The DORA Regulation is a turning point for cybersecurity for companies operating in the financial services sector.
Following the publication of the NIS2 Directive, the Digital Operational Resilience Act (DORA) Regulation has been published in the Official Gazette of the European Union and is now in force. DORA has the ambitious goal of consolidating and harmonizing essential cybersecurity requirements for digital operational resilience in the financial sector at the European level. This includes banks, insurance companies, crypto asset service companies, financial institutions, and suppliers.
The DORA Regulation is an important part of a larger package of policy measures for fintech in the EU, which includes proposals for regulation on crypto-asset markets (MiCA) and distributed ledger technology (DLT). Its primary goal is to ensure that financial firms are able to withstand cyber-attacks and operational disruptions by implementing effective governance, cybersecurity, and ICT risk management and incident reporting measures. This will help to ensure the stability and resilience of the financial sector as a whole in the face of increasingly sophisticated cyber threats.
1. Goals, scope, and deadline for implementing the DORA Regulation
Why a regulation? Over the past decade, information and communication technology (ICT) has revolutionized the financial sector and gained a central role in its daily operations. However, this digital transformation has not been accompanied by adequate awareness and management of the cyber risks to which the sector is increasingly exposed. Cybersecurity provisions have so far remained scattered across different EU acts, not always consistent with each other and differentiated at the national level.
The growth and severity of cyber-attacks, the danger of systemic consequences, and the gaps in the existing regulatory framework led to the conception of the now-approved DORA Regulation, which aims to uniformly regulate “operational resilience” in the financial sector in the EU. The goal is thus to mandate the adoption of standardized cybersecurity requirements necessary to ensure that financial entities operating in Europe are positioned to prevent, resist and respond to cyber threats of which they may be targets. To this end, the DORA Regulation introduces a harmonized body of technical-organizational cybersecurity measures to enable and support digital finance’s innovative potential while mitigating technological innovation risks.
To whom does it apply? The scope of the DORA Regulation is vast and will impact almost everyone in the financial sector. Indeed, it will apply not only to “traditional” financial institutions (e.g., banks, investment firms, and insurance companies) but also to “new players” in the market, such as crypto-asset service companies and critical ICT service providers (e.g., cloud service providers). In addition, the approved DORA Regulation also applies to critical service providers to the companies mentioned above.
When will it be operational? Affected operators will benefit from a grace period of 24 months from the effective date of the DORA Regulation to implement all the technical and organizational steps necessary to comply with it.
2. The cybersecurity pillars of the approved DORA Regulation
The DORA Regulation can be summarized in the following main pillars:
(i) Governance and internal organization (Art. 5)
Financial entities must have an internal cybersecurity governance and control framework to manage all ICT risks effectively and prudently to achieve a high level of digital operational resilience. In particular, a defined set of tasks will need to be assigned to the management body of the financial institution, which remains primarily responsible for the overall management of ICT risks.
(ii) Risk management (Arts. 6-16)
Financial entities must have a robust, comprehensive, and well-documented cyber risk management framework as part of their overall risk management system. Among other things, operators will need to take care to:
- use resilient ICT tools and systems such that the impact of related risks is minimized;
- promptly identify all sources of risk and implement mechanisms that can detect abnormal activities; and
- adopt internal procedures and measures for protection and prevention.
The DORA Regulation introduces some simplifications for firms exempt from the enhanced obligations (e.g., small non-interconnected investment firms). Still, these exemptions do not exclude the implementation of basic ICT risk mapping and management measures.
(iii) Incident management and reporting (Arts. 17-23)
Numerous provisions have been introduced regarding the management of incidents related to ICT services. Financial entities will have to:
- provide for and implement business continuity policies and recovery plans for ICT-related disasters, for example as a consequence of a cyber attack;
- equip themselves with appropriate capabilities and personnel to detect vulnerabilities, threats, incidents, and cyber-attacks and assess the possible consequences on their digital operational resilience;
- provide communication plans to various stakeholders.
With regard to the reporting of such incidents, financial entities will need to establish and implement a management process to monitor and record ICT-related incidents, classify them and determine their impact, and, if an incident is deemed major, notify the relevant authorities through a report.
(iv) Third-party ICT service providers (Arts. 28-44)
To mitigate the risks arising from the dependence of financial entities on third-party service providers, specific supervisory powers are provided to financial supervisors.
Therefore, in addition to providing an EU-wide oversight framework for third-party providers of critical ICT services, key contractual aspects (contracting, execution, post-contractual phase) will be harmonized to ensure that financial companies monitor third-party cyber risks. In addition, to ensure adequate monitoring of technology service providers that perform a critical function for the operation of the financial sector, a “lead” oversight authority will be defined for each third-party provider of critical ICT services.
Thus, the DORA Regulation is also particularly onerous for providers of critical services to these companies.
3. Main implications for operators and next steps
It is important to keep in mind that, for the implementation of the above requirements, the approved DORA Regulation refers to the principle of proportionality (Art. 4). It thus follows a well-established logic found in many other regulations (foremost among them the GDPR): the onus is placed on the individual entity to assess, and to be able to demonstrate, the appropriate level of requirements to be implemented.
How to prepare for the DORA regulation?
It will be critical for all financial entities to take a proactive and informed approach by carrying out preparatory activities that will enable them to determine the actual impact of DORA on their organization and thus not be caught unprepared when it becomes applicable. Among these, in particular, it will be appropriate for practitioners to carry out the following:
- Gap analysis of the ICT risk management framework: review the internal governance structure and ICT risk and incident management measures already in place to check corporate awareness of the new regulatory framework and assess whether the resources, strategies, and response and remediation plans in place adequately address the regulatory requirements. If not, plans to update and adapt will need to be considered.
- Review of incident reporting mechanisms: assess the company’s reporting capabilities and responsiveness, and accordingly implement from scratch or adjust existing incident reporting procedures to ensure alignment with new regulatory requirements.
- Assessment of critical ICT service providers and renegotiation of the agreements with them: map contracts with third-party ICT providers, assess their criticality to business operations, review and document their vulnerabilities so that appropriate risk containment strategies can be planned, and renegotiate the agreements with them to make them compliant with the DORA Regulation.
In turn, ICT service providers will need to assess whether they fall into the category of providers defined as “critical” and, if so, analyze the actions to be taken to meet the new supervision requirements set by the European Supervisory Authorities (EBA, EIOPA, ESMA).
Finally, it will be important for all market participants to monitor the positions and directions that the European Supervisory Authorities will adopt, including, in particular, the definition of the criteria under which certain companies will be required to perform so-called “threat led penetration tests” at least once every three years.
It is likely that several organizations will have to manage concurrently the activities necessary to comply with obligations under the NIS Directive, the DORA Regulation, and the Cyber Resilience Act, along with the activities necessary to comply with local cybersecurity perimeter regulations. To this end, proper planning will be critical to avoid wasting resources or performing superficial activities that do not ensure compliance.
The timing of the DORA Regulation
The DORA Regulation will become binding as of January 17, 2025, but in the meantime the legal framework will need to be supplemented by regulatory technical standards to be developed by ESMA and finalized by early 2024 at the latest. The timeline may seem long, but for complex organizations it is likely to prove decidedly tight.
On this topic, the following article may also be of interest: “The NIS2 Directive approved – cybersecurity news for more and more companies”.
Authors: Maria Chiari Meneghetti and Giorgia Carneri