Digital Operational Resilience Act (DORA) is a pioneering legislative framework designed to boost the digital operational resilience across the EU’s financial sector. Its aim is straightforward yet ambitious: to ensure that financial institutions throughout the EU have robust digital defenses in place, capable of withstanding, managing, and recovering from any ICT (Information and Communication Technology) disruptions or threats. 

DORA came into force in January 2023 and will become enforceable 24 months later, which means that entities are expected to be compliant with its provisions by January 2025. This act represents a significant step toward a safer, more reliable financial environment in the digital realm.

Understanding DORA: Purpose and Scope

DORA has two main objectives:

Strengthening the ICT Risk Management Framework Across the Financial Sector

DORA aims to establish a unified and comprehensive ICT risk management framework applicable to all entities within the financial sector. This includes banks, insurance companies, investment firms, and critical third-party service providers like cloud computing companies. 

The objective is to ensure that these entities have robust policies, procedures, and mechanisms in place to effectively identify, protect against, detect, respond to, and recover from ICT-related incidents and risks. By standardizing the approach to managing digital risks, with DORA the EU seeks to improve the overall resilience and security of the financial system against cyber-attacks, data breaches, and other digital threats.

Creating a Harmonized and Integrated Framework for Digital Operational Resilience Testing, Reporting, and Information Sharing

The second main objective of DORA is to harmonize and integrate practices related to digital operational resilience testing, incident reporting, and information sharing across the financial sector. This involves establishing consistent requirements for entities to regularly test their digital operations and systems for vulnerabilities and to share information about cyber threats and incidents, both with regulatory authorities and within the financial industry. 

The aim is to create a culture of transparency and cooperation that enhances the collective ability of the sector to anticipate, withstand, and recover from digital disruptions. This objective also includes ensuring that financial entities within the EU can manage the risks associated with their reliance on third-party ICT service providers through effective oversight and risk management practices.

The Digital Operational Resilience Act (DORA) encompasses a wide-ranging scope within the European Union’s financial sector, targeting 20 different entities including:

• Banks
• Insurance companies
• Investment firms
• Payment and electronic money institutions
• Crypto-asset service providers
• Critical infrastructures such:
  • Central securities depositories
  • Trading venues
  • Central counterparties. 

It also extends to critical third-party ICT service providers, notably cloud services and IT outsourcing, emphasizing the need for robust digital operational resilience. 

Key Components of DORA

DORA is built around several key pillars designed to enhance the digital operational resilience of financial entities. 

These are the foundational pillars of DORA:

• ICT Risk Management Requirements

This pillar mandates financial entities to establish and maintain robust ICT risk management frameworks. These frameworks should cover the identification, protection, detection, response, and recovery from ICT-related incidents, including cyber threats. It emphasizes the importance of continuously assessing and updating risk management measures to address evolving digital risks.

• Incident Reporting Mechanism

DORA requires the establishment of mechanisms for financial entities to promptly detect and report significant cyber incidents to relevant authorities. This ensures a timely and coordinated response to cyber threats, minimizing their potential impact on financial stability and consumer trust. The standardized reporting framework facilitates a collective understanding and management of ICT risks across the financial sector.

• Digital Operational Resilience Testing

Financial entities are expected to regularly test their digital systems and processes to assess their resilience to cyberattacks and other ICT disruptions such as conducting vulnerability assessments, penetration testing, and scenario-based exercises. DORA aims for these tests to be rigorous and comprehensive, involving all critical systems and processes to ensure they can withstand and recover from operational shocks.

• Third-Party Risk Management

Recognizing the increasing reliance on third-party ICT service providers, including cloud computing services, DORA emphasizes the need for stringent management of third-party risks. Financial entities are required to ensure that their third-party providers adhere to the same high standards of operational resilience. This includes conducting due diligence, monitoring performance, and ensuring contractual agreements include provisions for compliance with DORA requirements.

• Information and Intelligence Sharing

This pillar encourages financial entities to share information and intelligence on cyber threats, vulnerabilities, and incidents. By fostering a culture of collaboration and information exchange, DORA aims to enhance the collective ability of the financial sector to identify, respond to, and mitigate ICT risks. This sharing should occur within a secure and trusted environment to protect sensitive information.

• Supervisory Measures and Tools

DORA provides authorities with a set of supervisory measures and tools to oversee the digital operational resilience of financial entities. This encompasses the ability to request information, conduct investigations, and enforce compliance with the Act’s requirements. Supervisory authorities are also tasked with promoting awareness and understanding of ICT risk management best practices among financial entities.

• Concentration Risk

A specific focus on concentration risk aims to address the potential systemic risks arising from the financial sector’s reliance on a limited number of ICT service providers. This involves monitoring and assessing the impact of such concentration on the sector’s overall operational resilience and taking measures to mitigate any identified risks.

The Impact of DORA

The implementation of DORA is expected to have a profound impact on the financial sector in the EU. By establishing a harmonized and robust regulatory framework, DORA not only enhances the digital operational resilience of individual entities but also bolsters the stability and integrity of the financial system as a whole. Financial institutions will benefit from clearer guidelines and best practices, while consumers and investors will enjoy greater confidence in the digital resilience of financial services.

Challenges and Opportunities

While DORA presents a formidable challenge in terms of compliance, it also offers significant opportunities for the financial sector. By adopting a unified regulatory approach to digital resilience, financial institutions can benefit from reduced complexity and greater clarity in their cybersecurity efforts. Furthermore, DORA’s push for standardized incident reporting and information sharing can enhance the sector’s ability to anticipate, respond to, and recover from cyber incidents more effectively.

Additionally, DORA may serve as a catalyst for innovation within the financial sector. As institutions upgrade their ICT systems and processes to comply with the new regulations, they can also explore new technologies and approaches to enhance their services and competitive advantage.

In conclusion, the Digital Operational Resilience Act represents a significant step forward in the EU’s efforts to safeguard its financial sector from digital threats. By mandating comprehensive risk management practices, incident reporting, resilience testing, and third-party risk management, DORA aims to ensure that the financial sector remains robust, reliable, and resilient in the face of an ever-evolving digital landscape.

How Can PECB Help?

Recognizing the critical importance of DORA’s objectives to enhance ICT risk management and operational resilience in the financial sector, PECB is preparing to launch the DORA training course. 

This comprehensive training course will cover all key aspects of the legislation, offering in-depth insights, practical applications through case studies, and interactive learning experiences led by industry experts. Designed to equip participants with a thorough understanding of DORA’s requirements and effective compliance strategies, the training course also aims to prepare individuals for the PECB certification, marking their expertise in managing digital operational resilience.

STAY TUNED!

About the Author

Vlerë Hyseni is the Digital Content Specialist at PECB. She is in charge of doing research, creating, and developing digital content for a variety of industries. If you have any questions, please do not hesitate to contact her at: content@pecb.com.