Watch out, DORA is coming. Will it shake up the financial sector?

Will 2022 bring changes in the operational security of financial institutions, transferring the entire burden of responsibility to the management of organizations? All indications are that DORA (Digital Operational Resilience Act) – one of the regulatory initiatives announced on the occasion of the EU digital finance strategy published in September 2020 – is rapidly approaching us. The draft regulation provides for the creation of solid foundations for building a safe and stable financial sector in the EU, especially taking into account the latest trends in the development of companies and institutions in this field.

Who is affected by the DORA Regulation?

Simply put, DORA is directed at the financial sector. The regulation covers both the more classic representatives (banks, payment and credit institutions, insurance and investment companies or electronic money institutions) and less obvious entities: providers of crypto-asset services, information sharing, crowdfunding or securitization repositories.

While the main guidelines apply to all financial institutions, not all enterprises will be obliged to follow the rules to the same extent. The size and nature of the company or institution is important in this case – smaller entities have been assessed as less exposed to digital risk, so they will be required to fulfil some obligations arising from DORA to a lesser extent or not at all. Only the largest financial institutions will face the most complicated guidelines, including conducting complex risk analysis or advanced penetration tests.

What is “Digital Operational Resilience”?

The very title of the document contains the phrase: “REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on digital operational resilience of the financial sector […]”. But what exactly is this digital resilience? The regulation contains a precise definition:

“‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality;”

Source: REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014

In basic terms, it is about guaranteeing the continuity and quality of services provided by entities from the financial sector in the face of threats or disruptions related to the use of information and communication technologies. To simplify even further: if a financial institution, e.g. a bank, gives its clients the possibility of making mobile transfers via an application, it must also take full responsibility for the security of those transactions.

What is the main goal of DORA?

The COVID-19 pandemic has shown that the progressive digitization of the financial industry on the one hand is a necessity, and on the other, it carries a number of threats. New information and communication technologies (ICT) are exposed to digital disruptions and attacks, which can have particularly severe consequences in the financial sector. The main goal of the DORA regulation is to minimize risk, create effective defence mechanisms and strengthen supervision over providers of ICT services.

Until now, European markets have regulated the problem of network threats at the level of national regulations. Taking into account the scale and pace of change, this has turned out to be insufficient and sometimes even to obstruct operations – some national regulatory frameworks are internally contradictory. Inconsistent legal requirements hinder cooperation at the international level, delay action and expose financial institutions to increased costs associated with ensuring compliance with local law. Therefore, the task of DORA is also to improve and update the existing provisions on the management of ICT and related risks on a European scale.

Key aspects of the regulation

The EU regulation addresses four key guidelines for companies from the financial sector, including the biggest changes in the field of digital operational security policy:

  1. Risk management in the field of ICT
  2. Security incident reporting
  3. Operational resilience testing
  4. Relations with external providers of ICT services

DORA and the new role of the management board

From the point of view of companies and financial institutions, one of the most important changes introduced by DORA will be the principle of management’s responsibility for digital operational security. From the moment the new regulation comes into force, companies will be responsible not only for creating an appropriate financial reserve in the event of security incidents, but also for meeting strict guidelines, the implementation of which will have to be ensured by the management board.

Companies from the financial sector will be obliged to:

  • Create and maintain cyber-secure ICT systems;
  • Develop action plans and data security policy in the event of ICT disruptions;
  • Have properly trained employees in the field of ICT protection and security.

DORA and ICT service providers

The relationship between companies from the financial sector and ICT service providers is one of the largest and most carefully described changes that DORA will introduce in the coming years. The regulation obliges companies to monitor the risk related to the use of communication and information technologies within their company, including in the case when services or software have been provided by external entities.

This means that institutions from the financial sector using, e.g., external software development services will have to assess the security risk already at the stage of selecting the supplier and signing the contract, and then, throughout the entire period of cooperation, fulfil a number of obligations resulting from the regulation (e.g. informing the relevant supervisory authorities each year about which services and functions are supported by external providers and to what extent).

From the point of view of software houses that have so far cooperated closely with the financial industry – such as Altkom Software & Consulting, for example – knowing DORA regulations and assuring business partners that you are ready to operate in the new reality is a key task in the coming year. We have to show that we can still create safe and business-efficient systems and applications for them.

Good to know: Another interesting aspect of the DORA regulation is that it draws attention to the possibility of open exchange of information and intelligence on cyber threats between financial institutions. This is an opportunity to increase digital resilience, but the initiative itself will require appropriate approvals and additional legal regulations.

When does DORA come into effect?

Currently, work on the regulation is still ongoing. Talks are underway in the European Parliament and the EU Council, but there are indications that the final text will be published in the first quarter of 2022. Of course, this does not mean that all provisions will enter into force at the time DORA is published. Entities from the financial sector will receive from one year to one and a half years to adapt to the new requirements. However, changes are coming in the near future that will permanently change our approach to security management.

DORA will be a challenge not only for entities from the financial sector, but also for software and new technology suppliers. We are DORA-ready!