The Digital Operational Resilience Act (DORA) is a recently adopted regulation from the European Commission that aims to establish a comprehensive framework for the continuity, security and supplier risk management programs of financial institutions in the European Union (EU).
While DORA is an EU regulation, it is important to note that financial service providers (FSPs) engaging in the European marketplace are required to abide by it regardless of where they are based. As the UK remains one of the fundamental European financial hubs, DORA will be a crucial consideration for UK FSPs.
The Act covers topics related to operational resilience, including cybersecurity, incident management, resilience testing, data management, outsourcing, and governance requirements.
The goal is to ensure that financial institutions can withstand severe operational disruptions, such as cyberattacks, IT system failures, and third-party service provider outages, while maintaining the continuity of financial services. Although the EU published DORA in December 2022, the Act will only fully apply from 17 January 2025.
In this article, we investigate and provide a summary of what the Digital Operational Resilience Act will mean for business finance providers, their senior managers and operations, and what you should be doing now in preparation for day-one compliance.
Who will be impacted by DORA?
With a broad scope, the Act covers almost the entire financial sector and will apply to a range of "financial entities." While there will be limited exclusions for certain smaller entities, the Act will apply to credit institutions, investment firms, central securities depositories, central counterparties, insurance and reinsurance undertakings, insurance intermediaries, payment institutions, trading venues, benchmark administrators, fund management companies, electronic money institutions, crypto-asset service providers, issuers of asset-referenced tokens and crowdfunding service providers.
The most notable inclusion in DORA is that third-party Information and Communication Technology (ICT) service providers will also need to comply. Therefore, providers of services or technology used to transmit, process, store, create, display, share or exchange information electronically will need to adhere to the Act - this will include data centres, cloud platforms, data analytics, and software and service providers. However, the Act excludes providers of hardware components and undertakings authorised under Union law that provide electronic communication services to financial entities.
With banks and financial institutions embracing Cloud and Software as a Service, DORA will add another layer of due diligence on the suppliers of these services. This additional overhead may lead to some suppliers falling short of the required standards and lacking the capability to remedy their shortcomings, to the detriment of their customers.
Why does DORA matter to business finance?
- Enhancing cybersecurity: Cybersecurity is a key focus of DORA, and businesses must ensure their IT systems are secure and resilient against cyber threats. As expected, this will be critical to protecting sensitive financial data and ensuring the continuity of financial services in the EU.
- Improving incident management: The regulation requires finance providers – and their ICT providers – to have robust incident management processes in place to respond quickly and effectively. This will also help businesses recover from operational disruptions and continue providing financial services.
- Strengthening data management: DORA requires finance businesses to manage their data effectively to ensure data quality, integrity, availability, and confidentiality – a crucial aspect of maintaining accurate financial data and preventing data breaches.
- Management of third-party providers: DORA requires businesses to manage operational risks associated with outsourcing arrangements – integral to maintaining operational resilience when outsourcing crucial functions to third-party providers.
What are the key obligations under DORA for business finance providers?
- Mapping critical business services: Finance providers must identify and map their critical business services, including the IT systems and third-party providers that support them.
- Cybersecurity requirements: Finance providers will be required to ensure the security and resilience of their IT systems against cyber threats. They should look to implement appropriate security measures, incident reporting and management, and conduct regular cybersecurity testing.
- Risk and incident management: Finance providers need a comprehensive risk management framework and documented incident management processes to respond quickly and effectively to operational disruptions. These should also cover the assessment and management of risks arising from third-party service providers.
- Resilience testing: Finance providers are required to conduct regular resilience testing of their critical business services to evaluate how their software and systems will perform under stress. This includes testing their IT systems, third-party providers, and incident management processes.
- Incident reporting: DORA does require businesses – and their service providers – to report certain incidents to the relevant authorities. Additionally, they must grant access to relevant information and systems, including access to service providers’ premises, documentation, and staff. Furthermore, service providers must also give clients access to all relevant information and systems to enable them to comply with their reporting obligations.
- Data management requirements: Finance providers will be required to ensure the accuracy, integrity, and confidentiality of their data, including implementing appropriate data management policies and procedures.
- Outsourcing requirements: Finance providers will be responsible for managing the risks associated with outsourcing arrangements or third parties, including conducting due diligence, monitoring outsourced activities, and ensuring they comply with DORA requirements.
- Governance requirements: Financial entities will be required to have effective governance arrangements to ensure compliance with DORA, including appointing a senior executive responsible for operational resilience.
What can finance businesses do to prepare for DORA?
- Stay informed: Seeking legal counsel from carefully chosen law firms will be necessary but costly. However, subscribing to the newsletters of specialist law firms can be a low-effort but high-impact way of keeping yourself informed. While news and media outlets often provide almost immediate summaries, they frequently lack nuance. Monitoring the websites of regulatory bodies or governing agencies for changes affecting specific market niches can prove challenging; using a content change detection and notification service - like Google Alerts - can be particularly useful in this regard. Finally, highly relevant in-person and virtual events can be insightful ways to monitor regulatory changes and put questions to experts.
- Conduct a gap analysis: Evaluate your current operational resilience capabilities and identify gaps that need addressing to meet the DORA requirements.
- Enhance cybersecurity measures: Cybersecurity is a crucial focus of DORA, so it’s essential to ensure that your IT systems are secure and resilient against cyber threats.
- Establish effective incident management processes: DORA requires finance entities to have robust incident management processes to respond quickly and effectively to operational disruptions. Ensure your incident management processes are well-documented, tested and updated regularly.
- Implement a robust data management framework: Finance providers must manage their data effectively to ensure data quality, integrity, availability, and confidentiality. You may need to invest in data management tools and technologies to meet the requirements.
- Consider your service providers and outsourcing arrangements: As mentioned above, DORA requires finance providers to manage operational risks associated with third-party ICT service providers. Reviewing existing contracts – and making changes to ensure compliance with the DORA requirements – may be necessary. The information security accreditations of your technology partners may provide some comfort, but you will be responsible for ensuring that they - and their own service providers - meet a wider range of operational resilience standards, and you must ensure the appropriate contractual arrangements are in place to manage these risks.
In summary, finance providers will need to prove they are DORA compliant, which will require that they (and their ICT partners) take a more comprehensive and proactive approach to operational resilience – specifically, cybersecurity, incident management, data management, and the oversight of ICT providers.
By doing so, finance providers will be better prepared to manage risks and disruptions, protect sensitive financial data, and maintain the continuity of financial services in the EU.