Are you ready for DORA?
Tick tock. The clock is ticking for compliance to the European Union’s Digital Operational Resilience Act (DORA), which will go into full effect by the end of this year.
At that stage, financial services firms will have less than 24 months to comply. What is DORA? In recent years widespread system outages and cyber threats, along with the effects of the pandemic, have put operational resilience at the top of the priority list for financial regulators, and the EU is no exception.
Enter DORA - a significant regulatory development for financial services (FS) that aims to harmonise digital resilience throughout the EU. It introduces requirements on information and communications technology (ICT) risk management and incident reporting.
Once the new regulations come into force, EU financial firms will be expected to comply with new rules in the following five key areas:
1. Digital operational resilience
DORA will establish harmonised EU-standards for digital operational resilience testing. The testing requirements will include vulnerability and network security assessments, gap analysis and software solutions testing, as well as scenario-based testing, performance testing and penetration testing.
2. Risk management
Under the new rules, financial services firms will be expected to establish and maintain resilient ICT systems and tools that are equipped to identify and mitigate ICT risks consistently and reliably. They will also be required to put in place comprehensive business continuity policies and disaster recovery plans.
3. ICT incident reporting and management
Financial firms will be required to implement management systems to monitor, describe, and report any major ICT-based incidents to the relevant authorities. This new, standardised approach is likely to result in the creation of a new, centralised EU body to oversee and facilitate incident reporting and management.
4. Information sharing
Building on existing regulations, DORA will encourage financial firms to share cybersecurity information and intelligence with firms in other member states, to reduce the impact of cyber threats in financial services and strengthen response and recovery capabilities in the European financial sector as a whole.
5. Third-party risk management
Third-party ICT providers, including cloud service suppliers, will regulated by one of the European Supervisory Authorities (ESAs), which will be empowered to request information, issue recommendations and requests, conduct inspections and even impose penalties for non-compliance with the new EU risk management and operational resilience regulations.
Financial services firms will also be required to assess and document any potential risk associated with their third-party ICT service providers and will be responsible for ensuring their contracts with such firms specify their regulatory obligations under the new legislation.
DORA marks a new chapter for EU institutions, bringing them closer to the requirements set out by UK regulatory bodies to bolster operational resilience in the financial services sector.
Read our whitepaper to learn more about the upcoming regulation changes and the growing importance of operational resilience in other regions.