What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act is a regulatory framework aimed at supporting the development of digital finance while minimising associated risks. The proposed regulation was first introduced by the European Commission in 2020, and we are expecting the legislation to come into full force in the first half of 2022.

The regulation aims to bolster the existing regulatory infrastructure for information and communications technology (ICT) and the risks that surround it. It serves to harmonise and consolidate existing, fractured EU instruments and create a consistent approach for financial services and regulators within the EU.

Features of DORA

There are five major branches of the DORA legislation:

  1. Operational resilience
  2. Risk management
  3. Centralised body for incident reporting
  4. Information sharing
  5. Third-party risk

Operational Resilience

DORA aims to establish an EU standard for security assessments and penetration testing across financial services. This is intended to reduce operational risk.

The overarching theme of this regulatory framework is to provide a clear foundation in financial services. This is due to the recent rise in cyber security attacks in the industry, which has also been mirrored elsewhere. The purpose of operational resilience is not to prevent cyber-attacks (as this would be impossible), but to mitigate the consequences and disruptions.

Risk Management

DORA has been introduced specifically to help financial services firms identify and mitigate risks. Firms will be required to create a risk management protocol, then carry out testing to ensure a completely uninterrupted workflow when threats occur.

The new legislation also acknowledges the importance of stakeholder communication. Therefore, stakeholders will be able to determine the risk tolerance at the firm, alongside approving recovery plans, for example. 

Centralised Body for Incident Reporting

DORA aims to combine the current incident reporting facilities into one EU-wide hub for digital finance. Standardising this process should allow EU financial entities to better monitor, describe and report cyber security threats and attacks, thus improving the response across the industry.

Information Sharing

Further to an industry-wide collaboration, DORA facilitates the exchange of information between competing firms and companies. Similar to how a central bank operates, resources can be combined in order to combat the newest developments in cyber security threats.

Third-Party Risk

Finally, each third-party service provider associated with financial institutions should evaluate whether they are deemed “critical third-party providers” (CTPPs). If so, these companies will also be required to implement an oversight framework in the case of cyber security breaches.

It is highly beneficial for third-party providers to fall under the same regulation as financial services firms since it will bring higher confidence in their services. This applies to legal matters, as well as a general increase in assurance across security and technology.

Who must comply?

Financial entities and those that work with specific ICT programs may fall under the DORA realm, in particular those firms that qualify as critical under the critical third-party provider (CTPP) regulations. If so, much of the current voluntary testing, such as threat-led penetration testing (TLPT), would become mandatory.

Any financial institution that falls under the European Commission may expect expenses to increase significantly as they begin to implement new monitoring, testing and reporting procedures. However, it’s important to note that the collaborative nature of any DORA requirement means that resources can be pooled together, and the entire industry will benefit from savings made against cybersecurity threats. Plus, DORA should lead to increased financial stability against any cyber threat.

Regulated firms or any ICT service provider should prepare for the changes that DORA will bring before the changes come into full force in 2022.


CUBE understands financial regulation for EU-based firms and provides automated regulatory intelligence – so you know what your regulatory obligations are now, and for the future.

