DORA Regulation (Digital Operational Resilience Act): strengthening and harmonizing the main cybersecurity requirements at European level for financial companies

On December 27th, 2022, the new DORA Regulation (Digital Operational Resilience Act) was published in the Official Journal of the European Union. It aims to strengthen and harmonize, at European level, the main cybersecurity requirements for financial companies (banks, insurance companies, cryptocurrency service companies, financial institutions) and their critical service providers.

The need for a European Fintech regulation stems from an assessment shared by many sectors: the digital transformation, which has involved most financial players, has not been accompanied by adequate awareness and management of the ICT risks to which the sector is increasingly exposed.

In fact, the growth in the number and severity of cyberattacks, the risk of consequences at both national and supranational system level, and various gaps in the existing regulatory framework have highlighted the need to standardize requirements uniformly at European level in order to ensure “digital operational resilience” in the financial sector.

DORA Regulation: game changer for all cybersecurity aspects in the financial sector

This publication therefore marks a decisive and significant turning point for all cybersecurity aspects of the financial sector, and it aims to ensure that companies in the sector:

• are able to adequately manage the risks deriving from the use of ICT;

• have a complete and efficient ICT incident management system;

• verify their digital operational resilience;

• adequately manage the risks introduced by the increasingly significant presence of third parties operating in the ICT world;

• share with the digital financial community information concerning cyber threats and detected vulnerabilities.

The DORA Regulation entered into force throughout the European Union on 17th January, 2023, and will be fully applicable from 17th January, 2025; companies targeted by the Regulation therefore have about two years to comply with its numerous new requirements. Although this may seem a long time, in complex organizations it can prove decidedly short.

For financial institutions, four chapters are the most relevant and can be considered the main pillars of the regulation. Without examining in detail the articles that compose them, the numerous obligations introduced by the Regulation can be summarized in the following main points:

  1. governance and internal organization, whose purpose is to define a control framework for the effective and prudent management of ICT risks. A fundamental role is played by the “Management Body” of the institution, which has the task of approving and applying the provisions of that framework and bears full responsibility for it;
  2. adoption of an ICT risk management plan, which essentially requires the creation of an ICT risk management framework and the definition of a digital resilience strategy (i.e. business continuity and disaster recovery);
  3. management of ICT-related incidents, by implementing a process for the continuous monitoring, recording and handling of ICT-related incidents and for notifying them to the competent authorities. Incidents must be handled on the basis of priority, severity and the criticality of the affected services, with the clear aim of lessening their impact and ensuring the prompt reactivation of operations and the security of services;
  4. digital operational resilience testing, in order to increase supervisors’ awareness of the cyber risks and incidents to which financial entities are exposed. Financial entities will be required to perform a series of periodic tests to identify weaknesses, deficiencies or gaps, and to verify their ability to implement corrective measures in a timely manner, applied proportionately to their size, business and risk profile;
  5. management of ICT risks arising from third parties. In particular, this requirement includes the identification, classification and documentation of all processes that depend on third-party ICT service providers. Furthermore, specific contractual obligations must be imposed, in order to ensure adequate monitoring of the activities carried out by suppliers that perform a critical function for the financial institution’s business;
  6. definition of information-sharing protocols, through the establishment of agreements among financial entities for the exchange of information and data on cyber threats.

As this brief summary shows, compliance with the regulation can be burdensome, especially for small and medium-sized businesses. It is therefore important to underline that, for the implementation of the above requirements, the Regulation relies on the principle of proportionality, placing the burden (as is already the case, for example, with the GDPR) on the individual entity to assess and demonstrate the appropriate level of requirements to implement.

It is also important to underline that this new regulatory system fits into a context already crowded with national and European cybersecurity regulations, which partially overlap with the topics covered here. Moreover, several organizations will likely have to manage simultaneously the activities needed to comply with the obligations of the NIS Directive, the DORA Regulation and the Cyber Resilience Act, to name the most relevant.

Our approach

Our approach to the DORA compliance process involves preparing a customized compliance plan, defined according to the current level of implementation of the activities required by the regulation itself.

The assessment is carried out through a gap analysis based on what is already operational in the company: only at the end of this activity is it possible to assess the impact of the new rules introduced by the DORA Regulation.

This gap analysis involves the following assessments:

  1. Organizational aspects
  2. Risk management framework
  3. Incident management and reporting process
  4. Business continuity management process
  5. Critical ICT service providers
  6. Risks introduced by third parties
  7. Control and monitoring process

For each area of the gap analysis, the following are assessed:

  • the level of compliance identified;
  • the gap to be filled;
  • the actions to be taken in the short and medium term to fill the gap.

CONCLUSIONS

Taking into consideration the requirements of the Regulation and its potential impacts, companies should not further delay undertaking the compliance process: two years may seem a long time, but for complex organizations it may not even be enough.

Simona Costa

Senior Security Advisor, Innovery