhere to the same standards.
For organisations operating in the financial sector, government interference and regulatory oversight are nothing new.
It stands to reason, of course: finances dictate so much of how a country and society functions that the power of government could be hobbled should the financial sector be struck down or left impotent. Furthermore, a secure financial market draws business to itself, which is obviously desirable for all governments.
In 2020, the ESRB (European Systemic Risk Board) examined systemic cyber risk in the EU financial sector.
The resulting report found that the primary risks arose from key developments in modern networks and ways of doing business:
- High levels of interconnectedness across financial entities and markets.
- Interdependence between systems – e.g. payments systems, securities clearing and settlement, claims management, peer-to-peer finance, etc.
- Deepened interconnectedness between financial entities and third-party service providers and suppliers.
- Financial entities deploy services across national borders and cyber threats know no borders.
- Likelihood that vulnerabilities can propagate across the entire EU financial system, compromising stability of EU financial systems.
It was a combination of these factors that led the EU to create DORA.
As a regulation, DORA will be enforced from a fixed date regardless of what any member state does. Some countries may apply more restrictive conditions, but it is not possible for any of them to override DORA to relax requirements.
A measure first proposed in September 2020 by the European Commission, and part of a broader digital finance package that also includes initiatives for regulating cryptocurrencies and improving the EU’s overall digital finance strategy.
The Council of the European Union and the European Parliament formally adopted DORA in November 2022, on December 27, 2022 it was published in the Official Journal, and on January 16, 2023 it entered into force.
Financial entities and third-party ICT service providers to comply with the requirements have until January 17, 2025 when the regulation will become binding.
The DORA regulation applies to all financial institutions in the EU, including traditional financial entities, such as banks, investment companies, and credit institutions, as well as nontraditional entities, such as cryptocurrency-related service providers and crowdfunding platforms, cloud service providers, and data centers.
Firms that provide critical third-party information services, such as rating and data analytics services, are also affected by the regulations.
After the January 2025 deadline, designated regulatory authorities in each member state will manage implementation. These competent authorities may require financial entities to take specific security measures and correct any vulnerabilities. They will also be able to impose administrative and, in some cases, criminal penalties, on defaulting entities. Penalties will be decided by each individual member state and can be as much as 1 percent of the average daily global turnover recorded in the previous fiscal year by the sanctioned party.
Fines may be imposed daily for up to six months until the provider achieves full compliance.
The 6 pillars of the Regulation
The measures under DORA are divided into 6 major areas that are to represent must-haves that companies and organizations are required to improve or implement:
- ICT Governance.
The goal here is to foster better alignment of ICT risk management strategies by financial entities. The Management Body will play a key role in assigning responsibilities and roles for all ICT functions, controlling and monitoring ICT risk management, and finally, appropriately allocating ICT investment and training; - ICT Risk Management.
In this context, the goal is to improve and harmonize rules for ICT risk management. Financial entities will need to establish and maintain resilient ICT tools and systems through ICT risk identification, preparation of protection and prevention measures, threat detection, incident management, implementation of business continuity strategies and disaster recovery plans; - Incident management.
Provides for specific ICT incident management requirements. Industry organizations will have to implement a mapping system, in which they classify various incidents based on criteria described in the Regulations and further defined by the ESAs (European Supervisory Authorities) to specify materiality thresholds; - Resilience Test.
This is the biggest change because it is specified that financial entities will have to be tested periodically to ascertain their degree of maturity, identify their weaknesses and determine any corrective measures. A measure that highlights the regulator’s goal of taking a proactive approach that is not limited to “reaction” corrective measures alone. At this stage, Penetration Testing and, more generally,Red-Teaming activities should only be carried out by authorized and appropriately certified parties. In this regard, the Framework provided by the European Community, i.e., TIBER EU, transposed in Italy as TIBER IT, which has also been adopted by the Bank of Italy, Consob and IVASS, can be used to conduct these Tests. - Third Party Risks.
For this area, the regulator specifies that the various entities will have to ensure compliance with standards that apply to monitoring ICT risks arising from Third Parties and harmonize the essential elements of the service in all phases of the contract: contracting, execution, termination, and post-contractual phase; - Information sharing.
Here the goal is to make up for the lack of communication between the various entities within the EC. Indeed, it is allowed for financial organizations to enter into agreements to exchange information and data on cyber threats in order to strengthen cooperation among member states.
After the date of January 17, 2025, therefore, all stakeholders will have to take certain technical and organizational measures.
Specifically, the financial institutions involved are first and foremost required to adopt an ICT-related risk management process, with the goal of identifying cyber risks preventively and minimizing the impact of cyber incidents.
This burden is placed on the management body of the enterprise, which is called upon to assume “full and ultimate responsibility” for:
- ICT risk management;
- The definition and approval of the digital operational resilience strategy;
- The review and approval of corporate policy on the engagement of third-party vendors for ICT services.
All actors covered by the DORA Regulation must therefore prepare to implement it by January 2025 by developing or updating their incident reporting procedures in line with the new measures. These are a series of fulfillments that financial entities are obliged to perform in order to ensure a high level of digital operational resilience and represent an additional field of knowledge that must be acquired and managed.
Among these, great emphasis is placed on training and awareness-raising that different financial entities will need to put in place in a systemic way.
According to point 6 of the fundamental Article 13 of the Regulations, mandatory ICT security training modules for staff will have to be provided.
These training programs should be applicable to all employees and management personnel, and will have a level of complexity commensurate with the mandate of their functions. Where necessary, financial entities should include third-party ICT service providers in their training programs.
Training is therefore a pillar of this new legislation, which is necessary not only to make those involved unassailable on the cybersecurity front but also on the legal side and avoid unpleasant penalties.
