What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act is an important regulation that could change the financial sector as we know it today. While many threats to EU banks and financial services are outside their control (current wars and the Covid-19 pandemic are two prime examples), another growing concern is the danger posed by hacking aimed at stealing important financial data. Financial entities are now highly interconnected and rely heavily on their ICT systems. This constitutes a systemic vulnerability: a single financial entity can become the channel through which a cyber incident spreads across the whole financial sector of the EU.
To combat this, the Digital Operational Resilience Act (DORA) has been announced as a further measure to help protect EU-state organizations against potential disruptions by setting rules that must be followed.
In the past, financial organizations set up their defenses against criminal activity mainly through capital buffers. The European Union Agency for Cybersecurity (ENISA) was created in 2004 to combat this danger, but it is clear that more is required.
In addition, ICT requirements have so far been addressed in various separate legal acts. DORA will bring a uniform regime across the whole EU financial sector.
Why is DORA Important?
With cybercrime worldwide estimated at up to €5.5 trillion up to 2020 alone, ransomware is one of the major threats to modern civilization, not just in the EU but on a global scale. DORA is a key piece of legislation that will tackle this issue. In the past, financial institutions predominantly backed up their security measures by investing capital, but now they will need to follow more stringent EU laws.
The Digital Operational Resilience Act is vital for helping financial entities reduce vulnerabilities, because:
- It will put rules in place to assess ICT risk management at a higher level and reduce the need for financial businesses to rely on third parties.
- It will enforce these rules by creating an Oversight Framework to monitor ICT third-party providers.
- It will create a platform for financial entities to share cybersecurity best practices among themselves, reducing the risks posed by ransomware not just on an individual scale but on a collective one too.
As reliance on digital banking grows, DORA will be applied as a single legislative act across the EU states to mitigate risks whether businesses use blockchain technology, wallets, mobile banking, and so on. DORA will be passed as law to ensure the continued survival of the financial industry, regardless of the impending threat from outside criminal activity.
DORA in the EU follows on from the UK Bank of England's plan to work in tandem with the Financial Conduct Authority (FCA). Both draw on the methodology of operational resilience: rather than adding to the disruption caused by outside influences on the financial sector, the sector defends against all threats with a plan in place, and at the same time prevents major threats to the financial system as a whole by protecting financial markets, infrastructures, and entities together.
When Will the Digital Operational Resilience Act (DORA) Be Implemented Throughout the EU?
Following its publication in the Official Journal of the European Union as Regulation (EU) 2022/2554, it will apply in all EU states as of the 17th of January 2025, with a review of the Digital Operational Resilience Act one year later, in early 2026. DORA is a regulation, not merely a directive: it is directly applicable and must be implemented by all financial entities under EU financial authorities, without needing to be transposed into national law. This followed the European Parliament and the Council presidency reaching a political agreement on DORA on the 28th of June 2022.
What Do You Need to Prepare for Digital Operational Resilience Act (DORA)?
In a nutshell, you need to ensure that your business or financial institution can 'withstand, respond to, and recover' from different types of threats and disruptions within your ICT systems.
By 2025, all security systems and network facilities need to align with the DORA principles as documented in EU legislation. In due course, the European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will work together to introduce technical standards that EU financial entities will need to follow.
Examples of such financial entities include credit institutions, investment firms, crypto-asset service providers, and electronic money institutions.
DORA is broken down into the following requirements that all organizations in scope will need to follow:
1. ICT Risk Management
This encompasses a wide range of practices that require attention, such as:
- Having policies in place to recognize potential cyber threats to ICT systems and infrastructures
- Creating strategies and tools to protect monetary and digital assets
- Setting up an internal control framework and internal governance correctly, including through human resource management
- Having monitoring systems in place to detect suspicious activity and to keep track of how the organization's ICT systems are functioning under the DORA policy
- Creating a crisis plan for the case where the ICT system is breached and financial entities are at risk, including warnings sent to affected clients and, where required, to the public
2. ICT Incident Management, Classification, and Reporting
A product or service is only as valuable as the records you keep. To ensure the continued existence of any organization or business, reports must be produced and all ICT incidents notified not just to the financial authorities but to all affected clients too. This is not only to cover any EU business or organization from a legal standpoint, but also for transparency.
ICT incidents will have to be classified, and if an incident is classified as major under the stated criteria, the financial entity will have to report it to the competent authority. In Lithuania, this is most likely going to be the Bank of Lithuania.
Implementing the correct ICT-related incident management process is vital to honor this obligation, and all incidents should be reported to the correct authority, with financial entities submitting an initial report, an intermediate report in greater detail with updated notifications, and then a final report. The stated criteria will apply to incidents involving operational and security issues related to payments, as well as significant operational or security incidents related to payments.
The reporting formats and content will be standardized by Regulatory Technical Standards (RTS). Moreover, the ESAs (European Supervisory Authorities) will evaluate the possibility of establishing a unified EU Hub through which financial entities report major ICT-related incidents.
In addition, the mentioned criteria will apply to incidents at credit institutions, payment institutions, account information service providers, and electronic money institutions that involve operational and/or security issues related to payments, as well as to major operational or security incidents related to payments.
3. Digital Operational Resilience Testing
Without stating the obvious, testing is imperative to reduce and prevent risks to a financial entity. Financial entities, with the exception of microenterprises, are expected to introduce:
- A program for digital operational resilience testing (which needs to be completed at least once a year)
- Testing carried out by an independent party (preferably external)
- The correct policies and procedures to flag any dangers to key operations, with remediation where appropriate
The program should cover a range of activities: open-source analyses, network security assessments, questionnaires, scanning software solutions, source code reviews (where feasible), scenario-based tests, vulnerability assessments and scans, physical security reviews, compatibility testing, performance testing, end-to-end testing, and penetration testing. Microenterprises shall perform this testing following a risk-based approach.
Every three years, financial entities should carry out advanced threat-led penetration testing (TLPT). TLPTs will have to cover several or all critical functions of a financial entity and will have to be performed on live production systems. ICT third-party service providers (TPPs) are also subject to this testing. National competent authorities will have the right to reduce or increase this frequency if deemed necessary.
4. Managing ICT Third-Party Risk
One way to manage this risk is through contractual arrangements between financial entities and ICT third-party service providers (also known as outsourcing arrangements). All rights and obligations will have to be allocated and set out in writing, and the contracts will have to include all requirements laid out in DORA. Full responsibility for compliance rests with the financial entity.
In line with the new DORA rules, a written agreement will have to be in place between any organization and its third-party ICT service providers to ensure the requirements are followed correctly. All responsibility for compliance falls on the financial entity.
DORA establishes the Oversight Framework for ICT TPPs, and the determination of whether an ICT TPP is critical will be made at the EU level by the ESAs. Each critical ICT TPP will have a designated Lead Overseer whose primary responsibility will be to ensure that the ICT service provider adheres to effective rules, due diligence, fairness, proper procedures, and mechanisms that prevent risks to any financial entity.
In case of non-compliance, the Lead Overseer will either issue recommendations or impose periodic penalty payments on the ICT third-party service provider. As a last resort, financial entities may have the right to terminate or suspend any contractual agreement with the third party, depending on the recommendation made by the Lead Overseer.
5. Information Sharing Arrangements
What's great about the introduction of DORA is the encouragement for financial entities to voluntarily share intelligence, tips, and tactics with each other, after informing the relevant competent authorities where required. This means there is a legal process in place that ensures best practices are followed collectively throughout the EU and exchanged accordingly to protect the financial union. This includes all cybersecurity alerts, threats, indicators of compromise, and configuration tools.
This partnership between financial entities should help prevent cyber attacks and, at the same time, cripple the attackers behind them.
6. Competent Authorities
Under DORA, competent authorities will be provided with all the powers of supervision, investigation, and sanctioning necessary to carry out their duties. This includes:
- The ability to access any document or data relevant to the competent authorities' performance of their duties
- Conducting on-site inspections or investigations
- Requiring corrective or remedial measures and, without prejudice to the right of Member States to impose criminal penalties, imposing administrative penalties for breaches of the Regulation
As we get closer to the deadline, BCCS will update this blog with any further useful information as more details about DORA are revealed.
In the meantime, should you have any questions about DORA or require any assistance regarding its requirements, BCCS has many members within our cluster with a variety of expertise who could help get your business ready for the upcoming EU legislation before 2025. Let's talk.