Navigating the Impact of the Digital Operational Resilience Act (DORA) on the Financial Services Sector

The Digital Operational Resilience Act, also referred to as DORA, stands as a pivotal European Union (EU) regulation poised to elevate and standardise operational resilience and IT security within the EU financial sector.

Marking a substantial regulatory overhaul, DORA introduces stringent new requirements applicable to financial entities including banks, insurance companies, and investment firms. Moreover, critical third-party organisations providing ICT or data services to the financial services sector are also impacted. With a two-year implementation period, entities are expected to achieve compliance with the regulation by early 2025.

DORA’s reach extends to over 22,000 financial entities and ICT service providers within the EU, along with the ICT infrastructure supporting them from beyond the EU borders. These entities must prepare to meet the obligations outlined by DORA, aimed at reinforcing digital infrastructure and effectively mitigating cyber risks.

Why is DORA needed?

The Digital Operational Resilience Act (DORA) is needed for several crucial reasons:

  1. Cyber Security Threats: In today’s interconnected digital landscape, cyber security threats are inescapable. Cyber-attacks can disrupt essential services, compromise sensitive data, and inflict significant financial and reputational damage on businesses and institutions. DORA aims to address these threats by enhancing the resilience of digital systems and fortifying defences against cyber incidents.
  2. Complex Digital Ecosystems: Modern businesses and financial institutions rely heavily on complex digital ecosystems comprising interconnected networks, systems, and third-party service providers. The interdependencies within these ecosystems create vulnerabilities that can be exploited by cyber adversaries. DORA seeks to mitigate these risks by promoting a coordinated approach to digital resilience and imposing obligations on entities to assess and manage their digital risks effectively.
  3. Fragmented Regulatory Landscape: Prior to DORA, the regulatory framework governing digital operational resilience and IT security in the EU was fragmented and lacked consistency. DORA provides a unified and harmonised approach to addressing these issues, streamlining regulatory requirements across EU Member States and fostering greater cooperation and coordination among supervisory authorities.
  4. Criticality of Financial Services Sector: The financial services sector plays a pivotal role in the economy and society, making it a prime target for cyber-attacks. DORA recognises the criticality of the financial services sector and aims to bolster its resilience against cyber threats through enhanced regulatory oversight and compliance.
  5. Digital Transformation: The rapid pace of digital transformation has led to increased digitisation of financial services and operations. While this offers numerous benefits, it also introduces challenges and risks related to cyber security and operational resilience. DORA acknowledges the need to adapt regulatory frameworks to keep pace with technological advancements and ensure that digital systems remain secure, resilient, and trustworthy.

Regulatory Technical Standards

On 17th January 2024, the first set of regulatory technical standards was unveiled for financial entities and ICT providers across four domains:

  • Harmonising ICT risk management and governance
  • Incident response and reporting
  • Third-party risk management
  • Digital operational resilience testing

While still in draft form, these standards offer valuable insights into compliance requirements, pending finalisation by the European Commission. Looking ahead, a second batch of regulatory technical standards is scheduled for publication in July 2024, further refining compliance expectations and providing additional clarity for affected organisations.

How will DORA be enforced?

Following the finalisation of the standards and the arrival of the January 2025 deadline, enforcement will be delegated to designated regulators in each EU member state, known as “competent authorities.” In the UK, under the proposed regime, HM Treasury will – in consultation with the financial regulators and other bodies – be able to designate certain third parties to firms as ‘critical’.

These authorities will have the power to mandate specific security measures and require remediation of vulnerabilities from financial entities. Additionally, they will be authorised to impose administrative penalties and, in certain instances, pursue criminal sanctions against non-compliant entities. It will be at the discretion of each member state to determine the severity of penalties.

ICT providers classified as “critical” by the European Supervisory Authorities or “ESAs” (principally the EBA, EIOPA and ESMA) will be subject to the direct supervision of the ESAs. The ESAs will have the authority to request security enhancements, mandate remedial actions, and penalise non-compliant ICT providers. Under DORA, the ESAs are empowered to impose fines on ICT providers equivalent to 1% of the provider’s average daily worldwide turnover from the previous business year. These fines can be imposed daily for a period of up to six months until compliance is achieved.

What does this mean for UK financial institutions?

The UK regulatory authorities already have a framework in place for regulated firms when it comes to outsourcing and operational resilience. Recently, the Financial Conduct Authority (FCA) has been actively evaluating cyber and operational resilience through a comprehensive questionnaire. They’re delving into crucial aspects such as whether firms have a board-approved cyber security strategy, how they safeguard critical assets, and their capacity to detect, respond, recover, and learn from incidents.

Following the introduction of the Financial Services & Markets Act 2023, regulatory bodies such as the FCA, the Bank of England, and the PRA are currently consulting on the management of critical third parties in the UK financial sector.

While the FCA’s operational resilience rules align partially with the requirements of DORA, there are distinctions. The UK rules pertain to various financial entities including banks, insurers, and payment firms, whereas DORA extends to a broader spectrum including service providers in areas like crypto-assets and data reporting.

For firms operating both in the UK and the EU, there will be some overlap in their operational resilience efforts, but DORA introduces new requirements, particularly around detailed operational resilience testing and threat intelligence sharing.

Even for large financial institutions well-versed in UK regulations, DORA presents a challenge, requiring a harmonisation of standards across the board.

Conclusion

We perceive DORA as both a challenge and an opportunity for EU financial entities and their ICT providers. DORA’s standardised requirements oblige financial entities to maintain a consistent level of maturity in ICT and cyber resilience throughout their operations.

With a two-year preparatory period, affected entities must take proactive steps to align with its mandates. Financial institutions will need to kickstart comprehensive gap assessments to gauge their maturity level and pinpoint areas necessitating further investment and prioritisation. This proactive approach will position organisations to tackle more intricate requirements such as advanced technology resilience testing (including threat-led penetration testing), incident reporting, and threat intelligence.

With a significant emphasis on third-party risk management, entities are anticipated to ensure the resilience of third parties, dictating close collaboration and joint efforts with critical ICT service providers. This applies to existing contracts which must be compiled, reviewed, and amended for compliance, while new contracts within the scope must also incorporate such obligations.

By establishing comprehensive requirements and promoting a proactive approach to digital resilience, DORA seeks to mitigate the potential gaps, overlaps, and conflicts that might arise from differing regulations across EU member states. By doing so, it aims to strengthen the EU’s cyber security posture, safeguarding the integrity and stability of the EU’s financial ecosystem.

Written by Wayne Churchill

Chief Executive Officer
NormCyber