Exploring DORA

May 2024  |  FEATURE | BANKING & FINANCE

Financier Worldwide Magazine

May 2024 Issue

For years, national governing bodies within the European Union (EU) were able to exercise their own discretion when it came to cyber security within the financial services (FS) space. This leeway led to a patchwork of incident reporting processes and directives which increased compliance costs for organisations.

Considering the diverse approaches to cyber security across the bloc, the EU has moved to harmonise rules and regulations. By implementing the Digital Operational Resilience Act (DORA), the EU is driving FS firms to withstand, respond to and recover from threats, boosting stability and confidence within the space.

DORA aims to promote, improve and ensure operational resilience within the FS sector. The goal is to achieve consistency across member states so that operations are maintained even during severe disruption.

With less than a year to go until DORA’s application on 17 January 2025, companies must be cognisant of their obligations.

Key provisions

While DORA’s impact will vary from country to country, depending on their existing regulations, it is a more interventionist approach to cyber security than previously prescribed. It requires financial institutions (FIs) to comply with a number of obligations designed to ensure that their business lines remain resilient to various risks. Being ‘operationally resilient’ means being able to resist, recover from and adapt to adverse effects that can disrupt or prevent the provision of services.

The Act will also place specific obligations on certain information and communications technology (ICT) service providers deemed to be ‘critical’. These providers will fall within the scope of a new direct regulatory oversight regime.

DORA sets a high threshold for financial entities’ digital resilience and ICT security, introducing a long and detailed list of complex requirements supplemented by several delegated and implementing acts.

To meet their obligations under DORA, firms must effectively enhance their operational resilience in a number of ways.

The Act contains five key pillars: (i) digital operational resilience testing; (ii) ICT risk management; (iii) incident reporting; (iv) information and intelligence sharing; and (v) ICT third-party risk management. All five pillars are interconnected to some degree and should be approached jointly by firms.

EU financial entities subject to DORA include full-scope alternative investment fund managers (AIFMs), Markets in Financial Instruments Directive (MiFID) investment firms, undertaking for collective investment in transferable securities (UCITS) management companies, credit institutions, central securities depositories (CSDs), central clearing counterparties (CCPs), payment institutions, e-money institutions, authorised cryptoasset service providers and trading venues.

Importantly, DORA’s scope extends beyond FS firms to cover providers of ICT services to financial entities, including those based outside the EU.

By the time DORA comes into effect next year, FIs of all sizes, including banks, insurers, investment firms and fund managers, will need to have in place arrangements for comprehensive ICT risk management. This includes strategies, policies, protocols, mechanisms, tools and technical systems for resilience testing, incident reporting, managing third-party ICT risks, and information sharing arrangements.

Under DORA, national competent authorities will have the power to impose sanctions, including fines, on non-compliant entities. Potential penalties under article 50 of the Act are significant. Unlike the EU’s General Data Protection Regulation (GDPR) or the NIS 2 Directive, DORA can impose daily fines on companies. Organisations deemed non-compliant by the relevant supervisory body may find themselves subject to a periodic penalty payment of 1 percent of the average daily global turnover in the preceding year, for up to six months, until compliance is achieved.

The supervisory body may also issue cease and desist orders, termination notices, additional pecuniary measures, and public notices to non-compliant organisations. Regulators can order an audit or, in extreme cases, suspend the company’s operations. The scope of the potential penalties and associated reputational damage to organisations for failure to comply with DORA mean that in-scope organisations must take immediate steps to prepare for its implementation.

Validate and refine processes

Digitalisation is playing an increasingly important role in banking and FS, but this comes with greater risk. Under DORA, FIs must prioritise risk management processes and conduct regular testing.

To meet their obligations under DORA, firms must effectively enhance their operational resilience in a number of ways. This includes investing in technology that gives them the ability to centralise enterprise-wide ICT risk management, monitor third-party risks, report ICT incidents in real time, easily share information between essential operations, and regularly test to evaluate the effectiveness of their processes.

Embracing DORA will help institutions meet their regulatory and operational needs. Given the harsh penalties for compliance failures, it is in firms’ best interests to address their obligations as soon as possible. As cyber security threats continue to evolve, companies must invest in their futures by validating and refining their DORA programmes before January 2025.

© Financier Worldwide

BY

Richard Summerfield

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.