Digital threats top the agenda for every Chief Information Officer (CIO), especially in the Financial Services industry, where the consequences of breaches can be catastrophic. As financial services increasingly rely on IT tools and systems,
any digital disruption can have profound impacts not only on the institution itself but on the broader economy. Ensuring the operational resilience of these systems is critical and should be monitored by regulators similarly to traditional financial risks,
such as capital adequacy.
The European Union’s Digital Operational Resilience Act (DORA - EU Regulation 2022/2554) aims to significantly enhance the security and resilience of the financial sector, especially in the event of severe disruptions such as cyberattacks,
natural disasters, or technological failures. As the first legislation of its kind at the European level, DORA establishes a harmonized and comprehensive framework for ensuring the digital operational resilience of European financial institutions.
DORA was published on December 27, 2022, and came into effect in January 2023. However, full compliance is only required by January 2025 — a rapidly approaching deadline. This means that financial institutions must act now (if not already
ongoing) to ensure compliance.
The impact of this regulation is significant, as it impacts over 22,000 financial institutions and IT service providers across Europe, including major banks, insurance companies, payment service providers, brokers, funds, and credit institutions.
All those institutions will have to prove they are robust enough to manage disruptions and threats to their digital operations. DORA is overseeing this by introducing a framework with five key pillars:
-
IT Risk Management: Institutions must establish a comprehensive risk management framework to continuously identify (e.g. mapping IT assets and dependencies), assess, and mitigate IT risks. The focus extends beyond protecting the infrastructure
and also covers the ability of the institution to quickly recover from severe disruptions (cfr. Business Continuity Management & Disaster Recovery).
-
Incident Management: Institutions are required to implement proper incident management procedures. This includes recording and classifying every IT incident, assessing its impact, and notifying customers, other financial institutions, and
regulators about these incidents.
-
Operational Resilience Testing: Regular penetration testing and advanced security and resilience assessments are mandated to ensure systems can withstand and recover from cyber-attacks, aiming to eliminate vulnerabilities, deficiencies,
or gaps through mitigating measures.
-
Third-Party Risk Management: With increasing reliance on third-party providers, particularly cloud services, DORA enforces stringent oversight to ensure these services meet high resilience standards. This includes establishing contractual
provisions with these third parties and conducting ongoing risk assessments.
-
Information Sharing: DORA encourages a collective approach to threat intelligence, promoting the exchange of information and intelligence on cyber threats to enhance sector-wide resilience.
Clearly these five pillars have a broad impact on every financial institution, with impacts not only at IT, but for every department in the financial institution. Upgrading systems and processes to align with DORA’s requirements involves substantial costs
and may pose significant challenges, especially for smaller institutions.
However, the benefits of enhanced operational resilience are also clear. Entities that effectively manage their digital risks can reduce the frequency and impact of service disruptions, maintaining customer trust and operational continuity.
It will be interesting to observe how DORA enhances the security and resilience of the European financial system. While the principles of DORA are sound, the practical implementation leaves much to interpretation, potentially complicating compliance enforcement
by regulators.