- Kateřina Kubíková
With the Digital Operational Resilience Act (DORA) comes new rules for financial institutions, but with them comes increased accountability for the senior management of these entities. The management will have a key and active role in managing information and communication technology (ICT) risk and the overall digital operational resilience strategy. What exactly does the new responsibility for senior management of financial institutions mean?
Which financial institutions will be affected by DORA?
Starting in January 2025 , the Regulation will bring new obligations for a wide range of financial institutions. For example, banks, cryptoasset service providers (which will be regulated by the Cryptoasset Markets Regulation), insurance companies, insurance intermediaries and central securities depositories will have to comply with the obligations. However, this is only a basic list of the more than 20 different types of financial entitiesthat will be subject to the obligations under DORA.
The Regulation also lists several exemptions. These include, for example, insurance intermediaries, reinsurance intermediaries or supplementary insurance intermediaries that are micro, small or medium-sized enterprises. The Regulation will also not apply to occupational pension institutions that operate pension plans with no more than 15 participants in total.
Top management responsibilities
The DORA regulation emphasises that senior management is responsible for setting and approving all measures related to the ICT risk management framework. The senior body must also be continuously involved in monitoring the monitoring of ICT risk management and has a duty to actively contribute to the overall digital operational resilience strategy.
The approach of senior management should go beyond simply ensuring the resilience of ICT systems. It should then also focus on the company's employees and processes through internal policies. Indeed, the aim is also to ensure strong cyber risk awareness for all employees of the financial entity.
Senior management has the responsibility for approval/acceptance:
- The company's digital operational resilience strategy.
- Policies on ICT service providers (or third-party ICT services).
- ICT risk tolerance levels.
- Policies on financial entity service continuity and disaster recovery plans.
- ICT internal audit plans.
Other responsibilities for senior management:
- Establish procedures and strategies to ensure that standards of data availability, trustworthiness, integrity and confidentiality are maintained.
- Establish clear roles and responsibilities for all ICT-related functions.
- Establish appropriate governance mechanisms to ensure effective and timely communication, collaboration and coordination of ICT functions.
- Allocate and regularly review adequate budget resources to cover digital operational resilience needs, including a budget to ensure cyber security awareness for all staff.
Training of senior management in cyber security
The DORA regulation does not forget about the education of senior management itself. Indeed, it provides for an active effort by members of the management body to acquire sufficient and up-to-date knowledge necessary to make informed assessments of ICT risks and their impact on the company's operations.
This training is not intended to be a formal matter but requires regular specific training that is relevant to the specific ICT risks in the company. In this way, DORA seeks to ensure that the governing body is always able to respond effectively to new cybersecurity challenges and threats.
