The European Union’s Digital Operational Resilience Act (DORA) represents a significant step in ensuring the stability and security of the financial sector within the EU. As digital transformation accelerates, financial entities are increasingly exposed to a range of cyber threats. Traditionally, financial institutions managed risk through the allocation of capital, but DORA expands the scope to the broader discipline of operational resilience.
DORA creates a unified regulatory framework to ensure these entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions and threats. This blog will explore which organisations are affected by DORA and the key requirements they must adhere to.
Who Does DORA Apply To?
DORA’s comprehensive scope applies to a broad array of financial entities, both traditional institutions and modern fintech companies. The types of organisations it applies to include:
- Credit Institutions: Banks and other credit-giving financial bodies.
- Investment Firms: Entities involved in trading securities, managing portfolios, and providing investment advice.
- Insurance and Reinsurance Companies: Organisations offering insurance products and their reinsurance partners.
- Central Securities Depositories: Entities that hold securities and facilitate their exchange.
- Payment Institutions: Companies providing payment services, such as electronic money institutions.
- Crypto-asset Service Providers: Firms dealing with cryptocurrencies and related digital assets.
- Trading Venues: Exchanges where securities and other financial instruments are traded.
- Third-party ICT Service Providers: Companies offering technological services to financial entities, including cloud services, data analytics, and cybersecurity services.
Key Requirements of DORA
DORA establishes a set of stringent requirements aimed at bolstering the digital operational resilience of these entities. Here are the key mandates:
1. ICT Risk Management
Financial entities must implement robust ICT risk management frameworks. This includes:
- Recovery and Learning: Developing strategies to recover from ICT disruptions and incorporating lessons learned into the risk management framework.
- Identification and Protection: Recognising critical ICT assets and ensuring they are adequately protected against potential threats.
- Detection and Response: Establishing mechanisms to detect ICT incidents promptly and respond effectively.
2. Incident Reporting
Entities are required to report significant ICT-related incidents to their national competent authorities. The reporting process involves:
- Initial Notification: Providing a preliminary report soon after the incident is detected.
- Intermediate Updates: Keeping authorities informed with updates as the situation evolves.
- Final Report: Submitting a detailed report on the incident, its impact, and the remediation measures taken.
3. Operational Resilience Testing
DORA mandates regular testing of ICT systems to ensure their resilience. This includes:
- Threat-led Penetration Testing (TLPT): Conducting advanced penetration tests to simulate real-world cyber-attacks and evaluate the effectiveness of defence mechanisms.
- Vulnerability Assessments: Regularly scanning for and addressing vulnerabilities in ICT systems.
4. Information Sharing
DORA encourages information sharing among financial entities regarding cyber threats and incidents. This collaborative approach aims to enhance the overall security posture of the financial sector.
5. Third-party Risk Management
Financial entities must carefully manage risks associated with third-party ICT service providers. This involves:
- Due Diligence: Thoroughly assessing the risks of engaging third-party providers.
- Contractual Requirements: Ensuring contracts with third-party providers include clauses on security, incident reporting, and compliance with DORA.
- Continuous Monitoring: Regularly monitoring the performance and security measures of third-party providers.
6. Governance and Control
Entities must establish governance structures to oversee ICT risk management. This includes:
- Internal Audit: Implementing regular internal audits to assess the effectiveness of ICT risk management and compliance with DORA.
- Board Responsibility: Ensuring that the board of directors is responsible for overseeing ICT risk management strategies.
Operational Resilience and Business Continuity
Although operational resilience is a specific discipline, there are obvious crossovers with business continuity management’s objective of preventing disruption to the organisation. Many regulated financial firms use ISO 22301, ISO 27001 and other standards to support their operational resilience, and the requirements of DORA can be incorporated into these programmes.
However, just implementing the standards and achieving certification will not automatically guarantee DORA compliance. A consultant such as Assent Risk Management can help you build a bespoke project to ensure compliance across all applicable requirements.
Conclusion
The Digital Operational Resilience Act (DORA) is a landmark regulation that aims to fortify the financial sector’s defences against ICT-related risks. By encompassing a wide range of financial entities and outlining stringent requirements for ICT risk management, incident reporting, resilience testing, third-party risk management, information sharing, and governance, DORA ensures a comprehensive approach to digital operational resilience. As the financial sector continues to evolve in the digital age, DORA will play a crucial role in safeguarding the stability and security of financial services across the European Union.