What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act is an EU regulation aimed at supporting the development of digital finance while keeping the associated ICT risks under control. The European Commission first proposed it in September 2020 as part of its Digital Finance Package, and at the time of writing the legislation was expected to come into full force in the first half of 2022. (It was ultimately adopted as Regulation (EU) 2022/2554, entered into force on 16 January 2023 and applies from 17 January 2025.)
The regulation strengthens the existing rules on information and communication technology (ICT) risk in the financial sector. It harmonises and consolidates the fragmented set of EU instruments that currently cover this ground, so that financial entities and their regulators across the EU work to a single, consistent set of requirements.
Features of DORA
There are five major branches of the DORA legislation:
- Operational resilience
- Risk management
- Centralised body for incident reporting
- Information sharing
- Third-party risk
DORA aims to establish an EU-wide standard for security assessments and penetration testing across financial services, with the goal of reducing operational risk.
The overarching theme of the framework is to give financial services a clear, common baseline for digital operational resilience. The driver is the rise in cyber attacks on the industry, a trend mirrored in other sectors. The purpose of operational resilience is not to prevent cyber attacks outright (that is not achievable) but to limit their consequences and the disruption they cause.
DORA has been introduced specifically to help financial services firms identify and mitigate ICT risks. Firms will be required to put an ICT risk management framework in place and then test it, so that critical business functions can continue, or be restored within defined tolerances, when an incident occurs.
The legislation also recognises the importance of senior stakeholder involvement. The firm's management body is expected to set the firm's risk tolerance and to approve its recovery plans, among other responsibilities.
Centralised Body for incident reporting
DORA aims to consolidate the current patchwork of incident reporting channels into a single EU-wide hub for digital finance. Standardising the process should allow EU financial entities to monitor, classify and report cyber security incidents more consistently, improving the response across the industry.
Beyond industry-wide collaboration with regulators, DORA also provides for the voluntary exchange of threat intelligence between firms that would otherwise compete. By pooling information on new attacks and techniques, the sector as a whole can respond faster than any single firm could on its own.
Finally, ICT third-party providers that serve financial entities may be designated as "critical third-party providers" (CTPPs) by the European Supervisory Authorities. A designated CTPP falls under a direct EU oversight framework as an ongoing obligation, not only in the event of a cyber security breach.
It is beneficial for third-party providers to come under the same regulatory regime as the financial services firms they serve, since it raises confidence in their services. This applies to contractual and legal matters as well as to the general level of assurance across security and technology.
Who must comply?
In-scope financial entities (banks, insurers, investment firms, payment institutions and similar regulated firms) and the ICT third-party providers that serve them fall within the DORA regime, with providers designated as critical third-party providers (CTPPs) subject to direct oversight. For financial entities, testing that is currently voluntary, such as threat-led penetration testing (TLPT, building on the TIBER-EU framework), becomes mandatory for those firms their competent authorities identify for it.
Any financial institution within EU jurisdiction should expect costs to rise significantly as it implements new monitoring, testing and reporting procedures. However, the collaborative nature of the DORA requirements means that resources can be pooled, and the whole industry should benefit from the reduction in losses caused by cyber attacks. DORA should also improve financial stability in the face of cyber threats.
Regulated firms and their ICT service providers should prepare for the changes DORA brings well before the regulation becomes applicable (17 January 2025), rather than waiting for the deadline.
CUBE understands financial regulation for EU-based firms and provides automated regulatory intelligence – so you know what your regulatory obligations are now, and for the future.