DORA Regulation: What's worth knowing?

The Digital Operational Resilience Act (DORA) is a crucial topic for individuals in the financial sector, particularly concerning regulations and legal requirements. What are the most critical aspects related to DORA? What is the history of the regulation? Most importantly, what obligations and requirements stemming from DORA must be considered? All of this is in today's article! There will also be some practical tips regarding interpretation and implementation.

What is the DORA regulation?

The DORA regulation stands for?Digital Operational Resilience Actwhich pertains to digital operational resilienceIt aims to enhance the financial sector's resilience to threats associated with digital technology. It includes the introduction of uniform standards for IT risk management, resilience testing against cyberattacks, and requirements concerning outsourcing technological services.

History and Purpose of Introducing the DORA Regulation

In 2020, the European Commission presented a project to strengthen the financial sector's resilience to digital threats. The main goals and motives behind the introduction of the DORA regulation are:

• Increasing the security and stability of the financial sector,
• Protecting clients and investors from the negative impacts of IT incidents,
• Ensuring uniform standards for IT/ICT risk management and testing resilience against cyberattacks,
• Introducing requirements concerning the outsourcing of technological services.

The regulation came into effect on January 16, 2023. Entities subject to DORA have until January 17, 2025, to prepare for the new requirements.

Scope of the DORA Regulation: To Whom Does It Apply?

DORA encompasses a wide range of entities in the financial sector, including:

• Banks
• Payment institutions,
• Insurance institutions,
• Investment firms,
• Fund managers,
• Exchanges,
• Trading platforms,
• Central securities depositories,
• Other entities providing financial services.

It's worth noting that that the scope of DORA also includes providers of technological services to entities in the financial sector. Therefore, not only financial institutions but also their IT service providers must comply with the requirements arising from this regulation!

Failure to comply with the obligations arising from the DORA regulation can lead to various consequences, such as financial penalties or restrictions on conducting business.

Obligations Arising from the DORA Regulation

Obligations Arising from the DORA Regulation include a range of actions that entities covered must take to increase their resilience to digital threats. Some of the key obligations arising from the DORA regulation include:

• Implementing an IT risk management strategy tailored to the specificities of the entity's operations,
• Ensuring an adequate level of data security, including the protection of personal data and confidential information,
• Conducting regular resilience tests against cyberattacks to assess the effectiveness of security measures,
• Monitoring and reporting IT incidents to respond to potential threats promptly,
• Complying with requirements concerning the outsourcing of technological services, including proper risk management related to using services from external providers,
• Security documentation, which should be based on identified risks.

What Are the Consequences of Non-Compliance with the DORA Regulation?

Descriptions of potential consequences for violating the DORA regulation include:

• Financial penalties, which can amount to several per cent of the entity's annual revenue,
• Restrictions on conducting business, such as suspension or revocation of licenses,
• Mandates to implement corrective actions to rectify irregularities,
• Damage to the entity's reputation in the eyes of clients and investors.

Examples of penalties for non-compliance with the DORA regulation may include imposing fines on a bank that has not conducted adequate resilience tests against cyberattacks or on a payment institution that has not ensured sufficient data security for its clients' data.

How to Meet DORA Requirements: Practical Tips

How to Meet DORA Requirements: Practical Tips

To meet the requirements of DORAentities covered by this regulation should take specific actions. Here are some practical tips that can help in this process:

?

1. Conduct an IT risk analysis to identify potential threats to data security and IT systems.
2. Implement appropriate policies and procedures for IT risk management tailored to the entity's operations and identified threats.
3. Provide regular training for employees on IT security to increase their awareness of digital threats and ways to mitigate them.
4. Conduct regular resilience tests against cyberattacks to identify weaknesses in IT systems and make necessary changes to enhance security.
5. Monitor and report IT incidents to quickly respond to potential threats and minimize their impact.
6. Collaborate with technological service providers to ensure proper risk management related to using their services.

But where to start?

To achieve organizational compliance with DORA regulations, the first steps should be:

• Identifying processes,
• Identifying IT resources (systems, technical infrastructure),
• Reviewing and cataloguing contracts with third parties responsible for ICT infrastructure (Information and Communications Technology).

The DORA regulations affect various aspects of the daily operations of entities covered by this regulation. Here are some examples of how DORA regulations impact practical aspects of operations:

1. Implementing an IT risk management strategy requires entities to continuously monitor and analyze potential threats, improving IT systems' security against attacks.
2. Ensuring adequate data security may require investments in modern technologies and training employees to protect personal data and confidential information.
3. Regular resilience tests against cyberattacks enable the identification of weaknesses in IT systems and implementing necessary changes to enhance security.
4. Monitoring and reporting IT incidents allow swift responses to potential threats and minimize their impact on the entity's operations.
5. Compliance with requirements concerning outsourcing technological services may lead to changes in the cooperation model with IT service providers and the introduction of additional safeguards to minimize the risk associated with using services from external providers.

In summary, the DORA regulation introduces several significant requirements for entities operating in the financial sector. These requirements aim to increase the security of IT systems and protect personal data and confidential information. Understanding and meeting these requirements is crucial to avoid the negative consequences of non-compliance with DORA regulations.

Do you want to prepare thoroughly and ensure compliance with all requirements?

Contact us. Our experienced experts with years of experience in information security, risk management, and business continuity support financial entities subject to DORA regulation in successive stages of compliance examination and reporting:

1. Process analysis in terms of BIA,
2. Development or updating of ICT risk management,?zarz?dzania ryzykiem ICT,
3. Creation of process assessment matrices, criticality catalogues, and ICT risks,
4. Preparation of a summary report for further reporting processes and the development of security documentation.??

We collaborate with many leading solution providers in the field of security. Therefore, we have knowledge of applied and possible automation and support tools for security in the organization.