Date: 15 April 2024
The EU DORA or Digital Operational Resilience Act is a groundbreaking legislative framework designed to ensure operational stability of financial firms in the EU. The European Council adopted DORA on November 28, 2022 upon approval by the European Parliament. Financial entities and their third-party providers of Information and Communication Technologies (ICT) have until 17th January of the next year to comply with DORA.
In this article, we break down what DORA essentially encompasses in easy-to-understand pointers. We will also explore how DORA will lead to enhanced security and stability of financial systems, not just in the EU but also globally.
1. Top 6 things to know about EU DORA
2. How DORA will make financial systems more secure
The EU DORA Regulation Simplified
Our experts have been studying DORA and helping clients across the world inch closer to compliance. Having deep dived into the full Final Text of DORA, they’re best placed to break down the Act and its applications in simple, understandable language.
Here are 6 points that explain the essence of DORA requirements and the vision behind the Act. By no means is the below explanation exhaustive, but it is meant to give you, the reader, an easy-to-consume understanding of what DORA really is and what it requires you to do!
1. The Conception of DORA: The idea of DORA was borne out of the several high-profile cyber incidents that impacted the EU financial sector in recent times. These attacks exposed the vulnerabilities in the operational and digital infrastructure of financial entities in the Union. It was also apparent that some of these challenges came about due to the interconnected and globalised environment that ICT technologies operate in today.The European Commission proposed DORA as part of its digital finance package in 2020, aiming to create a harmonised approach to managing ICT risks across EU member states. As the preamble to the Act mentions, the digital resilience of ICT systems is what DORA seeks to address and enhance.
2. Main Pillars of DORA: The Digital Operational Resilience Act recognises that the shift of the financial sector, including the insurance space, to the digital ecosystem makes it highly vulnerable to disruptions caused by cybersecurity risks.
DORA compliance is based on 5 pillars that aim to reduce this vulnerability and strengthen defences against cybersecurity risks. The Act expects all organisations under its purview to prioritise and better manage risks arising out of the use of ICT technologies.
Cyber Incident Response and its key phases of preparation, identification, containment, eradication, response and recovery take on heightened importance. With DORA coming into force, having a robust cybersecurity incident response plan and playbook are absolute essentials. Cyber and operational resilience can only be achieved with an effective response strategy for cybersecurity incidents.
Testing your response capabilities through scenario-based cyber tabletop exercises, threat-led penetration testing, vulnerability assessments and performance testing are mandates under the pillar of Operational Digital Resilience Testing.
Managing third-party risks and enforcing strong contracts with ICT service providers form the crux of the fourth DORA pillar. Sharing threat intel and information on cybersecurity risks with peers in your industry make up the final pillar of DORA compliance.
3. Application: DORA's regulatory scope encompasses 21 different types of financial institutions including but not limited to:
- Banks
- Credit, payment and electronic money institutions
- Investment firms
- Entities engaged in the provision of crypto-asset services and issuers of crypto-assets
- Insurance and reinsurance companies
- Credit rating agencies
- Statutory auditors, audit firms
- Platforms offering crowdfunding services.
Third-party ICT service providers that are classified as "critical" to the operational functionality of financial entities are also included in the ambit of DORA.
4. Global Implication of DORA: DORA establishes a comprehensive and robust framework for managing digital risks in the financial sector. Its ambitious scope sets a precedent for digital operational resilience. This can potentially influence regulatory standards globally, elevating standards for digital financial services worldwide.
Secondly, financial markets are inherently global. Multinational financial institutions operating both within and outside the EU will need to comply with DORA. This will lead to improved digital operational resilience practices globally.
Finally, DORA requires financial entities to ensure that their critical ICT third-party service providers comply with its high standards. This will raise the bar for cybersecurity and resilience practices among third-party providers worldwide. Ultimately, this will benefit not just the financial sector but all sectors relying on such services.
5. Compliance and Enforcement: The European Supervisory Authorities (ESAs) are responsible for ensuring compliance with and enforcement of DORA. The ESAs include:- The European Banking Authority (EBA): EBA oversees the banking sector and credit institutions.
- The European Securities and Markets Authority (ESMA): It focuses on the securities and markets sector.
- The European Insurance and Occupational Pensions Authority (EIOPA): EIOPA covers the insurance and reinsurance sectors.
These authorities will work in tandem with national authorities of member states to oversee the implementation of DORA. Together, they will monitor compliance and impose necessary sanctions on entities that fail to meet the regulation's requirements.
6. Challenges of DORA implementation: DORA is a comprehensive and stringent regulation demanding high standards for compliance. Naturally, the biggest challenge it poses is that of regulatory compliance costs and the need to enhance cybersecurity capabilities significantly.
Many of its critics have quoted regulatory burden, compliance costs and operational adjustments, especially for smaller institutions, as one of the primary challenges of DORA implementation.
However, compliance with DORA doesn’t have to be as daunting as it first appears. Our Virtual Cyber Assistant, for instance, offers a highly cost-effective option, especially for small to medium financial enterprises looking to enhance their cybersecurity maturity over time. Depending on your needs, you can choose a Service Tier and package that suits your requirements and budget. You then get access to some of the most experienced cybersecurity consultants at a fraction of the cost of hiring full time staff or roping in a traditional consultancy.
Our Virtual Cyber Assistants will help you assess where your operational resilience currently stands. They will then guide you through the processes of risk management, ICT risk identification, establishing a robust risk management framework etc. They can also help you create or refresh cyber incident response plans and ransomware playbooks.
They will assist you with the digital operational resilience tests you need to conduct. Significantly, they also help you work and enforce strong contracts with your third-party providers. Ultimately, all of these efforts will not only result in timely DORA compliance. They’ll also help you become dramatically more resilient against cybersecurity threats and achieve compliance with other standards or certifications you might need.
How will DORA make digital financial systems more secure?
- Operational Resilience of Financial Systems: As may be clear to you by now, DORA’s primary focus is to make the financial sector as strong as possible against disruptions caused by cyber risks. If an institution were to achieve the exacting standards laid out by the regulation, they’d automatically be better prepared to deal with cybersecurity incidents of any kind.
In the world of cybersecurity, there’s only one truth - preparation is the best protection. You really cannot avoid cyber threats today. But you can prepare with better risk management frameworks, incident reporting and response, continuous testing and improved third-party security. This preparation then leads to faster bouncing back after a disruption and this is the ultimate goal of DORA.
Better operational resilience is good for every stakeholder in the financial sector. And DORA not only protects financial institutions but also secures the broader economy from the cascading effects of digital disruptions. - Consumer Protection: DORA compliance achieves enhanced levels of consumer protection in two ways. First, it results in sustainable and smooth operations of financial services which directly benefits the end-consumer. It also leads to better protection of the digital assets of the consumer.
If all financial organisations within the EU and beyond are prepared to handle cyber attacks and data breaches, natural impact on sensitive consumer information gets mitigated. By extending operational resilience requirements to include third-party ICT providers, DORA significantly mitigates the risk of system failures and data breaches stemming from third-party vulnerabilities. This builds long-term consumer trust and leads to a healthier and more vibrant digital financial economy.
- Future-Proofing the Financial Sector: The long-term benefits of DORA will create a robust financial digital ecosystem. As we discussed earlier, compliance will create stronger customer trust and a competitive edge for financial entities in the Union.
Further, by fostering a culture of continuous improvement and resilience, DORA not only mitigates risks but also supports sustainable growth and innovation in the financial sector. - Harmonisation of Cybersecurity Standards across the EU: Every financial institution, insurance provider and third-party ICT provider working in any capacity within the EU will have to follow the mandate of DORA. This will lead to standardised levels of risk management and incident reporting.
DORA specifically addresses the need for harmonisation in its final text. It states that the current regulatory environment for many EU financial institutions lacks standardisation. In many cases, entities operating in different member states face overlapping regulatory requirements. This acts as a deterrent to ‘single market freedoms for financial services’.
The current lack of harmonisation is particularly pronounced in the case of digital operational resilience testing frameworks and critical third-party ICT service providers. And this disparity or lack of clarity is precisely what DORA seeks to eliminate.
Conclusion
The holistic and detailed approach of DORA to ensuring digital operational resilience not only enhances the security and stability of individual financial institutions but also contributes to the collective resilience of the financial system as a whole.
Through improved operational continuity and reduced systemic risk, DORA paves the way for a financial environment that is both more stable and robust. This ultimately supports the EU's broader objectives of financial stability, market integrity, and consumer protection. The spillover effect into non-EU markets is inevitable and indisputably welcome.
