Article | 23 Nov 2023

Unraveling DORA: Cyber Resilience Requirements in Digital Finance

Responsive image

In the fast-moving and ever-evolving world of digital finance; data protection and cybersecurity are not merely buzzwords, but fundamental prerequisites for operational success. The European Union (“EU”) recognizes this reality, and the Digital Operational Resilience Act (“DORA”) is an EU regulatory response that came into force in January 2023. Designed specifically to address the unique needs and challenges of the financial sector, DORA has the potential to reshape the cybersecurity landscape for financial institutions across Europe. In this article, we unravel the key aspects of DORA, its implications, and how it may revolutionize data protection and operational resilience within the financial industry.

 

The Essence of DORA for Finance

DORA is part of the EU’s sweeping initiative to modernize the regulatory framework for the digital sector, with a primary focus on financial institutions. Here are the core objectives that DORA aims to accomplish:

Fortifying Operational Resilience: In a financial world driven by digital technologies, resilience is paramount. DORA seeks to empower financial institutions to withstand cyber-attacks and operational disruptions, ensuring business continuity and safeguarding financial services. DORA necessitates the implementation of robust risk management and incident response frameworks. Financial institutions will be required to conduct thorough risk assessments, take preventive measures, and establish efficient protocols for responding to cyber incidents.

Streamlining Reporting: Financial entities often deal with complex reporting obligations in the event of cyber incidents. DORA promises to streamline this process, making it more consistent and easier to navigate for financial firms. This minimizes operational disruptions and facilitates more effective regulatory oversight.

Empowering Oversight: DORA grants supervisory authorities increased authority to both set and monitor cybersecurity standards for financial institutions. This represents a pivotal shift towards a more controlled and secure financial ecosystem.

Data Protection: Data is the lifeblood of the financial industry. DORA takes data protection seriously, ensuring that financial institutions comply with the highest standards to secure client data and maintain GDPR compliance.

Key Provisions Tailored for Finance

DORA includes provisions tailored specifically for financial institutions, making it a comprehensive and industry-specific regulatory instrument. Recognizing the unique challenges of the financial industry, DORA encompasses a broad range of financial entities, including banks, insurance companies, payment service providers, and trading platforms.

In order to achieve a high level of common digital operational resilience, DORA lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities as follows:

  • requirements applicable to financial entities in relation to:
    • information and communication technology (ICT) risk management;
    • reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the authorities;
    • reporting of major operational or security payment-related incidents to the authorities (applies to credit institutions, payments institutions, account information service providers and electronic money institutions);
    • digital operational resilience testing – including testing in cooperation with critical service providers to the entity;
    • information and intelligence sharing in relation to cyber threats and vulnerabilities;
    • measures for the sound management of ICT third-party risk;
  • requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;
  • rules for the establishment and conduct of an “Oversight Framework” which will, e.g., develop technical standards and supervise and scrutinize critical ICT third-party service providers when providing services to financial entities;
  • rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by DORA. DORA also introduces substantial penalties for non-compliance with its provisions.
Anticipated Impact on Financial Institutions

For financial institutions, DORA holds immense significance. It promises to create a more secure and resilient operating environment, thereby enhancing customer trust, preserving sensitive financial data, and reducing operational risks. The legislation’s ripple effects are also expected to resonate globally, influencing cybersecurity and data protection standards beyond the EU’s borders.

Furthermore, financial institutions operating in the EU or looking to access the EU market will need to adhere to DORA’s requirements. This could drive global harmonization of cybersecurity practices, potentially increasing efficiency and reducing compliance complexities for international financial players.

Conclusion

DORA is not merely a regulatory framework; it’s a fundamental shift in how cybersecurity and data protection are approached by the financial sector. By focusing on operational resilience, streamlined reporting, oversight, and data protection, DORA is set to elevate cybersecurity standards for financial institutions across Europe. For those in the financial sector, DORA represents an opportunity to embrace a new era of cyber resilience and data protection, ensuring not just compliance, but also safeguarding the reputation and trustworthiness of financial services. In an industry where data is everything, DORA is a milestone in shaping the future of cybersecurity and data protection.

DORA comes into effect in January 2025, and entities under its scope are recommended to start implementing measures for compliance. Considering that the authorities are issuing complementary guidelines (e.g., regulatory technical standards (RTS) and implementing technical standards (ITS)), we advise entities under its scope to conduct continuous gap-analyses in order to assess and implement all relevant measures needed for complete DORA compliance.

Contact:

Practice areas:

FinTech

  • This field is for validation purposes and should be left unchanged.

Do you want to get in touch with us?

Please fill out the form and we will contact you as soon as possible.