The Digital Operational Resilience Act (DORA) is new EU legislation which aims to achieve a high common level of digital operational resilience in the financial services sector across all Member States. It has broad geographic jurisdiction, applying both to firms that have offices in the EU, as well as those that provide services to a financial institution which provides services in the EU.
DORA applies to a wide range of financial entities, such as banks, insurers and investment firms, and also to their critical technology suppliers, bringing IT firms within the remit of financial regulators for the first time. The imperative for DORA is clear: to improve resilience against cyber attacks within a financial industry that is increasingly dependent on digital technology. As digital transformation takes hold, firms are increasingly vulnerable to failure in the event of a serious cyber attack - which would lead to problems not just for themselves but for the wider economic ecosystem too.
Alarmingly for many firms, time is running out to be compliant. In a DNB publication dated 31 October 2023, the DNB indicated that organisations need to now get started (1). DORA entered into force in January 2023 and must be applied by 17 January 2025, with significant penalties for compliance failures. Non-compliant third party IT service providers face potential fines of up to 1% of the business’s daily global turnover. These fines can be applied daily until firms reach compliance. Penalties for financial institutions are to be set by the individual territories in which they reside, and have the potential to be even larger. Reputational damage and erosion of customer trust could be even more costly.
The scope of DORA is exceptionally broad, and many firms will need to address a number of considerations in order to achieve compliance.
Firstly, a lot of firms do not possess the capabilities to comprehensively and systematically assess cyber incidents, as well as analyse their root cause. This is a problem because, under DORA, firms will have to set out how they are monitoring and managing the vulnerability of their IT assets on an ongoing basis. Remedying the shortfall between the two is not straightforward.
Secondly, they will need to address risk management. The risk management regime in DORA requires firms to have robust and resilient processes for managing their IT assets. But many organisations currently lack a clear view of what those assets include. Visibility of the endpoints in their systems has diminished over time as their networks have expanded and become more complex – and as staff have moved to remote working.
DORA introduces a new set of rules regarding the sharing of threat intelligence, requiring firms to notify the European Supervisory Authorities with the details of intelligence sharing arrangements within strict timeframes. Again, non-compliant firms could face financial penalties or regulatory action.
Finally, there is a requirement for firms to implement a testing programme that demonstrates their IT systems are operationally resilient. Under some circumstances, testing must be undertaken by an independent party for financial entities. In others, certain financial institutions must carry out advanced testing of their ICT tools, systems and processes at least every three years using threat-led penetration tests. This will be a challenge for many firms, as very few organisations have penetration testing programs that satisfy the breadth of testing required by DORA (which can often include testing of third-party IT service providers which service financial entities).
Given the work involved to achieve compliance, time is running out fast. Many firms will need to complete remedial work to close gaps, and move to cyber solutions that provide the level of functionality required by DORA. Financial services firms must also be confident in their third-party suppliers, as DORA places an onus on financial institutions to ensure their entire supply chain is compliant with the regulation.
Firms should start by conducting a comprehensive gap assessment that identifies areas which require further investment and maturity. Given that DORA is far-reaching and highly prescriptive, the biggest challenge for firms will be to work out what their requirements are, and how long it will take them to make the changes necessary to achieve compliance. Financial firms should also begin creating a detailed register of information on their IT-related third parties, which is required by DORA. This can be used to help identify areas of non-compliance throughout the supply chain, so decisions can be made on what to do next.
With just over one year to go, the time to act is now.
In a world that has become reliant on digital technology, most organisations’ current cyber security strategies are no longer enough to combat threats. Future-proof your business by understanding and mitigating cyber risks.
Everyone can be a target of cyber attacks, from large corporations and government institutions to small businesses and individuals. With the threat increasing, insurers have developed products for businesses to provide protection – in fact, cyber is one of the fastest growing lines of business for insurers.
Globally, we are more digitally connected than ever before. As technology develops, and firms accelerate adoption, there is a simultaneous escalation in the scale of cyber threats.
By digitally connecting organisations, individuals, as well as devices, mutual dependencies and vulnerabilities arise. You could speak of a digital ecosystem where the following applies: ‘The chain is only as strong as its weakest link’. Adequate management of security risks is increasingly becoming a prerequisite for being part of this digital ecosystem.
This website uses cookies.
Some of these cookies are necessary, while others help us analyse our traffic, serve advertising and deliver customised experiences for you.
For more information on the cookies we use, please refer to our Privacy Policy.
This website cannot function properly without these cookies.
Analytical cookies help us enhance our website by collecting information on its usage.
We use marketing cookies to increase the relevancy of our advertising campaigns.