European Council Adopts Digital Operational Resilience Act

The EU strengthens IT security for financial entities like banks, insurance companies, and investment firms through a provisional agreement on DORA

Introduction
Background
Timelines
Scope
Requirements & Elements
Conclusion

Enhancing Resilience in the EU Financial Sector
The financial sector plays a critical role in the stability and functioning of the economy. However, with the increasing reliance on digital technologies, the sector faces new risks and challenges. To address these challenges, the European Union has introduced the Digital Operational Resilience Act (DORA). In this article, we will explore what DORA is, its background, timelines, scope, and what it covers.


What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA), also known as Regulation (EU) 2022/2554, is a regulatory framework that aims to enhance the operational resilience of financial entities in the European Union. Before the introduction of DORA, financial institutions primarily managed operational risks through capital allocation, but they did not address all components of operational resilience. DORA fills this gap by establishing rules for the protection, detection, containment, recovery, and repair capabilities against ICT-related incidents.


Background
The need for a comprehensive framework addressing digital operational resilience in the financial sector became evident due to the increasing risks of cyberattacks. In response to these risks, the EU introduced the Digital Operational Resilience Act to strengthen the IT security of financial entities, including banks, insurance companies, and investment firms.


Timelines
The Digital Operational Resilience Act was formally adopted by the European Council on November 28, 2022. It was published in the Official Journal of the European Union as Regulation (EU) 2022/2554 on December 27, 2022. The regulation will enter into force on the twentieth day following its publication in the Official Journal and will apply from January 17, 2025.


Scope
DORA lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities. These requirements apply to various aspects, including:

  • Information and communication technology (ICT) risk management
  • Reporting of major ICT-related incidents and significant cyber threats
  • Reporting of major operational or security payment-related incidents
  • Digital operational resilience testing
  • Information and intelligence sharing in relation to cyber threats and vulnerabilities
  • Measures for the sound management of ICT third-party risk
  • Contractual arrangements between ICT third-party service providers and financial entities
  • Establishment and conduct of the Oversight Framework for critical ICT third-party service providers
  • Cooperation among competent authorities, supervision, and enforcement

The contractual arrangements between financial entities and ICT third-party service providers are also covered under DORA. The regulation sets rules for these arrangements and aims to ensure that financial entities have effective oversight and control over the ICT services provided by third parties.


Requirements and Elements of DORA

ICT Risk Management: Financial entities must establish robust ICT risk management capabilities to identify, assess, and mitigate potential risks. This includes implementing appropriate security measures, conducting regular risk assessments, and developing incident response plans.


Incident Reporting: DORA emphasizes the importance of incident reporting in enhancing operational resilience. Financial entities are required to report major ICT-related incidents, significant cyber threats, and major operational or security payment-related incidents to the competent authorities. This ensures that relevant stakeholders are aware of potential risks and can take appropriate actions to mitigate them.


Digital Resilience Testing: To ensure the effectiveness of their operational resilience measures, financial entities must conduct digital resilience testing. This involves simulating various scenarios and assessing the ability to withstand and recover from ICT-related disruptions. Testing helps identify vulnerabilities and weaknesses, allowing entities to strengthen their systems and processes.


Third-Party Risk Management: Financial entities often rely on third-party service providers for various ICT-related services. DORA emphasizes the need for sound management of ICT third-party risk. Entities must establish measures to assess and monitor the risks associated with these service providers, ensuring they meet the required security and resilience standards.

Information and Intelligence Sharing: Information sharing plays a crucial role in combating cyber threats and enhancing overall resilience. DORA promotes the sharing of information and intelligence related to cyber threats and vulnerabilities. Financial entities are encouraged to collaborate and exchange relevant information to stay ahead of emerging risks.


Conclusion
The Digital Operational Resilience Act is a crucial regulation that strengthens the operational resilience of the financial sector in the EU. By setting out specific requirements and elements, it ensures that financial entities have robust systems and processes in place to mitigate the risks associated with ICT incidents. DORA emphasizes the importance of ICT risk management, incident reporting, digital resilience testing, third-party risk management, and information sharing. These measures enhance the overall resilience of financial entities and contribute to the stability of the financial system.

As financial entities prepare for the implementation of DORA, it is important for them to understand the requirements and take necessary steps to comply with the regulation. By doing so, they can enhance their operational resilience and protect themselves from the potential risks associated with ICT incidents. Remember, the Digital Operational Resilience Act (DORA) is a significant step towards strengthening the digital resilience of the financial sector, ensuring its ability to withstand and recover from ICT-related disruptions. By adhering to the requirements and adopting best practices, financial entities can proactively manage digital risks and enhance their overall operational resilience.

