DORA (Digital Operational Resilience Act) is the EU's latest regulation to manage digital risks in the financial sector more effectively and comprehensively.
This regulation changes the focus from solely the financial stability of the companies to also include their ability to continue their operations and withstand challenges such as cyber attacks, IT disruptions and other digital threats. By introducing a standardized monitoring process for all affected areas within the EU, DORA promotes uniformity and coordination of the strategies previously used for cyber security and the ability to deal with digital threats.
Why is DORA relevant?
The regulations cover over 22,000 financial institutions and IT service providers within the EU.
This regulation imposes requirements on all players in the financial market, including banks, investment firms, insurance companies, financial intermediaries, crypto-asset companies, data reporting companies and cloud service providers.
It introduces a unified framework to comprehensively manage risk, strengthen IT and cyber security, and address risks with third-party services to ensure reliable service throughout the supply chain.
Five key aspects are emphasized: managing IT risks, reporting IT-related events, testing digital security measures, managing risks for third-party IT services and sharing information.
This regulatory framework is unique in that it is comprehensive, EU-wide, and includes all third-party companies providing IT services under the supervision of the European Supervisory Authorities (ESA).
Areas where DORA becomes crucial
Information and Communications Technology risk management
Financial companies need a comprehensive ICT risk management system that includes the following measures:
- Installation and maintenance of robust ICT systems and tools to reduce the impact of ICT-related risks,
- Identification, categorization and documentation of critical business functions and resources,
- Constant monitoring of potential ICT risk sources in order to implement proactive protection measures,
- Quick detection of unusual activities,
- Creation of a tailored and comprehensive business continuity policy that includes crisis and recovery plans, with annual testing of these plans covering all support functions,
- Establishing procedures to learn and develop from both external events and the company's own ICT incidents.
Reporting of ICT-related incidents
Financial companies must:
- Create an efficient method to log and categorize ICT incidents, as well as identify major incidents based on the criteria in the regulation and additional details specified by the European regulatory bodies (EBA, EIOPA, and ESMA),
- Submit an initial, an ongoing, and a final report on events related to ICT,
- Follow a standardized reporting process for ICT-related incidents using templates developed by ESA.
Testing of the business's digital vulnerabilities and resilience
The regulations stipulate that all companies must:
- Carry out annual baseline tests of their IT tools and systems,
- Detect, prevent and quickly fix all vulnerabilities, errors or flaws through effective countermeasures,
- Regularly carry out extensive threat-led penetration tests (TLPT) on IT services that are critical to the business. Third-party IT service providers are also required to actively participate and cooperate in these testing processes.
Risk management for third-party ICT service providers
Financial companies are obliged to:
- Monitor and manage risks related to IT services delivered by third-party companies,
- Report all outsourcing as well as any changes in critical IT services from third parties,
- Consider IT risks that may occur when using subcontractors,
- Integrate key aspects of IT services and relationships with third-party providers for effective monitoring,
- Ensure that contracts with third-party IT service providers include comprehensive and detailed information on service levels, data management, etc.,
- Follow the EU Supervisory Framework for critical third-party providers of IT services, which can provide recommendations to reduce IT risks. Financial companies must consider risks with third-party providers that do not follow these recommendations.
Information sharing
- Companies in the financial sector are encouraged by the regulations to share information about cyber threats among themselves,
- The supervisory body makes available anonymized information about cyber threats directed at the financial industry. Consequently, companies should establish routines to handle and act on information from the authorities.
Source: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en