On January 19, 2024, the three European Supervisory Authorities (EBA, EIOPA, and ESMA) released the first set of final draft technical standards under DORA to improve the digital operational resilience of the EU financial sector by strengthening ICT and third-party data risk management.
Although DORA goes into full effect on January 17, 2025, if you’re responsible for developing and implementing compliance, data security, and protection procedures in the financial sector and ICT, this article is for you.
Here, you’ll learn what exactly DORA is, why it matters, and how to stay compliant. Let’s explore the details.
Although DORA goes into full effect on January 17, 2025, if you’re responsible for developing and implementing compliance, data security, and protection procedures in the financial sector and ICT, this article is for you.
Here, you’ll learn what exactly DORA is, why it matters, and how to stay compliant. Let’s explore the details.
DORA 101: Understand What the Regulatory Framework is All About
Understanding DORA and adhering to it isn’t just a matter of regulatory compliance; it’s more about safeguarding the integrity and stability of your business.
Before DORA, the EU regulations mainly focused on ensuring sufficient capital for operational risks. ICT and security risk guidelines varied for financial entities, leading to a mix of challenging regulations.
For instance, a bank that operates in France may follow different ICT and security risk guidelines compared to one operating in Germany. This creates challenges for cooperation between international branches because there are no unified compliance standards.
DORA will change this.
The main reason behind the regulation is that the financial sector increasingly depends on technology and services offered by tech vendors. This makes financial entities vulnerable to cyber-attacks or incidents.
Picture this scenario: Your bank relies on a cloud service provider to host its customer data. If the provider experiences a breach and exposes sensitive financial information, your organization could face the daunting prospect of restoring trust and recuperating potential revenue losses.
Even without a data breach, third-party service providers might not uphold your business's data-handling standards or security protocols despite having contractual agreements and assurances in place.
DORA is a regulatory framework proposed by the European Commission to ensure the financial sector's and ICT's operational resilience. It aims to address the increasing digitalization of financial services and the potential risks associated with cyber threats and ICT disruptions.
The regulatory framework establishes a comprehensive set of rules and requirements to improve the operational resilience of financial institutions and infrastructure providers.
Financial institutions and infrastructure providers include:
The new regulation encompasses various measures to prevent, detect, and mitigate ICT-related incidents. The key idea is to ensure the continuity of critical functions in the financial sector.
Let’s explore the main ideas behind DORA.
DORA’s key ideas aim at strengthening the resilience of the financial sector and ICT by:
Before DORA, the EU regulations mainly focused on ensuring sufficient capital for operational risks. ICT and security risk guidelines varied for financial entities, leading to a mix of challenging regulations.
For instance, a bank that operates in France may follow different ICT and security risk guidelines compared to one operating in Germany. This creates challenges for cooperation between international branches because there are no unified compliance standards.
DORA will change this.
The main reason behind the regulation is that the financial sector increasingly depends on technology and services offered by tech vendors. This makes financial entities vulnerable to cyber-attacks or incidents.
Picture this scenario: Your bank relies on a cloud service provider to host its customer data. If the provider experiences a breach and exposes sensitive financial information, your organization could face the daunting prospect of restoring trust and recuperating potential revenue losses.
Even without a data breach, third-party service providers might not uphold your business's data-handling standards or security protocols despite having contractual agreements and assurances in place.
What is DORA?
DORA is a regulatory framework proposed by the European Commission to ensure the financial sector's and ICT's operational resilience. It aims to address the increasing digitalization of financial services and the potential risks associated with cyber threats and ICT disruptions.
The regulatory framework establishes a comprehensive set of rules and requirements to improve the operational resilience of financial institutions and infrastructure providers.
Financial institutions and infrastructure providers include:
- Credit institutions
- Payment institutions
- E-money institutions
- Investment firms
- Crypto asset service providers
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Management companies
- Insurance undertakings and intermediaries
- Crowdfunding service providers
- Securitization repositories.
The new regulation encompasses various measures to prevent, detect, and mitigate ICT-related incidents. The key idea is to ensure the continuity of critical functions in the financial sector.
Let’s explore the main ideas behind DORA.
Main Objectives of the Digital Operational Resilience Act
DORA’s key ideas aim at strengthening the resilience of the financial sector and ICT by:
- Promoting proactive risk management and incident response capabilities to safeguard critical functions
- Establishing a clear governance program and oversight to address potential ICT-related disruptions and cyber threats
- Fostering collaboration and information sharing among relevant stakeholders to enhance overall operational resilience
- Ensuring compliance with regulatory standards to mitigate systemic risks and protect the stability of the financial sector and ICT infrastructure
This is How DORA Impacts the Financial Sector
The implementation of DORA has initiated significant changes in compliance requirements for financial institutions. These modifications fundamentally alter how your business interacts and responds to regulatory demands.
DORA brings stricter compliance standards for financial institutions, prompting a reassessment of internal processes, risk management, transparency, and data security.
The regulation includes:
The implementation of DORA might feel overwhelming at times. We got you. All in all, a big part of your role is planning and executing the strategy so your organization adheres to this new regulation.
However, changes in regulations bring innovation and growth opportunities, too.
For instance, using DORA can help your business standardize practices and technologies, leading to a robust infrastructure, enhanced cybersecurity, and resilient systems. This can give you a competitive edge in the financial and ICT industries.
Plus, complying with DORA demonstrates your commitment to operational resilience and security, which can build trust among customers and stakeholders.
Your organization also should move towards adoption of a zero trust data approach that ensures that all data sources and storage locations are treated as potentially compromised, with continuous verification and validation of data access and transactions. This data management strategy aligns with DORA’s requirements and secures data integrity and confidentiality across all ICT systems.
Proactively preparing for DORA can reassure clients that their data and assets are protected against cyber threats and operational disruptions. And even in case of a breach, compliance with DORA ensures that the customer data stays safe.
Changes in Compliance Requirements
DORA brings stricter compliance standards for financial institutions, prompting a reassessment of internal processes, risk management, transparency, and data security.
The regulation includes:
- Policies, procedures, protocols, and tools your organization needs to protect data
- Guidance of how to classify, report, and respond to threats (especially reporting major incidents)
- Guidelines on more regular testing like vulnerability scans, network assessments, and penetration assessments
What Opportunities Does DORA Regulation Bring for Your Business?
The implementation of DORA might feel overwhelming at times. We got you. All in all, a big part of your role is planning and executing the strategy so your organization adheres to this new regulation.
However, changes in regulations bring innovation and growth opportunities, too.
For instance, using DORA can help your business standardize practices and technologies, leading to a robust infrastructure, enhanced cybersecurity, and resilient systems. This can give you a competitive edge in the financial and ICT industries.
Plus, complying with DORA demonstrates your commitment to operational resilience and security, which can build trust among customers and stakeholders.
Your organization also should move towards adoption of a zero trust data approach that ensures that all data sources and storage locations are treated as potentially compromised, with continuous verification and validation of data access and transactions. This data management strategy aligns with DORA’s requirements and secures data integrity and confidentiality across all ICT systems.
Proactively preparing for DORA can reassure clients that their data and assets are protected against cyber threats and operational disruptions. And even in case of a breach, compliance with DORA ensures that the customer data stays safe.
This is How DORA Impacts ICT
If you stand on the service providers' side, implementing DORA also significantly impacts your organization.
Integrating DORA regulations in ICT infrastructure and reinforcing cybersecurity and data protection measures remain important in ensuring compliance and fostering operational resilience.
Integrating DORA into the ICT infrastructure requires a thorough approach to adjust and strengthen current systems. This includes:
Integrating DORA regulations in ICT infrastructure and reinforcing cybersecurity and data protection measures remain important in ensuring compliance and fostering operational resilience.
Integration of DORA in ICT Infrastructure
Integrating DORA into the ICT infrastructure requires a thorough approach to adjust and strengthen current systems. This includes:
- Strong risk management frameworks
- Transparent incident reporting processes
- Defining clear operational duties
How Can You Start Preparing for DORA?
Cybersecurity is crucial for your business to protect sensitive data, prevent financial fraud, maintain customer trust, and ensure the integrity of critical systems and operations.
However, the traditional data protection measures fall short of providing this security and ensuring compliance with DORA.
Gary LaFever, Co-CEO & General Counsel at Anonos, noticed that:
However, the traditional data protection measures fall short of providing this security and ensuring compliance with DORA.
Gary LaFever, Co-CEO & General Counsel at Anonos, noticed that: