The Meaning and Appliance of the Digital Operational Resilience Act (DORA)

The European Parliament's plenary session on November 10th, 2022, marked a significant milestone with the approval of the Digital Operational Resilience Act (DORA). This groundbreaking legislation aims to create a more standardized and consistent digital resilience framework and effectively manage ICT-related risks. Also, it deals with mitigating cyber threats within the financial services (FS) sector. In this article, we will highlight the nuances of DORA, its benefits, and key objectives.

The notion of the Digital Operational Resilience Act

DORA, put forth by the European Commission in late September 2020, is a crucial component of a comprehensive plan to modernize the financial industry. It aims to enhance Europe's competitiveness and foster innovation within the sector.

Given the heavy reliance of the financial sector on information and communication technology (ICT), the COVID-19 pandemic has accentuated this dependency, with customers increasingly embracing digital services. As a result, financial institutions have become more vulnerable to cyber-attacks and other incidents. The repercussions of such attacks or disruptions can extend beyond the targeted entities, affecting other companies, sub-sectors, and even the overall economy. Therefore, prioritizing digital operational resilience in the financial sector is essential.

In light of these circumstances, the primary objective of DORA is to guarantee that all participants in the financial sector have implemented appropriate security protocols to prevent or minimize the impact of cyber-attacks and other ICT-related incidents. Additionally, it aims to empower European supervisory bodies with the authority to assess outsourced services. Consequently, a regulatory framework will be established to oversee third-party ICT providers, including those offering cloud computing services within the financial industry.

A significant aspect of DORA revolves around the importance of information sharing. When encountering difficulties or issues, it is crucial to promptly communicate with relevant servers and individuals who hold significance to collaboratively work towards finding solutions. While it is acknowledged that not everyone may be directly affected, acquiring knowledge about such matters is empowering. As a result, new reporting obligations will be introduced under these regulations and strictly enforced.

Source: KPMG

Furthermore, DORA emphasizes the significance of reporting. It strongly emphasizes risk management, incident response, and resilience testing. However, these new regulations are impactful because management bodies will be held accountable. Cybersecurity is now being addressed at an organizational level, transcending the realm of solely IT concerns or the responsibility of individuals working with machines. It has become a collective concern for everyone involved.

A recent example, the Uber attack, highlighted this shift when their Chief Information Security Officer (CISO) faced the consequences due to dishonesty regarding payment for a bug bounty, a ransom. This underscores that management bodies, the C-suite, and other key stakeholders are all subject to liability and must grasp the implications of the risks involved.

Related: Cybersecurity, resilience & the latest trends in bad bot activity: summary

DORA's key objectives and goals

The main objective of DORA is to comprehensively address the risks associated with information and ICT and enhance the operational resilience of digital systems within the European Union's financial sector. The newly proposed legal framework aims to streamline and modernize existing rules while introducing new requirements. The key concepts and goals of DORA are as follows.

Conducting effective risk assessments

Financial entities will be required to assess the effectiveness of their prevention and resilience measures, enabling them to identify and manage their ICT vulnerabilities more effectively.

Enhancing financial authorities' knowledge

DORA seeks to improve financial authorities' understanding of the current threat landscape by granting them access to information regarding ICT-related incidents.

Strengthening outsourcing regulations

The regulations governing the oversight of ICT third-party service providers will be reinforced to ensure indirect supervision by financial authorities.

Direct monitoring of ICT service providers

DORA enables direct monitoring of the activities provided by ICT suppliers when they offer their services to financial entities.

Encouraging information exchange

The legislation aims to reward the sharing of information about cyber threats within the financial sector, facilitating collaborative efforts to combat emerging risks.

In addition to these objectives, DORA aims to establish more coherent procedures for classifying and reporting ICT incidents. Currently, the lack of uniform reporting obligations hinders supervisory authorities from obtaining a complete overview of incidents' nature, frequency, importance, and impact. Harmonization efforts will also eliminate the need for cross-border financial entities to report the same incident to multiple EU or national government agencies, streamlining reporting processes.

Related: What The CCPA Is: General View

What businesses should comply with DORA?

DORA primarily applies to all regulated financial entities within the European Union (EU), including ICT third-party service providers. Notably, it extends its coverage to a broader range of financial firms compared to the two existing EBA guidelines on ICT and security risk management and EBA guidelines on outsourcing.

The requirements set forth by DORA encompass not only credit institutions, insurance companies, and investment firms but also contain all companies operating within the financial industry. This includes payment institutions, asset management companies, rating agencies, and ICT and cryptocurrency-related service providers. However, certain specific exceptions, such as those concerning development banks, can be established at a national level.

Related: Regtech & Suptech: Digital Backup of Business Compliance and State Surveillance

What benefits does DORA deliver in terms of cybersecurity?

DORA takes a holistic approach by encompassing all regulated financial entities and ICT third-party service providers. This inclusive approach ensures that cybersecurity measures are implemented across various entities involved in the financial industry, fostering a stronger defense against cyber threats.

It mandates financial entities to conduct thorough assessments of their prevention and resilience measures, enabling them to identify potential ICT vulnerabilities. This approach empowers entities to have a deeper understanding of their cybersecurity risks, facilitating the implementation of effective measures to manage and mitigate those risks.

Implementation of DORA encourages the exchange of information regarding cyber threats within the financial sector. By fostering collaboration and sharing threat intelligence, entities can stay informed about emerging risks and enhance their preparedness to counter potential cyber-attacks.

DORA provides financial authorities with access to critical information on ICT-related incidents. This enhanced oversight allows authorities to gain valuable insights into the threat landscape, empowering them to take proactive cybersecurity supervision and enforcement measures.

This act also strengthens the regulations surrounding outsourcing. This ensures that entities responsible for delivering essential services to the financial sector adhere to stringent cybersecurity practices. DORA contributes to a more secure operational landscape by minimizing vulnerabilities arising from outsourced services.

Summary

The Digital Operational Resilience Act (DORA) represents a significant milestone in the EU's efforts to enhance cybersecurity within the financial sector. By adopting a comprehensive approach, DORA ensures that cybersecurity measures are implemented across various financial entities and ICT third-party service providers. It promotes practical risk assessments, encourages information sharing, strengthens supervision, and enforces robust outsourcing regulations. Ultimately, it aims to create a more secure and resilient digital environment for the financial industry, safeguarding against cyber threats and fostering innovation.