The complexities of the digital age and our increasing reliance upon interconnected ICT systems necessitate a robust approach to risk. This is especially true for the Financial Services sector, where global fiscal systems now depend heavily upon digital tools for their basic daily operations.
These digital tools have facilitated an intricate web of cross-border networks; no longer impeded by geographical boundaries, our transactions are now made with much greater speed and accuracy. But as with any system, increased complexity means increased vulnerability, and an ever-expanding threat landscape to get to grips with.
Recognising this, the European Union has introduced new legislation specifically for Europe’s Financial Services Sector: The Digital Operational Resilience Act, a.k.a. DORA.
What is DORA?
DORA is a regulatory framework, implemented with the purpose of consolidating and upgrading existing EU legislation on digital operational resilience within the finance sector. It was introduced by the EU in December of 2022, but will come into force officially on the 17th of January 2025.
Much like the already introduced NIS 2 legislation, DORA aims to enforce a minimum viable level of cyber security and digital operational resilience across all in-scope entities, combatting any 'weak links' across the Union's financial services sector that could be exploited by malicious actors.
Each EU member state is expected to implement their own legislation in response to this directive, meaning there may be regional variations in the specificities of the regulation. The requirements laid out by DORA at the Union level, though, do provide us with an idea of what to expect overall. Industry best practice is laid out in a holistic manner, encompassing areas such as risk management, third-party risk, incident management, reporting requirements, and testing structures.
In terms of penalties in case of non-compliance, DORA outlines two sets of penalties – those for the financial entities themselves, and those for the ICT third-party service providers.
Why is it needed?
Like many sectors, financial services have observed a transition towards heavy reliance on ICT and digital technologies for the running of day-to-day operations.
The criticality of these applications varies, but in many cases, they are responsible for keeping our international economic, banking, and data reporting structures afloat. With so much of our financial systems now relying on these technologies, the risk profile of the entities involved has rapidly expanded. The interconnectivity of financial systems in the EU means a breach in one area may have a significant knock-on effect for the rest of the sector, resulting in widespread disruption and market strain. DORA's role is to provide a practical and security-driven framework that serves to mitigate the risk posed to these critical systems, in turn strengthening the Union's operational resilience in the face of breaches, threat actors, and digital disruption.
What you need to know
DORA outlines requirements in several key areas, taking into consideration the whole IT risk management lifecycle. We've pulled out a few key points below:
It is also worth noting that the four overarching DORA requirements outlined above do constitute industry best practice, and as such are also outlined in many similar legislative obligations introduced by other nations, for example the SEC/FTC cyber security updates in the United States.
Who it will affect
Legislators have outlined clearly within DORA the kinds of institutions within scope of the legislative obligations. While there are a few noted exceptions to these categories, the in-scope entities are as follows:
Credit Institutions
Payment Institutions
Account Information Service Providers
Institutions for Occupational Retirement Provision
Investment Firms
Crypto-Asset Service Providers
Central Securities Depositories
Central Counterparties
Trading Venues
Trade Repositories
Managers of Alternative Investment Funds
Management Companies
Data Reporting Service Providers
Insurance and Reinsurance Undertakings
Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries
Electronic Money Institutions
Credit Rating Agencies
Administrators of Critical Benchmarks
Crowdfunding Service Providers
Securitisation Repositories
ICT Third-Party Service Providers
Conclusion
It is important to note that DORA is not just a one-off compliance exercise, but an ongoing obligation that for some may require a fundamental overhaul of current processes. The adoption of robust digital operational resilience frameworks necessitates C-suite-level investment and board-level sponsorship of integrated risk approaches across the organisation. Increased EU supervisory activities will necessitate a solid foundation in risk management, encouraging a divergence from reactionary practices driven by breaches and compliance.
While the controls we operate for cybersecurity must be applied, DORA (like many of its global cousins) helps to highlight the need to take security seriously and to turn the conversation from ‘what’s the cost of security’ to ‘what’s the cost of failing to secure’.