What is DORA? 


At a time when cyber threats to the financial sector are growing, DORA is arriving: a regulation designed to change how financial institutions manage digital risk in particular.

The Digital Operational Resilience Act, or DORA, is a binding and comprehensive framework for managing primarily digital risks in the financial sector.

It entered into force at the beginning of 2023, and entities will have to comply with it from 17 January 2025.

Who is affected by DORA? 

A wide range of financial institutions, such as banks, investment firms, insurance companies and crypto-asset service providers, will have to comply with the uniform rules. However, the regulation will also significantly affect their information technology service providers, such as cloud service providers and software developers.

More than 22,000 financial entities in the EU are expected to be involved.

Which financial institutions will be affected by DORA?  

The Regulation will bring new obligations for a wide range of financial institutions from January 2025: for example, banks, providers of crypto-related services (which will be regulated by the Crypto Markets Regulation), insurance companies, insurance intermediaries and central securities depositories. However, this is only a basic list of the more than 20 different types of financial entities that will be subject to the obligations under DORA.

The Regulation also provides for several exceptions. These include, for example, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries that are micro, small or medium-sized enterprises. The Regulation will also not apply to occupational pension institutions that operate pension plans with no more than 15 participants in total.

What obligations does DORA impose? 

DORA also introduces new and more stringent requirements for digital operational resilience testing, and it sets requirements for the contracts that financial entities conclude with their suppliers. This is only a small selection of the obligations set out in DORA.

Increased accountability of the management of financial institutions 

DORA also brings increased accountability for the senior management of these entities. They will play a key and active role in managing information and communications technology (ICT) risk and the overall digital operational resilience strategy. What exactly does the new responsibility for senior management of financial institutions mean?  

Senior management responsibilities 

The DORA regulation emphasises that senior management is responsible for setting and approving all measures related to the ICT risk management framework. Senior management must also be continuously involved in monitoring ICT risk management and has a duty to actively contribute to the overall digital operational resilience strategy.

The approach of senior management should go beyond simply ensuring the resilience of ICT systems. It should also address the company's employees and processes through internal policies, since the aim is to ensure strong cyber risk awareness among all employees of the financial entity.

Senior management has the responsibility for approval/acceptance:

More duties of senior management:

Training of senior management in cyber security

The DORA regulation does not forget about the education of senior management itself. Indeed, it provides for an active effort by members of the management body to acquire sufficient and up-to-date knowledge necessary to make informed assessments of ICT risks and their impact on the company's operations.

This training is not intended to be a formal matter, but requires regular specific training that is relevant to the specific ICT risks in the company. In this way, DORA seeks to ensure that the governing body is always able to respond effectively to new cybersecurity challenges and threats.

DORA vs NIS2

What if DORA and NIS2 regulate the same obligation?

DORA imposes new obligations on financial institutions and their suppliers. However, it is not the only EU legislation in the field of cyber security. Cybersecurity, and not only for financial markets, is also addressed by the directive known as NIS2. NIS2 will be transposed into the Czech legal system by the forthcoming new Act on Cyber Security and its implementing decrees, which also regulate other so-called regulated services (e.g. in the energy or food industry). Where the obligations conflict, DORA will prevail for financial institutions.

2024 will bring additions to DORA

In 2024, the European Supervisory Authorities will submit draft implementing acts to the European Commission. These will provide technical specifications and guidance on how to put the DORA requirements into practice in concrete terms. For example, they will specify how to assess the amount of loss caused by an incident, and what the rules will be for overseeing suppliers and subcontractors that support critical or important functions. There should be 13 of these implementing acts in total.

Get ready

We can help you to prepare your company for the new DORA regulation
