DORA – Bolstering and Harmonising Operational Resilience Across the EU.
See full article at https://cjcit.com/insight/dora-navigating-the-eus-operational-resilience-landscape/
The EU’s DORA is inevitable and will have rippling effects beyond the union. It supersedes previous industry-specific operational resilience guidelines and overcomes national disparities, harmonising guidelines for key focus areas across the entire financial industry value chain to establish a common framework across the union. This insight explores the macro impacts of DORA, summarising key sections of DORA’s full text to define:
Digital technologies are pivotal for global financial and capital market firms to support complex systems, and they are critical to the delivery of typical business functions and revenue-generating activities. Digitalisation and the resulting interconnectivity enable greater efficiency and cost savings, but they also amplify information and communication technology (ICT) risks and increase the financial system’s vulnerability to cyber threats and disruptions.
Despite targeted policy and legislative initiatives at the national level, the European Union (EU) recognises the critical need to harmonise and bolster operational resilience across its member states to protect the integrity and efficiency of the internal market, particularly considering escalating cyber threats[1] and disruption incidents[2]. A view recently echoed by Liquidnet[3]:
“The industry is only as strong as its weakest link […] 2024 will not only represent greater regulatory scrutiny of compliance, risks, and controls as well as technology interoperability, but individual responsibility in making the eco-system function optimally.”
Addressing the ongoing resilience challenges, the EU introduced the Digital Operational Resilience Act (DORA) to fortify ICT security and operational robustness for financial entities.
What Is DORA and Its 5 Focus Areas?
DORA was adopted by the European Parliament and the Council on the 14th of December 2022, with compliance required by January 17th, 2025. The regulation aims to consolidate and enhance digital operational resilience across the financial landscape, which until now has been addressed separately in various Union legal acts, through a common framework[4] for the digital operational resilience of financial entities, so that they can better withstand and recover from breaches and ICT incidents.
DORA's 5 Areas of Focus:
Why Is DORA Important?
DORA builds on and supersedes earlier industry-specific guidelines to overcome disparities and consistently consolidates guidelines for key areas across the entire value chain. It is unique because it introduces a union-level common oversight framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs)[5].
With the financial sector reliant on digital ICT systems and as interconnectivity grows, ICT risks and vulnerabilities will have an increasingly disruptive cross-border impact across the union, which amplifies the effect of operational disruptions and cyber threats at financial firms. DORA acknowledges that digitalisation now encompasses critical financial functions[6] like payments, securities clearing, algorithmic trading, and back-office operations. It aims to bolster the operational resilience of these functions to maintain overall financial stability and protect consumer trust within the internal markets. DORA aims to preserve market confidence by ensuring the seamless provision of financial services even during challenging scenarios.
Who Does DORA Apply To?
DORA applies to all financial institutions in the EU and the ICT third-party service providers supplying services to support them. A recent insight[10] addressed this. The EU’s DORA regulation introduces specific and prescriptive requirements for all financial market participants.
DORA – Financial Entities
To comply with DORA, financial entities must enhance ICT risk-related management practices, which include identifying, assessing, and mitigating risks associated with digital operations. DORA also introduces prompt ICT incident reporting obligations to the relevant authorities for critical function disruptions. Also, institutions must regularly simulate various disruptions to test operational resilience and recovery capabilities.
Notably, DORA emphasises that financial entities must assess and manage the third-party ICT risk of their service providers and ensure contractual arrangements address operational resilience. This relates to the concentration of risk (DORA Article 29[11]) and follows incidents like the OPRA outage[12], and cybercrime targeting critical suppliers in the financial supply chain like the Ion Group hack last year[13] or cloud computing vendors[14], where a single incident can potentially impact multiple financial entities.
It should be noted that the impact of outages is not limited to firms and end-users, with repercussions potentially overflowing onto personal finances, as demonstrated by DBS bank[15] earlier this year.
DORA – Third-Party Dependencies and Operational Resilience
Financial entities have increasingly relied on third-party providers to deliver critical parts of their operations and services; consequently, DORA also significantly affects third-party dependencies. These third parties include cloud service providers, data vendors, software developers, and other technology partners. Outsourcing certain functions can enhance efficiency and reduce costs, but as we saw with Ion, it also introduces new risks. Authorities must now look beyond the resilience of individual regulated firms and assess the sector’s wider operational resilience.
DORA emphasises the importance of robust risk management practices for third-party dependencies, aiming to bolster the overall resilience of the financial sector in the digital age. These include:
Speaking about operational resilience and DORA compliance, Gina Wee, Chief Information Officer at CJC said, "From implementing robust encryption and strict access control to conducting regular audits, CJC upholds high levels of compliance to ensure data security. Combined with proactive planning, adaptive procedures and a culture of continual improvement, we ensure uninterrupted services to our clients. We hope our commitment to information security, operational resilience and accountability provides our clients peace of mind and confidence in our managed services."
DORA Compliance vs. Non-Compliance
The Risk of Non-Compliance
Not complying with DORA may lead to reputational damage, financial losses, and regulatory penalties. Firms that fail to comply with DORA’s requirements risk operational disruptions, customer dissatisfaction, and potential legal consequences.
DORA Compliance – 3 Considerations & Best Practices
To comply with DORA, financial institutions must first comprehensively map existing third-party dependencies, which involves understanding the services of outsourced functions in order to identify critical dependencies. Step 2 assesses the resilience of the mapped dependencies by evaluating each service provider’s operational capabilities, security measures and disaster recovery plans. Finally, contractual agreements with third parties should specifically address operational resilience requirements, including provisions for incident reporting, business continuity, and recovery time objectives.
To stay compliant, financial institutions can take several steps to implement best practices that ensure continuous compliance with DORA. These include:
Final Words:
DORA is not just a regulation; it is a strategic opportunity to enhance your operational resilience and build trust in the digital age. As the leading market data technology consultancy and service provider for global financial markets, CJC treats its position as a critical third-party supplier of market data-managed services to the capital market community seriously. No matter the service level, DORA-compliant standards and transparency are out-of-the-box from CJC, which provides multi-award-winning consultancy, managed services, cloud solutions, observability, and professional commercial management services for mission-critical market data systems. CJC is vendor-neutral and ISO 27001 certified, enabling CJC’s partners the freedom to focus on their core business.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.