DORA provides a regulatory framework on digital operational resilience where all firms need to make sure they are able to withstand, respond to and recover from all types of Information and Communication Technology (ICT) related disruptions and threats. These requirements will be homogenous across all EU member states. The UK has proposed similar guidelines and demonstrated this is an area of major focus, with UK regulators intending to publish a discussion paper to provide more clarity at the end of 2022.
The COVID-19 pandemic acted as a major catalyst behind the proposed legislation: as financial institutions accelerated their transition to digital systems to conduct day-to-day operations, the technological and cyber risk in the system increased.
What is Digital Operational Resilience?
Under the current proposal, digital operational resilience is defined as the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly through the use of ICT third-party providers, the full range of ICT-related capacities needed to address the security of the network and information systems which the financial entity makes use of. The goal of the legislation is to harmonise risk management in order to mitigate cyber security risk and maintain functional operations through severe operational disruption.
What classifies a Third-Party ICT?
ICT third-party providers offer digital and data services that fulfil a critical role in the functioning of the financial sector, even though they are not themselves financial services entities. The definition is aimed at encompassing cloud computing service providers and other technology operators that offer data analytics servers and data centres. Because multiple firms rely on a small number of third-party technology service providers, the concentration and contagion risk in the EU financial sector is considered to be elevated and has therefore become a focus for regulators.
Scope of DORA
DORA is much broader than any of its predecessors. A vast range of entities, from large and complex organisations to those that are smaller and simpler, will be affected, and many of these organisations have not previously been subject to the kind of regulation that falls within DORA’s scope. The expectation is that financial services organisations under its purview will treat DORA as a best-practices guide for their industry, specifically regarding cybersecurity and resiliency.
What does DORA Include?
The current proposal for DORA includes three main aspects:
- Uniform ICT risk management and resilience – a risk-based approach to establishing sound network and infrastructure management.
- Regulating third-party providers – creating an oversight framework for critical ICT third-party providers.
- Resilience testing and severe penalties – vulnerability assessments, with heavy fines for companies that fail to meet the established standards.
As this area of the industry develops, TRAction remains committed to making trade reporting simple by staying ahead of regulatory developments and monitoring for changes that may affect our clients. Don’t hesitate to contact us if you would like to know more.