European financial supervision has a clear enemy that needs to be mitigated: cyber risks. The idea that a major banking or payment system could be hacked triggers fear of major economic crises, depending on the scale of such a hack. Thus, there is a clear focus on IT security in the banking system to ensure the stability of the financial market, even in the event of a serious disruption, and to protect its market participants. One element helping to make this system more secure is the EU Digital Operational Resilience Act (DORA).
This article is intended to give both companies in the financial services sector and technical service providers an overview of what DORA entails, what its contents and objectives are, and what relevant companies need to do now to be DORA compliant next year.
Enacted in January 2023, DORA is set to be fully applicable starting January 2025, giving financial institutions and IT service providers that are active in the financial services sector two years to prepare. DORA aims to ensure that financial institutions can resist, manage, react to, and recover from various information and communication technology (ICT) disruptions.
ICT risks are identifiable circumstances related to the use of network and information systems that, if they materialise, could compromise the security of these systems. This includes risks to any technology-dependent tools or processes, operations, and the provision of services, potentially causing adverse effects in both digital and physical environments.
Those who have dealt with the financial services sector and its regulation in the European Union know that regulations on IT security are already in place. However, these have often been set at national level (for example, in Germany through numerous administrative regulations and individual provisions), so companies are already used to regulation and audits in this area. DORA now creates an EU-wide harmonisation of these security standards and, in some cases, even more far-reaching rules, such as separate direct supervision of major ICT service providers.
On the one hand, the key objectives of DORA are strengthening IT security by establishing robust ICT risk management, harmonising the national regulations that currently exist, and reducing inconsistencies between them. On the other hand, DORA also includes stringent requirements for managing risks associated with third-party ICT service providers, ensuring that these providers adhere to the same high standards of operational resilience. This even includes direct supervision of important ICT service providers (rather than indirect supervision through the financial institutions they serve), which is an absolute novelty in financial regulation.
A further large and costly task for financial institutions is the examination and adaptation of relevant ICT service contracts to the requirements of DORA. Until now, there have been national requirements, such as the Minimum Requirements for Risk Management framework in Germany and the European Banking Authority's Guidelines, which set out provisions for these outsourcing agreements. Now there is a uniform standard to which all such agreements must be adapted.
One further key objective of DORA is incident reporting and response. Financial services sector entities must report major ICT-related incidents to the competent authorities and have robust mechanisms in place for incident response and recovery. This is the only way supervisory authorities can respond to IT incidents, issue warnings if necessary, and adapt resilience checks to real-life incidents. Supervisory authorities currently see it as a major problem that they often do not learn about relevant security incidents at all, or only learn about them too late. This also makes supervision less efficient overall. A functioning flow of information about imminent cyber risks will help the industry adapt its security systems and respond appropriately.
What are ICT risks according to DORA?
- Cyber attacks: Unauthorised access, data breaches, and malware attacks that can disrupt operations and compromise sensitive information.
- System failures: Hardware or software malfunctions that can lead to significant downtime and operational disruptions.
- Third-party risks: Vulnerabilities introduced through third-party service providers, which can affect the overall security and resilience of the financial entity.
- Data loss: An accidental or malicious loss of data, which can impact business continuity and regulatory compliance.
- Operational errors: Human errors in managing ICT systems that can lead to security breaches or operational inefficiencies.
What are the key elements of DORA?
ICT risk management: DORA provides a comprehensive risk framework with regulations and standards for financial institutions and service providers to appropriately manage and reduce ICT risks. The requirements serve to maintain and, if necessary, restore the functionality of financial institutions. Financial institutions must establish:
- An internal governance and control framework to ensure prudent management of ICT risks
- A comprehensive ICT risk management framework as part of their overall risk management, with the following elements: identification of ICT-supported functions; protection and prevention; detection; response and recovery of ICT systems and data; learning and development; and communication
Management processes should be in place for handling, monitoring, logging, and reporting ICT-related incidents (reporting requirements and voluntary reporting for significant cyber threats).
Digital operational resilience testing: Financial institutions should establish a risk-based, proportionate testing programme that includes periodic stress tests. Micro-entities are exempt from this testing requirement. Advanced threat-led testing of ICT tools, systems, and processes is required for a small number of financial institutions that meet specific criteria.
ICT third-party risk: Financial institutions should assess and monitor ICT third-party risks. In particular, they should perform an ex-ante risk assessment and due diligence prior to concluding a contract, establish specific requirements for the contractual provisions with the third party, and track all concluded ICT contractual relationships in an information register.
Oversight of critical ICT third-party service providers: The development of a European oversight framework for critical ICT third-party service providers is a new element of EU financial market regulation. Which providers count as "critical" is determined by the European supervisory authorities. The competent supervisory authorities have direct information, control, and audit rights vis-à-vis a critical ICT third-party service provider, enforceable by penalty payments.
Information sharing: DORA encourages financial institutions to share information and intelligence about cyber threats (with notification to the competent authorities as soon as participation in such an information-sharing arrangement is confirmed or ends).
How can financial institutions and ICT service providers prepare for new regulations?
Preparing for DORA requires financial institutions and ICT service providers to comprehensively analyse their digital infrastructure and processes. They need to identify all relevant risks, take preventive measures, develop contingency plans, and ensure that all third-party providers meet the same high standards.
Only by planning ahead and consistently implementing resilience strategies can organisations meet DORA’s requirements and ensure their digital operational capability in the long term:
- Governance and risk management: Financial institutions must implement clear governance structures and risk management systems to identify and manage digital risks. This includes the introduction of internal processes for risk assessment and mitigation.
- Operational resilience: Companies must ensure that their IT infrastructures and processes are resilient to various types of disruption, such as cyberattacks, natural disasters, or technological failures.
- ICT security and incident management: DORA requires the implementation of robust ICT security strategies, including the ability to detect, report, and respond to security incidents.
- Disaster and crisis management: Organisations must develop contingency plans that ensure rapid recovery of services in the event of an outage.
Strengthening relationships with third-party providers:
- DORA places particular emphasis on collaboration with third-party providers of ICT services. Financial institutions must ensure that their third-party providers meet the same security and resilience standards and that contractual agreements set out clear requirements regarding ICT security and operational capability.
- Financial institutions must regularly conduct a risk analysis of their third-party providers and ensure that the failure of a critical service provider does not result in an uncontrollable operational risk. This particularly applies to ICT service providers, cloud services, and similar.
Implementation of a Continuous Monitoring and Testing Program:
- Regular testing of security mechanisms (through penetration testing) is required to identify and address vulnerabilities in digital infrastructure at an early stage.
- DORA requires companies to regularly assess the resilience of their digital systems and processes to identify potential vulnerabilities that could jeopardise business operations in the event of a crisis.
Reporting incidents:
- Financial institutions must promptly report incidents that affect digital operational resilience (such as security vulnerabilities and data breaches). DORA requires incidents to be reported to the relevant regulators within 24 hours of discovery.
- A central point of contact for reporting ICT security incidents must be established, which is responsible for internal coordination and for communication with the regulatory authorities.
Training and raising awareness:
- All employees must receive regular training on security protocols and emergency measures to ensure quick and effective action in the event of a crisis.
- Senior management should be involved in the strategic planning and implementation of DORA requirements to ensure the entire organisation understands the importance of digital resilience.
Adapt IT infrastructure and architectures:
- Financial institutions need to structure their IT infrastructures so they are resilient to outages. This can be achieved through redundant systems, multi-cloud strategies, and geographic diversification.
- Outdated systems and technologies must be updated to avoid security vulnerabilities and improve resilience.
Compliance and regulators:
- Financial institutions and ICT service providers must ensure they meet all relevant DORA provisions. Regulation compliance is verified by the relevant supervisory authorities, and violations can result in heavy fines.
- All measures to improve digital resilience should be documented and provided to supervisory authorities upon request.
What happens in the event of noncompliance with DORA?
The consequences of noncompliance with DORA can be severe, ranging from financial penalties to reputational harm, operational disruptions, and legal liabilities. Given the critical importance of operational resilience and cybersecurity in the financial sector, financial institutions and their third-party service providers must ensure they comply with the regulation to avoid tough actions and restrictions by the regulatory authorities.