If your IT department works for a financial institution operating in Europe, you’ve come to the right place, since the Digital Operational Resilience Act (DORA) simplifies compliance and promotes a unified approach to managing IT risks, which is vital in an era of increasing cyber attacks.
This legislation introduced by the European Union (EU) aims to standardize and enhance cybersecurity practices across financial entities, ensuring they can withstand, respond to, and recover from IT disruptions.
DORA was officially published and entered into force on January 16, 2023, marking the beginning of a 24-month preparation period that will culminate in its full application on January 17, 2025. During this time, financial institutions, including banks, insurance companies, and other financial services providers, are required to align their operational resilience frameworks with the new regulations.
In this article, we will explore the importance of this groundbreaking framework, its implications for various entities within the financial ecosystem, and how it aims to maintain the stability and trust in the financial markets.
So join us as we break down the essentials of DORA and what it means for the future of financial operations in the EU!
What is the Digital Operational Resilience Act?
The Digital Operational Resilience Act (DORA) is a regulatory framework introduced by the European Commission as part of its broader digital finance package. The act aims to ensure that all participants in the financial system have the necessary safeguards to mitigate cyber threats and to maintain operational resilience.
This includes a wide range of entities such as banks, insurance companies, and investment firms, as well as critical third-party service providers like cloud computing services.
The inception of DORA is rooted in the increasing dependency on digital technologies and the corresponding vulnerabilities that the financial sector faces.
Over recent years, the financial industry has undergone significant digital transformation, which, while beneficial, has also introduced new risks and challenges. The European Commission proposed DORA in September 2020, recognizing the need for a comprehensive approach to bolster the cybersecurity and operational resilience of the financial sector.
ISO 27001 vs. NIS2 vs. DORA vs. CIS
Each one of these frameworks focuses on enhancing cybersecurity and operational resilience. Although they sometimes share certain purposes, they are also tailored to specific sectors or general organizational practices.
Let’s take a look at them in a little more detail:
- ISO 27001: This is an international standard that outlines the requirements for an Information Security Management System (ISMS). It provides a framework for organizations to manage their information security by addressing people, processes, and technology.
- NIS2 Directive: An update to the EU’s Network and Information Systems Directive, NIS2 focuses on improving cybersecurity across various sectors, including essential and important entities. It mandates risk management measures and incident reporting obligations to enhance national and EU-level cybersecurity.
- DORA: Specifically targets the financial sector, aiming to consolidate and upgrade ICT (Information and Communication Technology) security and governance across financial entities. DORA introduces requirements for digital operational resilience testing and oversight over critical third-party providers.
- CIS Controls: Developed by the Center for Internet Security, the CIS Controls are a set of actionable best practices for cyber defense that help organizations protect themselves from known cyber attack vectors. These controls are more practical and specific compared to the broad regulatory frameworks of DORA or NIS2.
Why is the DORA framework important – and who needs it?
DORA’s importance extends beyond merely addressing cybersecurity; it is about maintaining the stability and trust in financial markets by ensuring continuous service during adverse events.
This is particularly significant as financial institutions handle sensitive data and their uninterrupted operation is crucial for market stability.
The framework facilitates cross-border collaboration in cybersecurity efforts within the EU, enhancing the security posture of the region’s financial ecosystem and protecting consumer interests.
The scope of DORA covers a wide range of entities within the EU’s financial system. This includes banks, investment firms, insurance companies, financial market infrastructures like stock exchanges and clearinghouses, and critical third-party IT service providers, including cloud services. These entities are pivotal to the financial system’s infrastructure, and ensuring their resilience is essential for the overall health of the financial markets.
All that to say that DORA is a key legislative measure that addresses the pressing need for robust operational resilience and cybersecurity in the financial sector.
In this environment, creating a harmonized regulatory framework in the EU enhances the security and stability of financial services and protects consumers by ensuring that financial entities and their critical service providers can maintain operations and manage IT disruptions effectively.
DORA compliance: scope and applicability
Below, we outline the scope and applicability of DORA, detailing which entities are affected and what compliance entails. The act applies to a wide range of financial entities, explicitly listed in its Article 2.
It is essential for these entities to ascertain if they fall within the purview of DORA’s regulations in order to devise suitable compliance strategies.
The entities encompassed are:
1. Credit Institutions: Traditional banks and financial institutions offering credit facilities.
2. Payment Institutions: Entities involved in payment processing, including those exempt under Directive (EU) 2015/2366 (PSD2).
3. Account Information Service Providers: Providers of consolidated information on one or more payment accounts.
4. Electronic Money Institutions: Institutions issuing and managing electronic money, including those exempt under Directive 2009/110/EC (EMD2).
5. Investment Firms: Firms engaged in securities trading and related services.
6. Crypto-Asset Service Providers and Issuers of Asset-Referenced Tokens: Entities dealing with cryptocurrencies and related financial products.
7. Central Securities Depositories: Institutions that hold and administer securities and enable securities transactions to be processed.
8. Central Counterparties: Entities facilitating transactions between various entities in the financial markets.
9. Trading Venues: Includes stock exchanges and other platforms where financial instruments are traded.
10. Trade Repositories: Entities maintaining records of derivatives contracts.
11. Managers of Alternative Investment Funds: Entities managing investments in alternative assets.
12. Management Companies: Companies managing investment funds.
13. Data Reporting Service Providers: Entities offering data and reporting services in financial markets.
14. Insurance and Reinsurance Undertakings: Companies involved in insurance and reinsurance businesses.
15. Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries: Agents and brokers in the insurance market.
16. Institutions for Occupational Retirement Provision: Entities managing occupational pension schemes.
17. Credit Rating Agencies: Agencies providing credit ratings for various financial entities.
18. Administrators of Critical Benchmarks: Entities responsible for setting benchmarks critical to financial markets.
19. Crowdfunding Service Providers: Platforms facilitating crowdfunding for various purposes.
20. Securitization Repositories: Entities dealing with the documentation and reporting of securitizations.
21. ICT Third-Party Service Providers: Providers of information and communication technology services to financial entities.
The formal legislative framework for operational resilience in the financial sector began with the introduction of DORA. From January 16, 2023, to January 17, 2025, financial entities have a 24-month preparation period to comply with DORA’s requirements. By January 17, 2025, DORA will be fully applicable across the EU, mandating full compliance from all covered financial entities.
Ongoing monitoring and reviews will ensure the framework’s effectiveness, with possible adjustments based on technological advancements and practical experiences. The development of DORA demonstrates the EU’s commitment to safeguarding its financial sector and enhancing global competitiveness. Organizations under DORA’s scope must stay informed and prepare early for a smooth transition.