
Digital operational resilience and the DORA regulation 

This article explores in detail what the DORA regulation is, its implications for companies and supervisory authorities, and how it contributes to digital operational resilience. 

Table of contents 

  • Introduction to DORA 
  • The emergence of the DORA regulation 
  • Objectives of the DORA regulation 
  • Key requirements of the DORA regulation 
  • Implementation of the DORA regulation 
  • Implications for companies and supervisory authorities 
  • Scope of the DORA regulation 
  • Current status of the DORA regulation 
  • Application of the DORA regulation 
  • Requirements of the DORA regulation 
  • Information sharing 

Introduction to DORA 

The DORA (Digital Operational Resilience Act) regulation is a landmark in regulating digital operational resilience in Europe. This regulation was enacted to strengthen cyber security and ICT (information and communication technologies) risk management, aiming to protect financial systems and investment firms from cyber attacks and other digital threats.

The emergence of the DORA regulation 

The DORA regulation was developed in response to the growing threat of cyber attacks and the need for greater cyber security within the European Union. European supervisory authorities recognized the importance of a uniform regulatory framework for ICT risk management. This regulatory framework ensures that all member states adopt similar standards to protect their financial systems. 

Objectives of the DORA regulation 

The primary objective of the DORA regulation is to enhance the digital operational resilience of financial firms. This includes investment firms, insurance companies, and alternative investment funds. The regulation sets clear requirements for: 

  • ICT risk management 
  • Incident management 
  • Information sharing between various financial entities and supervisory authorities 

Key requirements of the DORA regulation 

The DORA regulation imposes several requirements that companies must meet to ensure digital operational resilience. These include: 

  • ICT risk management
    Companies must implement adequate policies and procedures for managing ICT risks. This includes continuous threat assessment and the implementation of effective mitigation measures. 

  • Operational resilience testing
    Companies are required to conduct regular tests to verify the resilience of their ICT systems. These tests must simulate various attack scenarios to identify and correct vulnerabilities. 

  • Incident management
    Companies must have an incident management plan in place to respond quickly and effectively to any cyber security incident. 

  • Information sharing
    The regulation promotes information sharing between companies and supervisory authorities to improve collective response to cyber threats. 

Implementation of the DORA regulation 

The DORA regulation sets technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems by January 17, 2025. Compliance with DORA requires companies to: 

  • Map their ICT systems 
  • Identify and classify critical functions and assets 
  • Document dependencies between resources, systems, processes, and providers 
  • Conduct continuous risk assessments on their ICT systems 
  • Document and classify cyber threats 
  • Adopt adequate cyber security measures, such as identity and access management policies and patch management 

Implications for companies and supervisory authorities 

Investment firms, insurance companies, and alternative investment funds must adapt to the new requirements imposed by the DORA regulation. This may involve significant investments in new technologies and staff training to ensure compliance. The European supervisory authorities, namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), will play a crucial role in monitoring compliance and supporting companies; they are also responsible for drafting the regulatory and implementing technical standards that the affected entities must implement. 

Scope of the DORA regulation 

The DORA regulation applies to all financial institutions in the EU. This includes traditional financial entities such as banks, investment firms, and credit institutions, as well as non-traditional entities like crypto-asset service providers and crowdfunding platforms. Notably, the DORA regulation also applies to some entities generally excluded from financial regulation.

Example:

Third-party service providers supplying financial firms with ICT systems and services, such as cloud service providers and data centers, must meet DORA requirements. 

Current status of the DORA regulation 

This regulation was first proposed in September 2020 by the European Commission, the EU’s executive branch responsible for legislative functions. It is part of a broader digital finance package that includes initiatives for cryptocurrency regulation and enhancing the EU’s overall digital finance strategy. The Council of the European Union and the European Parliament formally adopted the DORA regulation in November 2022. Financial entities and third-party ICT service providers have until January 17, 2025, to comply with DORA requirements before the regulation begins to apply. 

Application of the DORA regulation 

Once the standards are finalized and the January 2025 deadline is reached, enforcement will fall to designated regulatory authorities in each EU member state, known as “competent authorities.” These authorities can require financial entities to adopt specific security measures and correct vulnerabilities. They can also impose administrative and, in some cases, criminal sanctions on non-compliant entities. Each member state will decide the appropriate sanctions. 

Requirements of the DORA regulation 

The DORA regulation establishes technical requirements for financial entities and ICT providers in four areas: 

  • ICT risk management and governance
    The DORA regulation assigns the responsibility for ICT risk management to an entity’s management body. Board members, executives, and senior managers must define appropriate risk management strategies, actively contribute to their implementation, and stay updated on the ICT risk landscape. They can also be held personally liable for their entity’s non-compliance. 

  • Incident response and reporting
    Affected entities must establish systems to monitor, manage, record, classify, and report ICT incidents. Depending on the severity of the incident, entities may be required to report to both regulatory authorities and affected customers and partners. For critical incidents, three types of reports must be submitted: an initial notification report to the authorities, an interim progress report on resolving the incident, and a final report analyzing the root causes of the incident. 

  • Digital operational resilience testing
    Entities must regularly test their ICT systems to evaluate the strength of protections and identify vulnerabilities. The results of these tests and plans to address identified weaknesses will be communicated to and validated by the competent authorities. 

  • Third-party risk management
    A unique aspect of the DORA regulation is that it applies not only to financial entities but also to ICT providers serving the financial sector. Financial companies must play an active role in managing third-party ICT risk. When outsourcing critical or important functions, they must negotiate specific contractual terms covering, among other things, exit strategies, audit rights, and performance objectives for availability, integrity, and security. Entities are not allowed to enter into contractual agreements with ICT providers that cannot meet these requirements. 

Information sharing 

Financial entities are required to establish learning processes based on both internal and external ICT incidents. The DORA regulation encourages entities to participate in voluntary threat intelligence sharing agreements. All information shared in this manner must be protected according to relevant guidelines, such as personal identification information being subject to General Data Protection Regulation (GDPR) considerations. 


FAQ

  1. What is the DORA regulation? 
    The DORA regulation is a European regulation aimed at improving the digital operational resilience of financial firms through ICT risk management, incident management, and information sharing. 
  2. What are the main objectives of the DORA regulation? 
    The main objectives are to protect financial systems from cyber attacks, effectively manage ICT risks, and promote information sharing between companies and supervisory authorities. 
  3. Which companies are affected by the DORA regulation? 
    The DORA regulation applies to investment firms, insurance companies, and alternative investment funds within the European Union. 
  4. What does the DORA regulation require in terms of operational resilience testing? 
    Companies must conduct regular tests on their ICT systems to verify operational resilience and identify vulnerabilities that could be exploited during a cyber attack. 
  5. What is the role of European supervisory authorities in the context of the DORA regulation? 
    European supervisory authorities are responsible for monitoring compliance with the DORA regulation and supporting companies in improving their digital operational resilience. 
  6. How does the DORA regulation affect incident management? 
    The DORA regulation requires companies to have incident management plans that enable rapid and effective responses to any cyber security incident. 
  7. What are the main challenges in implementing the DORA regulation? 
    The main challenges include updating ICT systems, staff training, and close collaboration between various corporate departments to ensure compliance with the new requirements. 