European Commission's Digital Resilience Act: Safeguarding Online Stability

May 29, 2024 by Sneha Naskar

The Digital Operational Resilience Act (DORA) is a significant regulatory framework introduced by the European Commission in September 2020 as part of its broader digital finance package. The act aims to strengthen the digital operational resilience of the European Union's financial sector by establishing uniform standards for managing risks related to information technologies and the security of networks and information systems. DORA was officially adopted in December 2022 and is set to apply from January 2025, harmonizing rules related to operational resilience for 21 different types of financial entities. The regulation represents a major step forward in regulating IT-related risks within the European Union, unifying and extending existing standards and requirements at both European and national levels.

Objectives And Importance Of DORA

The primary objective of DORA is to ensure that all participants in the financial system have the necessary safeguards to mitigate cyber threats and maintain operational resilience. This includes a wide range of entities such as banks, insurance companies, investment firms, and critical third-party service providers like cloud computing services.

The inception of DORA is rooted in the financial sector's increasing dependency on digital technologies and the vulnerabilities that come with it. Over recent years, the financial industry has undergone significant digital transformation, which, while beneficial, has also introduced new risks and challenges.

The European Commission proposed DORA in 2020, recognizing the need for a comprehensive approach to bolster the cybersecurity and operational resilience of the financial sector. The regulation aims to create a harmonized framework to ensure the continuity of financial activities in the face of cyber-attacks and strengthen the digital operational resilience of financial entities.

Scope And Applicability Of DORA

The DORA regulation primarily impacts companies in the European Union's financial sector, including traditional organizations (credit institutions, investment firms) and more recent organizations (payment organizations, e-money companies, asset management companies, insurance and reinsurance companies). The regulation also covers ICT service providers considered critical to the EU financial services sector.

Microenterprises and very small enterprises with fewer than 10 employees or annual sales of less than €2 million are exempt from DORA. The regulation requires financial entities to rapidly inform the supervisory authorities in the event of major ICT-related incidents.

Key Pillars Of DORA

The DORA regulation includes several key pillars to reinforce digital operational resilience in the European Union's financial sector:

1. ICT Risk Management

The DORA regulation requires management to take responsibility for ICT risk management, identify critical functions, and put in place a risk management framework based on international standards, to be reviewed annually. This framework must include a digital resilience strategy, regular audits, and cybersecurity training for the management team and all company employees.

2. Reporting ICT Incidents

DORA establishes a harmonized detection and reporting system, requiring companies to submit initial, interim, and final reports in the event of major ICT incidents. These reports must make it possible to assess the significance of the incident and its possible repercussions beyond national borders. European authorities will be able to issue instructions to limit the consequences as soon as the initial report is received and will publish an annual report on ICT incidents.

3. Digital Operational Resilience Testing

Financial entities will be required to conduct regular resilience testing to identify vulnerabilities, ensure business continuity, and comply with regulatory standards. The testing should involve critical service providers and maintain documentation for reporting and corrective actions.

4. ICT Third-Party Risk Management

DORA focuses on overseeing the risks posed by critical ICT service providers to financial entities, ensuring proper risk management. Financial institutions must adopt and regularly review a strategy on ICT third-party risk, maintain a register of information, control outsourcing contracts and arrangements, and perform ICT concentration risk assessments before entering into new contractual arrangements.

5. Information Sharing

The regulation encourages the sharing of cyber threat information within trusted financial communities. The objective of such information-sharing is to raise awareness of new cyber threats, reliable data protection solutions, and operational resilience tactics, and thereby to enhance operational resilience across the sector.

DORA Compliance Framework

Timeline And Compliance With DORA

Although DORA came into force on January 16, 2023, its effective application will begin in 2025, with a 24-month preparation period for financial institutions to align their operational resilience frameworks with the new regulations.

To comply with DORA, affected entities must incorporate practices such as establishing a sound, comprehensive, and well-documented ICT risk management framework, implementing reliable early warning indicators of ICT disruptions, and conducting regular resilience testing. Financial institutions must also maintain documentation for reporting and corrective actions and ensure that critical service providers comply with DORA requirements.

Conclusion

The Digital Operational Resilience Act (DORA) represents a significant step forward in regulating IT-related risks within the European Union. By establishing uniform standards for managing risks related to information technologies and the security of networks and information systems, DORA aims to strengthen the digital operational resilience of the EU's financial sector and ensure the continuity of financial activities in the face of cyber threats. As financial institutions prepare to implement DORA in 2025, they must align their operational resilience frameworks with the new regulations, focusing on ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. By embracing the principles of DORA, the European financial sector can enhance its cybersecurity posture and maintain the stability and trust necessary for sustainable growth in the digital age.