article / 03 Apr 2023
Setterwalls’ Tech Regulatory News Series – DORA
What: The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation that aims to strengthen the resilience of the financial sector against cyber threats and ICT-related operational disruptions.
Who: DORA applies to a broad range of financial entities, including banks, investment firms, insurers and payment service providers. Notably, ICT third-party service providers designated as critical by the European Supervisory Authorities will also be subject to a dedicated oversight framework.
When: DORA entered into force on 16 January 2023 and applies from 17 January 2025, which means that companies affected by DORA now have just under two years to meet the requirements.
Actions: Some of the key actions that companies covered by DORA will need to undertake include:
- Conducting regular testing of ICT systems: Financial entities will be required to maintain a digital operational resilience testing programme and to test all ICT systems supporting critical or important functions at least once a year, covering scenarios such as cyberattacks and hardware failures. Financial entities identified by their competent authority must in addition carry out threat-led penetration testing (TLPT) at least every three years.
- Assessing cybersecurity risks: Financial institutions will be required to conduct regular cybersecurity risk assessments to identify potential threats to their IT systems and operations. The assessments should cover all areas of the company and should be updated regularly to reflect changes in the threat landscape.
- Implementing contingency plans: Financial institutions will be required to have contingency plans in place to address potential operational disruptions, including cyberattacks and other IT failures. The plans should include procedures for responding to incidents, restoring operations, and communicating with customers, regulators, and other stakeholders.
- Reporting ICT-related incidents: Financial entities will be required to report major ICT-related incidents to their competent authority through an initial notification, an intermediate report and a final report, describing the nature and scope of the incident, the systems and services affected, and the actions taken to mitigate the impact. Significant cyber threats may additionally be reported on a voluntary basis.
- Ensuring third-party resilience: Financial entities will be required to ensure that their ICT third-party service providers, including cloud providers and other IT vendors, are also equipped to deal with operational disruptions. This includes conducting due diligence before contracting, ensuring that contracts contain the provisions DORA prescribes (service level descriptions, audit and access rights, termination rights and exit strategies), maintaining a register of all ICT third-party arrangements, and monitoring provider performance regularly.
- Having a dedicated IT and cybersecurity governance framework: Financial institutions will need to establish and maintain a dedicated IT and cybersecurity governance framework. This framework should provide clear lines of responsibility, oversight and accountability for the company’s IT and cybersecurity operations, and ensure that appropriate resources are allocated for IT and cybersecurity functions.
Enforcement: Monetary penalties for financial entities have not yet been set at EU level. Member States will lay down rules on administrative penalties and remedial measures, and DORA also allows Member States to impose criminal penalties for non-compliance instead of administrative ones. Critical ICT third-party service providers face periodic penalty payments of up to 1% of their average daily worldwide turnover in the preceding business year, imposed on a daily basis until compliance is achieved, for a maximum of six months.
Do a Setterwalls DORA Gap Analysis and find out what your organisation needs to do to be compliant.