The complexities of the digital age and our increasing reliance upon interconnected ICT systems necessitates a robust approach to risk. This is especially true for the Financial Services sector, where global fiscal systems now depend heavily upon digital tools for their basic daily operations.
These digital tools have facilitated an intricate web of cross-border networks; no longer impeded by geographical boundaries, our transactions have come to be made with much increased speed and accuracy. But like any system, increased complexity means increased vulnerability, and an ever expanding threat landscape to get to grips with.
Recognising this, the European Union has introduced new legislation specifically for Europe’s Financial Services Sector: The Digital Operational Resilience Act, a.k.a. DORA.
What is DORA?
DORA is a regulatory framework, implemented with the purpose of consolidating and upgrading existing EU legislation on digital operational resilience within the finance sector. It was introduced by the EU in December of 2022, but will come into force officially on the 17th of January 2025.
Much like the already introduced NIS 2 legislation, DORA aims to enforce a minimum viable level of cyber security and digital operational resilience across all in-scope entities, combatting any 'weak links' across the Union's financial services sector that could be exploited by malicious actors.
- Financial Services Entities – DORA does not specify the exact fines or sanctions for in-scope entities, but instead provides competent authorities ‘all supervisory, investigatory and sanctioning powers necessary to fulfil their duties’. This means that penalties for non-compliance will be determined by EU member states in their own implementations of DORA.
- ICT third-party service providers – As outlined in Article 35, Overseers can impose a periodic penalty payment for non-compliance of up to 1% of the ‘average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year’ for up to 6 months.
Why is it needed?
What you need to know
- ICT Risk Management - This section mandates the need for an 'internal governance and control framework' and 'comprehensive and well-documented’ risk management framework. There are also obligations to maintain effective protection and prevention programmes, as well as incident detection and disaster recovery protocols. Proper communication structures are required, as are backup/restoration policies and procedures.
- ICT-Related Incident Management, Classification and Reporting - DORA specifies the mechanisms for incident response, as well as laying out a framework for incident classification and severity rating. It then outlines reporting obligations, which include the need to report any major incident to the relevant competent authority. There are also stipulations regarding the notification of affected clients.
- Digital Operational Resilience Testing – Financial entities will be expected to build a robust testing regime, designed to ‘identify weaknesses, deficiencies and gaps’ within their digital operational resilience. This includes the testing of ICT tools and systems using a risk-based approach, considering both the broader and localised risk landscape. These tests must be undertaken by internal or external independent parties, and any issues found as a result must be remedied following identification. The regulation goes on to specify a requirement for some entities to conduct Threat Led Penetration Testing (TLTP) of their ICT tools and systems.
- Managing of ICT Third-Party Risk - This is one of the more extensive chapters of the legislation and outlines how the management of third-party risk should be integrated into risk-management frameworks. DORA notes in Article 28 (5) that ‘financial entities may only enter into contractual arrangements with ICT third-part service providers that comply with appropriate information security standards’. The regulation’s focus on supply-chain risk goes as far as to outline key contractual provisions, circumstances for contractual termination, and even establishes an Oversight Forum with dedicated supervisory powers for critical third-party providers.
Who it will affect
|Credit Institutions||Management Companies|
|Payment Institutions||Data Reporting Service Providers|
|Account Information Service Providers||Insurance and Reinsurance Undertakings|
|Institutions for Occupational Retirement Provision||Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries|
|Investment Firms||Electronic Money Institutions|
|Crypto-Asset Service Providers||Credit Rating Agencies|
|Central Securities Depositories||Administrators of Critical Benchmarks|
|Central Counterparties||Crowdfunding Service Providers|
|Trading Venues||Securitisation Repositories|
|Trade Repositories||ICT Third-Party Service Providers|
|Managers of Alternative Investment Funds|
It is important to note that DORA is not just a one-off compliance exercise, but an ongoing obligation that for some may require a fundamental overhaul of current processes. The adoption of robust digital operational resilience frameworks necessitates C-suite-level investment and board-level sponsorship of integrated risk approaches across the organisation. Increased EU supervisory activities will necessitate a solid foundation in risk management, encouraging a divergence from reactionary practices driven by breaches and compliance.
While the controls we operate for cybersecurity must be applied, DORA (like many of its global cousins) helps to highlight the need to take security seriously and to turn the conversation from ‘what’s the cost of security’ to ‘what’s the cost of failing to secure’.