Unraveling DORA: Enhancing Digital Resilience in Finance

In September 2020, the European Commission unveiled a groundbreaking initiative aimed at revolutionizing digital risk management for financial entities and critical ICT service providers. The Digital Operational Resilience Act (DORA), formally known as Regulation (EU) 2022/2554, represents a significant leap forward in fortifying digital operational resilience within the financial sector.

DORA officially came into force on January 16, 2023, and starting from January 17, 2025, it will have a wide-reaching impact on various financial institutions. This includes credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings, and investment fund managers.

DORA’s Mandate

At its core, DORA strives to establish a unified regulatory framework across Europe for managing risks stemming from Information and Communication Technology (ICT) and associated suppliers. This extends beyond the conventional boundaries of financial institutions, incorporating various players within the financial sector, such as insurance and reinsurance undertakings, alternative investment fund managers, and management companies.

Defining Digital Operational Resilience

Digital operational resilience, as DORA defines it, is a financial entity’s ability to build, assure, and review the operational integrity and reliability of its systems. That capability is secured either directly or indirectly through services provided by ICT third-party service providers, and it covers the full spectrum of ICT-related capabilities needed to ensure the security of the networks and information systems supporting financial services.

DORA’s Broad Scope

Applying to all financial institutions in the EU, DORA casts a wide net that includes traditional entities like banks, investment firms, credit institutions, and non-traditional players such as crypto-asset service providers and crowdfunding platforms. DORA significantly extends its regulatory reach to entities typically excluded from financial regulations, encompassing third-party service providers supplying ICT systems and services, including cloud service providers and data centres.

In a unique approach, DORA also covers firms offering critical third-party information services, such as credit rating services and data analytics providers.

Who Falls Under DORA’s Purview?

DORA’s regulatory reach extends to a broad spectrum of financial entities, including but not limited to:

  • Payment institutions and electronic money institutions
  • Account information service providers
  • Investment firms
  • Credit institutions
  • Credit rating agencies
  • Insurance and reinsurance firms
  • Central securities depositories
  • Crypto-asset service providers
  • Central counterparties
  • Trading venues and trade repositories
  • Crowdfunding service providers
  • Data reporting service providers

The DORA Framework

The Digital Operational Resilience Act (DORA) ushers in a new era of regulatory standards for financial entities and Information and Communication Technology (ICT) providers, focusing on four key domains: ICT risk management and governance, incident response and reporting, resilience testing, and third-party risk management. As financial institutions gear up for compliance, DORA introduces a proportional enforcement approach, recognizing the diverse landscape of entities, with smaller organizations facing different standards than major financial players.

Enforcing DORA

Once the standards are finalized, enforcement responsibility will fall on competent authorities in each EU member state. These authorities can mandate specific security measures, remediate vulnerabilities, and impose penalties, both administrative and, in certain cases, criminal, on non-compliant entities.

For ICT providers deemed “critical,” direct supervision by “Lead Overseers” from the ESAs will be implemented. Lead Overseers can request security measures, penalize non-compliance, and impose fines amounting to 1 percent of the provider’s average daily worldwide turnover for up to six months until compliance is achieved.

Delving into DORA’s Requirements

DORA establishes technical requirements across five crucial domains:

1. ICT Risk Management and Governance

DORA places the responsibility for ICT risk management on the entity’s management body. Board members, executives, and senior managers must define risk management strategies, conduct continuous risk assessments, and be personally accountable for compliance. Covered entities must develop comprehensive ICT risk management frameworks, including mapping ICT systems, identifying critical assets, and conducting business impact analyses.

2. Incident Reporting

Covered entities must establish systems for monitoring, managing, classifying, and reporting ICT-related incidents. Depending on the severity, entities must file three types of reports for critical incidents, with forthcoming rules on incident classification, reporting criteria, and timelines.

3. Digital Operational Resilience Testing

Entities must conduct regular tests to evaluate ICT system strength and identify vulnerabilities. Basic tests, including vulnerability assessments and scenario-based testing, are required annually. Financial entities playing a critical role must undergo threat-led penetration testing (TLPT) every three years.

4. ICT Third-Party Risk Management

DORA uniquely extends to ICT providers servicing the financial sector. Financial entities must actively manage third-party ICT risk, negotiate specific contractual arrangements, and map third-party ICT dependencies. Critical ICT third-party service providers will be subject to direct oversight from relevant ESAs.

5. Information Sharing

Information sharing is voluntary under DORA: financial entities are encouraged, but not required, to take part in threat intelligence sharing arrangements, with any shared information handled in line with applicable rules such as the GDPR.

Conclusion

As the EU charges ahead with DORA, financial entities must embrace a proactive stance to ensure compliance and fortify digital resilience. With its holistic approach, DORA addresses the immediate challenges of ICT risk management and sets the stage for a harmonized and resilient European financial landscape. As financial entities navigate the complexities of DORA’s requirements, a new era of cybersecurity standards is set to reshape the future of the financial services sector in the European Union.
