European Union: The Digital Operational Resilience Act


The European Union is taking a much needed step forward in digital operational resilience with the introduction of new legislation, the Digital Operational Resilience Act (DORA). It means that financial service companies looking to operate in European markets must have clear plans for responding to and managing cyber risks. DORA will allow businesses operating across jurisdictions within the EU to reduce outages, manage data protection and privacy compliance issues more effectively, and provide greater assurance that customer data is secure during transactions. For professional clients in particular, this could provide an improved level of protective measures, something that may be essential given the long-term economic uncertainty arising from current global events.

Digital Operational Resilience Act (DORA) explained

The legislation will require financial service companies to identify, assess and manage their cyber risks. Furthermore, it requires that firms have a ‘security culture’ in place which includes processes and policies for the protection of customer data. All companies must also ensure that their procedures meet the highest levels of security standards to protect customers from potential breaches or misuse of their data.

The legislation also requires financial service companies to have a clear plan for responding to incidents, as well as processes for investigating them and ensuring compliance with the DORA requirements. In the event of an incident, companies are required to notify the relevant authorities in a timely manner and provide details on how they will prevent similar risks arising in the future.

On December 27, 2022, DORA was published in the Official Journal of the European Union. It becomes effective on January 16, 2023. DORA is a major piece of legislation that places strict new requirements on financial institutions as well as crucial third-party providers. It calls for new systems and controls, risk management frameworks, policies, and contractual clauses to be included in ICT-focused outsourcing agreements. The regulation contains a two-year implementation window, with the new requirements going into effect on January 17, 2025, in acknowledgment of the time it will take for businesses to be DORA-compliant.

The Digital Operational Resilience Act (DORA) is a major step forward for Europe’s financial service companies and provides an opportunity to establish stronger levels of security across the industry. It is hoped that it will provide customers with confidence in the financial services they are using, as well as allow businesses to benefit from an improved level of protection in an ever-changing digital landscape.

Impact of DORA on Financial Institutions

Financial institutions that operate within the EU or offer services to customers located there will be significantly affected by the introduction of DORA. Companies must ensure they have adequate plans and policies in place for managing cyber risks, with different provisions depending on their size and the nature of their customer base. The regulation also requires companies to implement certain processes, such as regular risk assessment and monitoring of third-party providers, as well as to invest in systems that are able to detect and respond to potential cyber threats.

The introduction of DORA places a greater burden on companies which should result in increased costs for financial institutions. Companies must hire more staff or utilize outsourcing solutions in order to comply with the regulation, as well as invest in technology and processes to ensure they have suitable risk management measures in place.

Financial institutions will need a fully comprehensive framework for ICT risk management to handle this. They will also be required to identify risks, safeguard ICT systems, reduce the risk of cybersecurity incidents, detect suspicious activities, recover from negative incidents, and have backup and other recovery techniques in place. This should help financial institutions deal with ICT risks effectively.

In accordance with the framework, businesses will also need to evaluate the risks associated with using third-party services and have rules in place to guarantee that only appropriate third-party services are employed. DORA applies to a very broad range of financial institutions, such as banks and investment firms, markets infrastructure entities, trading companies, fund managers, insurance undertakings, payments and e-money institutions, and other financial entities like credit rating agencies, in order to ensure resilience against digital risk across the entire financial services sector.

Financial institutions will have to test their operational resilience frequently under DORA. Firms will be expected to test against the risks that are most pertinent to their investment services and business lines. Testing should follow a risk-based approach. By doing this, businesses may verify that the cyber risk controls in place are specific to their own operations. Firms will be compelled to document any incidents, including cyberattacks, and report them to the appropriate authority.

Further, this calls for careful monitoring of the risks associated with relying on third-party ICT suppliers, and firms must make sure that all relevant information regarding monitoring and accessibility is included in their contracts with ICT third-party providers. Financial institutions must also share cyber threat intelligence and information among themselves using mechanisms that protect the potentially sensitive nature of the transferred content.

Requirements for Financial institutions to comply with DORA

  • Investing in the appropriate technology and processes to ensure the organization has suitable cyber risk management measures in place.
  • Evaluating the risks associated with using third-party services, and having rules in place to guarantee that only appropriate third-party services are employed.
  • Documenting any incidents, including cyberattacks, and reporting them to the appropriate authority.
  • Monitoring and safeguarding ICT systems.
  • Reducing the risk of cybersecurity incidents, detecting suspicious activities, and having backup and other recovery techniques in place.
  • Frequently testing operational resilience against applicable risks.
  • Sharing intelligence and information on cyber threats among themselves through secure systems that safeguard potentially sensitive material.
  • Implementing appropriate measures to protect against cyber threats in order to ensure the continuity of operations.
  • Maintaining a framework for ICT risk management that is comprehensive and addresses all IT risks.
  • Planning for potential emergencies and having contingency plans in place to respond quickly to any incidents or threats.

Financial entities regulated under DORA

  • Investment firms
  • Credit institutions
  • Payment institutions and electronic money institutions
  • Crypto-asset service providers
  • Trading venues and trade repositories
  • Insurance and reinsurance undertakings and intermediaries
  • Central securities depositories
  • Central counterparties
  • Credit rating agencies
  • AIFMs and management companies
  • Data reporting service providers
  • Statutory auditors and audit firms
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • Securitization repositories
  • Institutions for occupational retirement pensions

In conclusion, compliance with the principles of DORA is crucial for the financial services sector to be able to manage digital risks effectively. Financial institutions need to assess their operations and cyber security measures continually in order to remain compliant with DORA. This will help them protect their customers’ data and assets, reduce operational risks, and maintain a secure and reliable financial infrastructure.
