DORA: How the “Digital Operational Resilience Act” should protect the EU financial world from cyber attacks

FINEXITY · 4 minutes read · October 13, 2023

The topic of “security” has gained massively in importance in Europe in recent years. This includes measures to protect the population and defense, as well as to ward off cyber attacks. At the end of 2022, the EU therefore adopted a regulation called DORA, which is intended to make finance in Europe as “immune” as possible to serious business interruptions. But what is behind the four letters that are intended to protect us from the potentially risky aspects of digitizing the financial sector?

What is the DORA?

Until a few decades ago, banking and insurance transactions were primarily carried out physically — in branches, with an agent or consultant. Today, in the age of banking apps, trading platforms and fintechs, many processes are digitized, centralized and stored in the cloud. Digitalization, of course, offers enormous gains in efficiency and convenience. But it also means that financial market participants, who store and process particularly sensitive data, could become victims of cyber attacks. Companies and supervisory authorities recognise this and have focused preventive measures heavily on risks from information and communication technologies (ICT).

In this context, the current study “Paradigm Shift in Risk Strategy” investigated how well banks see themselves prepared for the challenges ahead. The result: ICT risks will play a very large role in the risk profile of financial institutions in the coming years, with 78 percent seeing them as a key challenge.

Banks themselves expect a significant increase in cybercrime; 56 percent expect a cyber attack in the next 24 months. Regulatory authorities are also increasingly focusing on ICT risks and are responding with a series of regulations, including IT infrastructure, IT data protection and outsourcing/third-party risks. In addition, the consequences of an attack or disruption in important, cross-border financial services can have far-reaching effects on other companies, sub-sectors or even the entire economic area.

Regulation for financial companies

That is why, on 27.12.2022, the EU adopted Regulation 2022/2254 on “Digital Operational Resilience for the Financial Sector and Amending Regulations”. In German, DORA means “Regulation on Digital Operational Resilience in the Financial Sector.” The regulatory framework is intended to contribute to Europe's digital transformation and security by harmonising regulations for financial market participants in the EU. The aim of the regulation is that all financial sector stakeholders take the necessary security measures to prevent or mitigate ICT-related cyber attacks and other incidents.

In essence, the requirements of the Digital Operational Resilience Act can be subdivided into these five subject areas:

  • Establishing a framework for ICT risk management
  • Handling, classifying and reporting ICT incidents
  • Operational resilience testing
  • Managing third-party ICT risk
  • Creating a monitoring framework for critical third-party ICT service providers

DORA will impact financial companies such as banks, insurance companies, investment firms, and crypto service providers. The regulation also applies to third parties who provide ICT-related services to these financial companies — such as cloud service providers. On the other hand, “micro-enterprises” with fewer than ten employees and an annual turnover of two million euros are excluded. It is expected that DORA will apply to more than 22,000 financial institutions and ICT service providers operating in the EU. A period of 24 months, until 17.01.2025, is foreseen for the implementation of the 79-page DORA regulation by the companies and authorities concerned.

Goal: Cyber resilience in the EU financial sector

Thanks to DORA, vulnerability to ICT disruptions and cyber threats along the entire financial sector value chain is to be reduced. In addition, the regulation aims to harmonise national ICT security rules in the financial sector across the EU and create a uniform supervisory and legal framework. This is because the current EU legal framework for ICT risks in the financial sector is fragmented and sometimes inconsistent. Practically every country currently has its own regulations and supervisory obligations, which, however, do not sufficiently take into account some ICT risks — or include double requirements at national and EU level.

Among the five core topics mentioned above, ICT risk management and risk analysis are particularly important. Financial companies are required to set up comprehensive ICT risk management, including:

  • establishing and maintaining robust ICT systems and tools that minimise the impact of ICT risks,
  • key elements such as identification, classification and documentation of critical functions,
  • continuous monitoring of all sources of ICT risks in order to establish protection and prevention measures,
  • immediate detection of anomalous activity,
  • introduction of specific and comprehensive business continuity policies and disaster and recovery plans, including annual testing of plans that cover all supporting functions,
  • establishing mechanisms to learn and develop both from external events and from in-house ICT incidents.

Some points are likely to be worked out or specified in detail in the coming months. However, it is already clear that since the EU regulation came into force on January 16, 2023, companies have only two years to upgrade their systems so that they become more resistant to incidents such as data leaks, DDoS attacks or insider threats. This is because the regulation requires financial companies to implement effective and comprehensive management of cybersecurity, information and communication technology risks by January 17, 2025.

Time is of the essence for financial companies

In light of this, DORA is both a challenge and an opportunity for financial companies. With a preparation period of just two years, there is already a lot to consider, implement and prove. Financial institutions should therefore carry out comprehensive analyses promptly in order to identify areas in good time that require further investments and/or optimization.

Despite the sometimes extensive preparatory measures, the DORA initiative also represents a great opportunity for financial companies. After all, an EU-wide security network offers the industry many advantages, for example when it comes to reducing general industry risk or distributing security tasks. DORA is also a step forward from a consumer perspective, as its implementation protects our sensitive data from cyber criminals.
