
DORA takes effect from January 2025: These companies are affected

The Digital Operational Resilience Act (DORA) is a regulation of the European Union and has been in force since January 17, 2023. It will be applied from January 17, 2025. DORA is part of a comprehensive EU package on digitalization and is intended to make the financial markets in particular more resilient to the growing threats posed by cyberattacks.

Background and necessity of DORA

Digitalization has significantly changed the financial sector in recent years. Banks, insurance companies, payment service providers and other financial institutions are increasingly relying on digital technologies to make their services more efficient and customer-friendly. At the same time, however, these technologies are vulnerable to cyberattacks, technical disruptions and other operational risks.

The EU has recognized that the operational resilience of the financial sector is not only a challenge for the companies themselves, but can also pose a threat to the stability of the entire financial system. A serious IT failure or cyberattack on a major financial institution could lead to widespread disruption and shake consumer and market confidence.

The COVID-19 pandemic and the associated increase in cyberattacks on the financial sector have further highlighted these risks. In particular, it became clear that many financial companies are still vulnerable despite having cyber security policies and contingency plans in place.

The introduction of an EU-wide regulation such as DORA was therefore necessary to better manage digital risks and prepare the financial sector for IT-related crises.

Objectives of DORA

The central goals of DORA are:

  1. Protection against cyber attacks and IT disruptions:
    DORA is designed to ensure that financial companies can effectively identify, assess, manage and mitigate the risks associated with the use of ICT systems.
  2. Harmonization of regulatory requirements:
    By introducing uniform requirements for digital resilience, the EU wants to ensure that there are no regulatory differences between member states. This should be particularly beneficial for cross-border financial service providers.
  3. Improved collaboration and monitoring:
    DORA requires financial institutions to better coordinate with the relevant authorities and other industry players in the event of incidents.
  4. Commitment to robust ICT systems:
    Companies should ensure that their ICT systems are robust enough to maintain operations even in the event of IT disruptions or cyber attacks.

These companies are covered by the Digital Operational Resilience Act

DORA is aimed at a wide range of financial companies and ICT service providers. According to Article 2 (1) DORA, the following fall within the scope of application:

a) CRR credit institutions,
b) payment institutions,
c) account information service providers,
d) electronic money institutions,
e) investment firms,
f) crypto-asset service providers authorized under the Regulation of the European Parliament and of the Council on markets in crypto-assets (MiCAR) and issuers of asset-referenced tokens,
g) central securities depositories,
h) central counterparties,
i) trading venues,
j) trade repositories,
k) alternative investment fund managers,
l) management companies,
m) data reporting service providers,
n) insurance and reinsurance undertakings,
o) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries,
p) institutions for occupational retirement provision,
q) credit rating agencies,
r) administrators of critical benchmarks,
s) crowdfunding service providers,
t) securitization repositories,
u) ICT third-party service providers.

As many financial companies now rely on external ICT service providers, DORA also covers third-party providers. These service providers must meet the same security and resilience requirements as the financial institutions themselves.

Exceptions apply to the following companies in accordance with Article 2 (3) DORA:

  • Alternative investment fund managers within the meaning of Article 3(2) of Directive 2011/61/EU;
  • Insurance and reinsurance undertakings within the meaning of Article 4 of Directive 2009/138/EC;
  • Institutions for occupational retirement provision that operate pension schemes with fewer than 15 members in total;
  • natural or legal persons exempted in accordance with Articles 2 and 3 of Directive 2014/65/EU;
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries who are micro, small or medium-sized enterprises;
  • Postal giro offices within the meaning of Article 2(5)(3) of Directive 2013/36/EU.

Core elements of DORA

DORA comprises a number of specific requirements and measures that financial institutions must implement. The most important elements include:

  1. ICT risk management
    Financial institutions must have a robust risk management framework that specifically addresses the risks associated with ICT systems. This includes, among other things:
    • Identification of vulnerabilities and threats in ICT systems.
    • Implementation of protective measures to avoid or minimize risks.
    • Regular evaluation of the effectiveness of these measures.
  2. Dependence on third-party providers
    As many financial institutions procure ICT services from external providers, dependence on third-party providers is a key issue in DORA. The regulation stipulates that the risks associated with third-party providers must also be assessed and monitored. Financial companies must ensure that their external service providers meet the same security standards as they do themselves.
  3. Emergency plans and business continuity
    A key aspect of DORA is ensuring business continuity in the event of a cyber incident or IT disruption. Financial institutions must develop comprehensive contingency plans that also take into account scenarios such as cyber attacks, technical failures or natural disasters. These plans must be tested and updated regularly.
  4. ICT documentation and information exchange
    Financial institutions must document ICT incidents and report them to the relevant authorities. A key component of DORA is the exchange of information on threats and vulnerabilities. This should help the entire industry to better arm itself against cyber attacks.
  5. Supervision and sanctions
    DORA gives the competent supervisory authorities in the EU member states extensive powers to monitor and enforce the regulation. Heavy fines can be imposed for non-compliance.


Reading tip: NIS 2 Directive - these companies are affected

Advantages and challenges of DORA for companies

Advantages of DORA are:

  • Increased security and resilience:
    The introduction of uniform security standards will strengthen the digital resilience of the financial sector in the EU.
  • Consistency and clarity:
    The harmonization of requirements reduces the regulatory patchwork and ensures clear rules in all member states.
  • Consumer protection:
    Customers can rest assured that their data and assets are better protected, even in times of crisis.
  • Increased market stability:
    By making financial institutions more resilient to IT failures and cyberattacks, DORA contributes to the stability of the entire financial system.

However, the companies concerned also face challenges:

  • Costs:
    Implementing the DORA requirements can involve significant costs, especially for smaller companies that may not have the necessary resources.
  • Dependence on third-party providers:
    Monitoring third-party providers can be complex and difficult, especially when global cloud providers such as Amazon Web Services or Microsoft are involved.
  • Complexity of the requirements:
    DORA requires a high degree of technical and organizational implementation, which can be a challenge for many companies.

EU supervisory authorities develop concrete standards for DORA application

By introducing uniform requirements for risk management, protection against cyber incidents and cooperation between the players involved, DORA aims to ensure that financial companies and their ICT systems become more resilient to increasing digital threats. Even though implementation may be associated with challenges, DORA should help to increase the stability and security of the financial market in the long term.

The three European supervisory authorities - the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) - are jointly developing technical regulatory standards, implementation standards and guidelines to further specify the application of DORA in all sectors.

Source: Regulation on Digital Operational Resilience for the Financial Sector of December 14, 2022
