The complexities of the digital age and our increasing reliance upon interconnected ICT systems necessitate a robust approach to risk. This is especially true for the Financial Services sector, where global fiscal systems now depend heavily upon digital tools for their basic daily operations.
These digital tools have facilitated an intricate web of cross-border networks; no longer impeded by geographical boundaries, our transactions are now made with far greater speed and accuracy. But as with any system, increased complexity means increased vulnerability, and an ever-expanding threat landscape to get to grips with.
Recognising this, the European Union has introduced new legislation specifically for Europe’s Financial Services Sector: The Digital Operational Resilience Act, a.k.a. DORA.
What is DORA?
DORA is a regulatory framework, implemented with the purpose of consolidating and upgrading existing EU legislation on digital operational resilience within the finance sector. It was introduced by the EU in December of 2022, but will come into force officially on the 17th of January 2025.
Much like the already introduced NIS 2 legislation, DORA aims to enforce a minimum viable level of cyber security and digital operational resilience across all in-scope entities, combating any 'weak links' across the Union's financial services sector that could be exploited by malicious actors.
Each EU member state is expected to implement its own legislation in response to this directive, meaning there may be regional variations in the specifics of the regulation. The requirements laid out by DORA at the Union level, though, do give us an idea of what to expect overall. Industry best practice is laid out in a holistic manner, encompassing areas such as risk management, third-party risk, incident management, reporting requirements, and testing structures.
In terms of penalties in case of non-compliance, DORA outlines two sets of penalties – those for the financial entities themselves, and those for the ICT third-party service providers.
- Financial Services Entities – DORA does not specify the exact fines or sanctions for in-scope entities, but instead grants competent authorities ‘all supervisory, investigatory and sanctioning powers necessary to fulfil their duties’. This means that penalties for non-compliance will be determined by EU member states in their own implementations of DORA.
- ICT third-party service providers – As outlined in Article 35, Overseers can impose a periodic penalty payment for non-compliance of up to 1% of the ‘average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year’ for up to 6 months.
Why is it needed?
Like many sectors, financial services have observed a transition towards heavy reliance on ICT and digital technologies for the running of day-to-day operations.
The criticality of these applications varies, but in many cases they are responsible for keeping our international economic, banking, and data reporting structures afloat. With so many of our financial systems now relying on these technologies, the risk profile of the entities involved has rapidly expanded. The interconnectivity of financial systems in the EU means a breach in one area may have a significant knock-on effect for the rest of the sector, resulting in widespread disruption and market strain. DORA's role is to provide a practical, security-driven framework that mitigates the risk posed to these critical systems, in turn strengthening the Union's operational resilience in the face of breaches, threat actors, and digital disruption.
What you need to know
DORA outlines requirements in several key areas, taking into consideration the whole IT risk management lifecycle. We've pulled out a few key points below:
- ICT Risk Management - This section mandates an ‘internal governance and control framework’ and a ‘comprehensive and well-documented’ risk management framework. There are also obligations to maintain effective protection and prevention programmes, as well as incident detection and disaster recovery protocols. Proper communication structures are required, as are backup and restoration policies and procedures.
- ICT-Related Incident Management, Classification and Reporting - DORA specifies the mechanisms for incident response, and lays out a framework for incident classification and severity rating. It then outlines reporting obligations, which include the need to report any major incident to the relevant competent authority. There are also stipulations regarding the notification of affected clients.
- Digital Operational Resilience Testing – Financial entities will be expected to build a robust testing regime, designed to ‘identify weaknesses, deficiencies and gaps’ within their digital operational resilience. This includes the testing of ICT tools and systems using a risk-based approach, considering both the broader and the localised risk landscape. These tests must be undertaken by internal or external independent parties, and any issues found must be remedied once identified. The regulation goes on to require that some entities conduct Threat-Led Penetration Testing (TLPT) of their ICT tools and systems.
- Managing of ICT Third-Party Risk - This is one of the more extensive chapters of the legislation and outlines how the management of third-party risk should be integrated into risk management frameworks. DORA notes in Article 28(5) that ‘financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards’. The regulation’s focus on supply-chain risk goes as far as to outline key contractual provisions and circumstances for contractual termination, and even establishes an Oversight Forum with dedicated supervisory powers for critical third-party providers.
It is also worth noting that the four overarching DORA requirements outlined above constitute industry best practice, and as such also appear in many similar legislative obligations introduced by other nations, for example the SEC/FTC cyber security updates in the United States.
Who it will affect
Legislators have outlined clearly within DORA the kinds of institutions within scope of the legislative obligations. While there are a few noted exceptions to these categories, the in-scope entities are as follows:
- Credit Institutions
- Payment Institutions
- Account Information Service Providers
- Institutions for Occupational Retirement Provision
- Investment Firms
- Crypto-Asset Service Providers
- Central Securities Depositories
- Central Counterparties
- Trading Venues
- Trade Repositories
- Managers of Alternative Investment Funds
- Management Companies
- Data Reporting Service Providers
- Insurance and Reinsurance Undertakings
- Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries
- Electronic Money Institutions
- Credit Rating Agencies
- Administrators of Critical Benchmarks
- Crowdfunding Service Providers
- Securitisation Repositories
- ICT Third-Party Service Providers
Conclusion
It is important to note that DORA is not just a one-off compliance exercise, but an ongoing obligation that for some may require a fundamental overhaul of current processes. The adoption of robust digital operational resilience frameworks necessitates C-suite-level investment and board-level sponsorship of integrated risk approaches across the organisation. Increased EU supervisory activity will require a solid foundation in risk management, encouraging a move away from reactive practices driven by breaches and compliance deadlines.
While the controls we operate for cyber security must still be applied, DORA (like many of its global cousins) helps to highlight the need to take security seriously and to turn the conversation from ‘what’s the cost of security’ to ‘what’s the cost of failing to secure’.