DORA: Cybersecurity and Risk within the Financial Sector

Software, Media & Technology

We live in the information age – an age defined by the creating, sharing, and storing of data. This has, of course, endowed the world with many benefits – not least the ability to quickly access information anywhere without the need for a physical copy – but in this information age it is becoming increasingly critical for businesses to take seriously the very real threat of malicious online parties. The Digital Operational Resilience Act (“DORA”) is a new piece of EU legislation that has been designed to combat exactly this threat. The regulation creates a legally binding IT risk management framework for companies in the member countries’ financial sectors to follow as they go about their operations.

So how will this affect your company? What’s in the legislation? And will we see something similar written into UK law?

What is DORA?

The aims of DORA are twofold: to fully address the IT risk present in the financial sector and to homogenise the patchwork of existing IT risk policies across EU member states. Whereas previous EU regulation failed to address all financial firms involved in the handling of data within the finance industry, with legislation more focused on firms having enough capital to offset operational risks, DORA will bring together a universal framework that applies to all financial entities, though with proportional implementation. Smaller entities will not be held to the same high standards as major institutions.

More than this, DORA will apply to those companies that traditionally have been untouched by such legislation. Third-party service providers to finance firms, such as cloud storage or data centres, as well as third-party information services such as credit rating or data analytics providers, will also be covered by the legislation and made to report regularly on their diligence in this area. The thought here is to leave no part of the information supply chain untouched, as these third parties can often be targets of cyberattacks due to their connections to, and storage of, enormous datasets.

While DORA has been officially adopted by the EU, the regulators responsible for its financial system – the European Supervisory Authorities (“ESAs”) – are still ironing out key details of the legislation. These are expected to be agreed sometime this year, with the scheme coming into effect starting January 2025. This gives companies just under one year to adapt to the change that’s coming – so what can we expect?

Scope and Requirements

DORA sets technical requirements for financial entities and IT providers in the following areas:

  • ICT Risk Management and Governance: entities must establish robust risk management frameworks, conduct continuous risk assessments, and implement stringent cybersecurity protection measures. Business continuity and disaster recovery plans are required, increasing preparedness for cyber risk scenarios.
  • Incident Reporting: covered entities must establish comprehensive systems for monitoring, classifying, and reporting ICT-related incidents to regulators and affected stakeholders.
  • Digital Operational Resilience Testing: regular testing of ICT systems is mandated to identify vulnerabilities and ensure operational resilience. Financial entities deemed critical must undergo threat-led penetration testing, aligning with industry frameworks like TIBER-EU.
  • Third-Party Risk Management: DORA extends to ICT providers servicing the financial sector, aiming to cover the third-party risk borne by financial institutions. Concrete contractual arrangements, dependency mapping, and oversight mechanisms will be pivotal in ensuring compliance.

Once January 2025 comes around and DORA is ready to be implemented, enforcement will become the task of designated regulators in each of its member states, known here as “competent authorities”. These authorities can require financial firms to take specified security measures and remedy known vulnerabilities. They will also have the power to impose both administrative and criminal penalties on entities that fail to comply fully, though the severity of these penalties will be decided by each member state individually.

Management’s Responsibility

Financial and IT entities affected by the new legislation will see their management teams becoming responsible for all DORA oversight and reporting. Business owners, leaders, and board members alike will be expected to outline all known risk management strategies, actively assist in executing them effectively, and stay up to date in their knowledge of the ICT risk landscape. These business leaders can be held personally responsible for compliance failures within their firms – so it will pay to brush up now, whether you trade with EU bodies or are simply trying to future-proof against potential copycat legislation here in the UK.

Closing Thoughts

In conclusion, DORA represents a firm statement of intention from the EU, and it’s likely other governmental bodies will be watching the results carefully. Financial entities and ICT providers must proactively navigate these regulations, making use of their new management frameworks and strategic partnerships to foster a secure and lasting ecosystem. As enforcement looms, compliance with DORA will not only mitigate regulatory risks but also bolster trust and stability in the financial sector, while presenting an opportunity for well-positioned consultancies to become experts in the field.

Will your business be affected by the new regulations? Or perhaps you trade with one that will? As always, if you have any questions about your business, don’t be a stranger – get in touch.

By Rebecca Garland on 02/02/2024