DORA

In France, as elsewhere, the accelerated digitization of financial services has amplified risks in terms of cybersecurity and operational resilience. It is in this context that the European Union introduced the Digital Operational Resilience Act (DORA), a regulatory framework that aims to strengthen the resilience of financial institutions in the face of digital threats. Adopted in November 2022 by the Council of the EU, DORA and its associated directive came into force on January 16, 2023.

June 6, 2024

Why DORA?

The Digital Operational Resilience Act is a regulation made in Europe. It was proposed in September 2020 by none other than the European Commission as part of its digital finance strategy. Why was this legislation deemed necessary? Because the authorities recognized the growing vulnerability of financial infrastructures to cyberattacks and technological disruptions.

DORA therefore aims to ensure that all financial entities within the EU have the necessary capabilities, resources, and tools to prevent, detect, manage, and recover from ICT (Information and Communication Technology) incidents.

What are DORA's main objectives?
  1. Strengthen the operational resilience of financial institutions, ensuring that financial entities can continue to operate in the event of disruptive incidents.
  2. Harmonize regulatory requirements across the EU by creating a consistent and uniform framework for all financial institutions—thereby reducing regulatory disparities between Member States.
  3. Improve risk monitoring and management by implementing robust mechanisms to proactively identify and manage technological risks.

Who is affected by DORA?

DORA applies to a (very) wide range of financial entities. Here is a non-exhaustive list:

  • banks and credit institutions;
  • investment firms;
  • insurers and reinsurers;
  • asset management companies;
  • financial market infrastructures (clearing houses, central securities depositories);
  • payment service providers.

And that's not all: DORA also imposes obligations on third-party providers that supply essential services to financial entities. The critical interdependence between these providers and the financial sector is therefore (finally) recognized!

The 5 pillars of the DORA regulation

#1 Risk management

First and foremost, DORA requires financial entities to implement a robust and documented risk management framework. This framework must take into account several aspects: prevention, detection, response, and learning.

An effective risk management strategy therefore includes:

  • implementing appropriate security measures to prevent incidents;
  • continuous monitoring of systems to detect incidents and vulnerabilities;
  • the design of detailed plans to respond to incidents and restore services;
  • organizing post-incident assessments to improve processes and controls.

#2 Operational resilience testing

Operational resilience testing is the first level of testing introduced by DORA. The principle? Simulate a cyberattack against an asset in order to identify its main vulnerabilities.

Mandatory for all organizations affected by DORA, these tests are divided into two categories:

  • internal tests, which must be performed regularly to assess the ability to withstand and recover from incidents;
  • threat-based penetration tests (TIBER-EU), which are much more advanced and dedicated to critical entities.

Test results must (of course) be shared with regulators to ensure transparency and compliance in all circumstances.

#3 Management of third parties and service providers

Just because service providers are external to the company doesn't mean they don't matter! On the contrary: relationships with these players are crucial to operational resilience.

True to its mission, DORA therefore imposes specific obligations with regard to third-party management:

  • conduct a thorough preliminary assessment of suppliers before entering into contracts;
  • include specific contractual clauses to ensure the resilience and security of the services provided;
  • establish monitoring mechanisms to continuously assess supplier performance and risks;
  • prepare exit plans to manage contract termination without disrupting operations.

#4 Incident reporting

Preventing incidents is good. But when they unfortunately do happen, you shouldn't keep them to yourself! On the contrary, incident reporting is a crucial part of DORA regulations (and cybersecurity in general).

To regulate this practice, DORA first imposes strict notification deadlines: entities must notify the competent authorities of major incidents within 24 hours of their detection. This requirement for speed aims to ensure a rapid and coordinated response to minimize the potential impact of the incident.

Incident reports submitted to authorities must be detailed and complete. They must include:

  • the nature of the incident (precise description of what happened, including the type of attack or failure);
  • its impact on the company's operations, customers, and partners (financial losses, service disruptions, data security breaches, etc.);
  • the actions taken to contain and mitigate the incident (technical measures, communication actions, business recovery interventions, etc.);
  • analysis of the causes of the incident and formalization of preventive measures designed to avoid the recurrence of such incidents in the future (improvements in security processes, software updates, staff training, etc.).

#5 Governance and oversight

The DORA regulation emphasizes the responsibility of the board of directors and senior management of financial entities, who must be directly involved in risk management. Their main obligation? To ensure that all staff are trained and aware of risks and resilience measures.

But national and European regulators are not to be outdone: they also have a role to play, as they are responsible for monitoring compliance, carrying out inspections, and imposing penalties in the event of non-compliance.

DORA emphasizes cooperation and coordination between different regulatory authorities within the EU. These authorities are required not only to share information, but also to work together to ensure the consistency and effectiveness of the overall response. A way of combining collaboration and protection.

What are the implications for financial institutions?

1. Increased technological investments

Since DORA came into force, financial institutions have had to invest significantly in their technological infrastructure in order to comply with these new requirements.

These investments may relate to:

  • improving cybersecurity systems overall;
  • the implementation of advanced monitoring and detection solutions;
  • automation of risk management processes.

Financial institutions must also invest in ongoing training for their staff to ensure that they understand both new cyber risks and resilience protocols.

2. Changes to policies and procedures

Another change: companies' internal policies and operational procedures must be revised to incorporate the new DORA requirements. Business continuity plans, incident response procedures, supplier management protocols... everything must be updated!

3. Engagement with suppliers

To ensure that they are (and remain) DORA compliant, financial institutions must strengthen their relationships with their service providers. This may require:

  • renegotiation of contracts;
  • the establishment of new service level agreements (SLAs);
  • the implementation of stricter monitoring mechanisms.

Challenges in implementing the Digital Operational Resilience Act

1. Complex regulations

DORA is a useful and relevant regulation... but it is complex and demanding. So for small and medium-sized businesses with limited resources, it can be difficult to implement. In any case, compliance with DORA requires careful planning, considerable investment, and constant monitoring.

And since this involves integrating new requirements into an existing system, financial institutions must ensure that their systems can interact effectively with the new resilience and monitoring solutions.

2. Third-party management issues

Managing service providers (no easy task to begin with) can prove particularly difficult under DORA regulations. The main areas affected? Continuous monitoring and assessment of the risks associated with their providers.

Several requirements are therefore imposed on financial institutions:

  • implement monitoring mechanisms and regular audits to ensure that suppliers comply with security and operational resilience standards;
  • assess the risks posed by their suppliers, particularly in terms of business continuity, through analyses of the entire supply chain.

In short, they must work closely with their suppliers to ensure compliance with DORA requirements without compromising operations. This may involve putting in place detailed contracts, specific clauses on incident management, or transparency and reporting obligations.

3. Essential regulatory coordination

To ensure that the DORA regulation is implemented harmoniously in all countries concerned, the (multiple) national and European authorities must communicate and collaborate. The goal? To align the requirements and processes related to DORA, in order to make things easier for companies operating in several countries.

This is a good thing—even if, for financial institutions, it means navigating an even more complex and evolving regulatory landscape. They must remain vigilant in order to adapt to potential regulatory changes through continuous regulatory monitoring.

What are the benefits of the DORA regulation?

As its name suggests, the Digital Operational Resilience Act aims to improve the operational resilience of financial institutions. Its goal is simple (but twofold): to reduce the likelihood and impact of security incidents, thereby strengthening stability and confidence in the European financial system.

1. Reduce risks

By imposing strict cyber risk management requirements, DORA helps financial institutions better understand and manage their technological vulnerabilities. The result: reduced risks in terms of cyberattacks and operational disruptions.

2. Maintain consumer confidence

DORA helps to strengthen consumer confidence in digital financial services by ensuring enhanced data protection and increased operational resilience. As a result, consumers are more inclined to use these services because they know that their data and transactions are secure.

3. Harmonizing the European regulatory landscape

Last but not least, DORA harmonizes operational resilience requirements across the EU, creating a consistent regulatory framework for all financial institutions. In addition to simplifying and standardizing processes, this act aims to facilitate cross-border operations.

DORA therefore represents a major step forward in cybersecurity for the financial sector. Its recent entry into force is no coincidence, as it is a response to the exponential growth of cyber threats, particularly in such a sensitive area. However, looking on the bright side, DORA also provides an opportunity to build a stable and resilient financial ecosystem that consumers can trust.

How about putting this into practice? To help you manage your compliance with DORA, take a look at our webinar!
