Digital Operational Resilience Act (DORA) for financial services

In today’s digital era we can no longer imagine a world without information- and communication technology (ICT). Be it in everyday life or in a business environment, ICT is ubiquitous. Exchange of information, trade transactions, business activities… all facilitated by ICT. It is safe to say that ICT has become a key pillar of our economy and an indispensable factor in various key sectors, including financial services.

The digital transformation within the financial sector in recent years brings an unprecedented use of and reliance on ICT services. From various software solutions to data-related services, the digital opportunities for financial entities these days are numerous. This digitization, however, results in a European financial ecosystem that is becoming increasingly and intrinsically co-dependent on different ICT services provided by third-party ICT service suppliers. A deepened interconnectivity and dependency between the financial players, third-party infrastructure, and service providers eventually also means an increased vulnerability to ICT and operational disruptions, data loss, or cyber threats in the financial system. Therefore, mitigating the risk of ICT dependency and incorporating a solid digital resilience into the operational framework is today all the more important. A disruption in financial services could not only affect other businesses in other sectors but ultimately the entire economy.

This is where the Digital Operational Resilience Act (DORA) comes into play.

Scope of the Digital Operational Resilience Act (DORA)

DORA is a set of uniform requirements concerning the security of networks and information systems that support the business processes of financial entities. The ultimate goal is to achieve a high common level of digital operational resilience.

The requirements apply to:

  1. Financial entities in relation to Information and Communication Technology (ICT) Risk Management: A set of principles and requirements is needed to set up a reliable ICT risk management framework. Financial entities should follow the same approach and same principle-based rules when addressing ICT risk. Harmonization of key digital operational resilience requirements is required.
  2. ICT-related Incident Management, Classification, and Reporting: Not only a strong ICT risk management, but also specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents need to be in place in order to maintain control over ICT risk.
  3. Digital Operational Resilience Testing: Policies should be in place for testing ICT systems, controls, and processes.
  4. Measures for the sound management of ICT third-party risk: A set of principle-based rules in order to ensure a sound monitoring of ICT third-party risk.
  5. Information and intelligence sharing in relation to cyber threats and vulnerabilities: Cyber threat information and intelligence can be exchanged between financial entities :
  • contracts between financial entities and ICT third party service providers
  • rules for establishing and conducting an oversight framework for critical third party service providers
  • rules on co-operation, supervision and enforcement by competent authorities in relation to all matters covered by the regulation

 

DORA applies to following entities:

credit institutions management companies

 

payment institutions data reporting service providers

 

account information service providers insurance and reinsurance undertakings

 

electronic money institutions insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries

 

investment firms institutions for occupational retirement provision

 

crypto-asset service providers (as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets) and issuers of asset-referenced tokens credit rating agencies

 

central securities depositories administrators of critical benchmarks

 

central counterparties crowdfunding service providers

 

trading venues securitisation repositories

 

trade repositories

 

ICT third-party service providers

 

managers of alternative investment funds

 

By Harmonizing Operational Resilience Rules

By harmonizing the rules related to operational resilience and applicable to more than 20 different financial entities and ICT third-party service providers, DORA aims to enhance the IT security of financial services, ensuring the European financial sector remains resilient in case of significant operational disruptions. The Digital Operational Resilience Act entered into force on 16 January 2023 and will apply as of 17 January 2025.

(Based on the Official Journal of the European Union: REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011)

An article by, Evy Slaets – Manager at DynaFin.