To address increasing cyber challenges, the European Union introduced the Digital Operational Resilience Act (DORA). It is a crucial component of the EU’s digital finance package. The aim of this innovative legislation is to strengthen the digital resilience of the European financial market, particularly against information and communication technology (ICT) threats.
DORA stresses the duty of financial institutions’ management bodies to ensure digital operational resilience. It requires them to establish comprehensive ICT risk management frameworks for identifying, assessing, managing, and monitoring ICT risks. The regulation compels financial companies to follow stringent standards to safeguard their IT systems against disruptions and cyber-attacks.
DORA sets specific criteria for contracts with third-party ICT service providers. Financial institutions are required to rigorously assess and manage risks from these providers. This involves categorizing current contracts, defining target requirements, performing gap analyses, and addressing identified gaps.
The regulation changes how companies and their management view ICT-related responsibility and risk. It necessitates reviews and potential adjustments in insurance coverage.
DORA unifies the requirements for reporting major ICT incidents across the EU financial sector. Its goal is to enhance incident response and foster cooperation between national and European authorities. To that end, DORA sets standard procedures for monitoring, classifying, and reporting ICT incidents to the appropriate authorities; these are essential for rapid response and for reducing the impact of cyber-attacks.
DORA requires financial organizations to operate ICT systems and processes that can swiftly detect and respond to potential threats, and it specifies requirements for those processes and systems so that threats are rapidly identified and defended against. Examples include automatic network isolation during cyber-attacks, limiting data loss and system failures, and speeding up the return to normal operations.
Upon the enactment of DORA, national and EU supervisory authorities receive new powers in the area of digital operational resilience. This means increased requirements for companies in terms of assessing and enhancing their ability to deal with operational disruptions. This supervision aims not only to ensure compliance with new regulations but also to improve companies’ ability to assess and strengthen their operational resilience.
The new DORA requirements call for substantial investments in management, risk, and compliance, particularly in the ICT, cyber, and TPRM (third-party risk management) areas. Companies must perform gap analyses to pinpoint current deficiencies in capabilities, resources, and expertise. These gaps must be closed within the 24-month implementation period. This poses a challenge for companies, requiring quick adaptation and the development of new competencies to meet evolving regulatory requirements.
The DORA regulation represents a significant step towards enhancing operational and digital resilience in the European Union’s financial sector. DORA’s comprehensive approach, demanding new investments and engagement across various management levels, has the potential to serve as a model for other regions worldwide in protecting against cyber threats. The remaining challenge is continuous updating and adaptation to a dynamically changing cyber environment.