What Is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is an EU regulation (Regulation (EU) 2022/2554) that entered into force on 16 January 2023 and applies from 17 January 2025.

It aims to strengthen the IT security of financial entities such as banks, insurance companies and investment firms, and to make sure that the financial sector in Europe can stay resilient in the event of a severe operational disruption.

DORA harmonizes the rules on operational resilience for the financial sector. It applies to around 20 different types of financial entities and to the ICT (Information and Communication Technology) third-party service providers that serve them.

What are the objectives of DORA?

DORA has two main objectives: (i) to comprehensively address ICT risk management in the financial services sector and (ii) to harmonize the ICT risk management regulations that already exist in individual EU member states.

It was introduced in order to:

  1. Mitigate the risk posed by growing vulnerabilities that result from the increasing interconnection of the financial sector
  2. Address the shift in risk profile caused by the growing digital adoption of financial services
  3. Acknowledge and address the reliance on third parties that underpins the stability of the financial sector
  4. Adopt a single, consistent supervisory approach to operational resilience across the single market

What was the situation before DORA?

Before DORA, risk management regulations for financial institutions in the EU primarily focused on ensuring that firms had enough capital to cover operational risks.

While some EU regulators had released guidelines on ICT and security risk management, these guidelines did not apply to all financial entities equally, and they often relied on general principles rather than specific technical standards.

In the absence of EU-level ICT risk management rules, EU member states issued their own requirements. This patchwork of regulations has proven difficult for financial entities to navigate.

What is DORA’s scope?

DORA applies to financial entities across the EU. That includes traditional financial entities, such as banks, investment firms and credit institutions, and non-traditional entities, including crypto-asset service providers and crowdfunding platforms.

It also reaches entities that have traditionally sat outside financial regulation: the ICT third-party service providers that supply financial firms with ICT systems and services, such as cloud service providers and data centers. Providers designated as critical ICT third-party providers are placed under a direct oversight framework run by the European Supervisory Authorities.

It also covers firms that provide critical third-party information services, such as credit rating services and data analytics providers.

Who is exempt from DORA?

Very small financial entities are not exempt outright. DORA defines a "microenterprise" as a financial entity that employs fewer than ten persons and whose annual turnover and/or balance sheet total does not exceed EUR 2 million. Such entities remain in scope, but DORA's proportionality principle means the requirements apply to them in a simplified form, and several individual obligations (for example, advanced threat-led penetration testing) do not apply to them.

What does DORA cover? The 5 pillars of DORA

DORA consists of 5 pillars that lay out requirements and expectations for different aspects of operational resilience:

  1. ICT risk management: a documented framework covering identification, protection, detection, response, recovery and learning
  2. ICT-related incident management, classification and reporting: classifying incidents by set criteria and reporting major ones to the competent authority
  3. Digital operational resilience testing: regular testing of ICT systems, including advanced threat-led penetration testing for the entities required to perform it
  4. Managing ICT third-party risk: contractual requirements, a register of ICT third-party arrangements, and oversight of critical ICT third-party providers
  5. Information-sharing arrangements: voluntary exchange of cyber threat information and intelligence between financial entities

5 Pillars of DORA (Image from Metomic)

Essential Steps to Become Compliant with DORA

The following best practices can help an organization work toward DORA compliance:

1. Know the Requirements for Your Organization

The first step is to know what the requirements and obligations are for the organization. Familiarize yourself with the regulation to understand thoroughly what the organization needs in order to build an effective cyber resilience framework.

2. Run a Risk Assessment of Your Organization

A risk assessment of the entire organization and its extended supply chain gives a better understanding of which parts are exposed to cyber threats.

3. Consult with Multiple Teams

Use the collective knowledge of multiple teams to analyze the risk assessment results and contribute to building a compliance strategy. The compliance process involves IT security, compliance, legal, risk management, senior management and external counterparties, so it is crucial to work with all relevant teams to get a comprehensive view of the cyber risks.

4. Conduct Employee Training

Provide training that matches the complexity of the functions each employee is responsible for.

5. Build an Operational Resilience Strategy

A business continuity plan should lay out in detail how the organization will respond to cyber threats, data breaches and other operational disruptions.

6. Consider Third-party Service Vendors

DORA brings ICT third-party service providers into scope, so they must be considered in the risk assessment and when building the operational resilience strategy.

7. Perform Regular DORT and Pen Testing

Penetration tests and digital operational resilience testing (DORT) are testing approaches that help an organization become DORA-compliant by identifying risks so that they can be mitigated. DORA requires a regular testing programme, and for significant entities additionally requires advanced threat-led penetration testing (TLPT) at least every three years.

8. Automate Threat Detection

To maintain DORA compliance, an organization must have proper detection capabilities that alert it to incidents, anomalies or cyber-attacks. This may require deploying automated threat-detection solutions.

9. Regularly Review and Update Your Resilience Strategy

Conducting operational resilience tests provides helpful information and prepares the organization for compliance and mandatory reviews. Review the DORT results and data from previous attacks. This allows informed decisions and adjustments that improve the effectiveness of the operational resilience strategy over time.

10. Prepare for the Worst-case Scenario

Prioritize remediation actions by identifying vulnerabilities, then rank the solutions by factors such as the likelihood of occurrence and the impact on the organization.

11. Secure Your Data

Ensure that the technical and organizational measures required to protect customer data properly are in place. Follow all data protection regulations that apply in EU Member States, such as the General Data Protection Regulation (GDPR).

12. Be Prepared to Provide Evidence of Compliance

Providing evidence of resilience tests demonstrates to regulators that the organization is committed to the continued safety and security of its data.

Conclusion:

The financial sector is increasingly dependent on technology to deliver financial services. This makes financial entities vulnerable to cyber-attacks and incidents.

When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This in turn can have an impact on other companies, sectors and even the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.

References:

1. https://metomic.io/resource-centre/a-complete-guide-to-dora

2. https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en

3. https://www.ibm.com/topics/digital-operational-resilience-act

Dr. Sanjib Chowdhury

Author II Mentor II Service Delivery Manager II RISE with SAP - Security & Compliance II Quantum research II Sr Advisory Consultant II Author

7 months

Insightful! Well articulated, Shreya Agrawal

Vivek Kumar Pandey

Information Technology & Cyber Security Professional in Govt of India|CC(ISC)2|NIST-CSF|Generative AI |CBBR|IS-Audit CDAC|HIPAA|GDPR|AWS|SPLUNK|SOAR|DOCKER|Python|RDBMS|ISO 27001 Audit|Oracle 11G/12C|CCNA 200-301|CCIO|

7 months

Thanks for sharing
