Preamble 31 to 40, Digital Operational Resilience Act (DORA)

by Sneha Naskar

The EU's Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) aims to strengthen the operational resilience of the EU financial sector against cyber threats and ICT-related risk. DORA promotes Union-wide measures for effective information sharing, collective action, and robust ICT risk management to safeguard financial stability. The following sections summarize recitals 31 to 40 of the Regulation's preamble, which cover information sharing, collective action, proportionality, the responsibilities of management bodies, and the baseline requirements for digital operational resilience.


31. Enhancing Information Sharing

Financial entities remain reluctant to share information with other market participants or with non-supervisory authorities such as ENISA (for analytical input) or Europol (for law enforcement purposes). As a result, the true value of such information often goes unrealized, and exchanges remain limited and fragmented, taking place mainly at local level through national initiatives. There is a clear need for consistent Union-wide information sharing arrangements tailored to the needs of the integrated financial sector so that resilience against ICT risk can be enhanced effectively.

32. Promoting Collective Action And Information Sharing

Financial entities should be encouraged to collectively leverage their knowledge and practical experience across strategic, tactical, and operational levels to enhance their capabilities in assessing, monitoring, defending against, and responding to cyber threats. Establishing voluntary information sharing mechanisms at the Union level, conducted in trusted environments, would empower the financial community to prevent and collectively respond to threats swiftly, thereby mitigating the spread of ICT risks and potential contagion across financial channels. Such mechanisms must comply fully with Union competition law and data protection rules, particularly Regulation (EU) 2016/679.

33. Tailoring Digital Operational Resilience To Financial Entities

Recognizing significant differences in size, business profiles, and exposure to digital risks among financial entities, the application of digital operational resilience rules should be proportionate. Financial entities should allocate resources and capabilities to ICT risk management frameworks that align with their specific needs, while competent authorities continue to assess and adjust regulatory approaches accordingly.


34. Governance Requirements For Larger Financial Entities

Larger financial entities, which possess greater resources and organizational capacity, should establish more complex governance arrangements. These entities are better equipped to manage relationships with ICT third-party service providers, implement crisis management protocols, and organize ICT risk management according to the three lines of defense model. Additionally, they should conduct in-depth assessments following major changes to network and information systems, analyze the risks associated with legacy ICT systems, and extend the testing of business continuity and response and recovery plans to cover switchover scenarios between primary ICT infrastructure and redundant facilities.

35. Targeted Requirements For Advanced Digital Resilience Testing

Only financial entities identified as significant for the purposes of advanced digital resilience testing should be required to perform threat-led penetration tests. The administrative processes and financial costs associated with such tests should be proportionate to the scale and complexity of the entities involved. Likewise, to keep the regulatory burden proportionate, only financial entities that are not microenterprises should be required to report regularly to competent authorities on the costs and losses caused by ICT disruptions and on the results of post-incident reviews following significant ICT disruptions.

36. Role Of Management Bodies In ICT Risk Management

Management bodies of financial entities play a crucial role in steering and adapting ICT risk management frameworks and overall digital resilience strategies. Beyond ensuring ICT system resilience, management bodies should promote a culture of cyber risk awareness and adherence to cyber hygiene throughout the organization. This approach underscores the management body's ultimate responsibility for overseeing ICT risk management and maintaining continuous engagement in monitoring these efforts.

37. Ensuring Financial Investment In Digital Operational Resilience

Management bodies must ensure sufficient ICT investments and budget allocation to achieve the financial entity's digital operational resilience baseline. This commitment is essential to support ongoing efforts in enhancing ICT systems and resilience capabilities, thereby safeguarding the entity against evolving cyber threats.

38. Alignment With International Standards

This Regulation draws on relevant international, national, and industry standards, guidelines, recommendations, and approaches to managing cyber risk. Financial entities remain free to choose the ICT risk management model that delivers the required functions (identification, protection, detection, response and recovery, learning and evolving, and communication), but they must follow any specific supervisory instructions on the use and incorporation of international standards.

39. Maintaining Technological Resilience

Financial entities must maintain updated ICT systems with sufficient capacity to process data necessary for service performance, ensuring technological resilience to handle additional processing needs under stressed market conditions or adverse situations. While this Regulation does not mandate standardization of specific ICT systems, tools, or technologies, it promotes the use of European and internationally recognized technical standards or industry best practices, subject to supervisory guidance.

40. Business Continuity and Recovery Planning

Effective business continuity and recovery plans are essential for financial entities to resolve ICT-related incidents promptly, in particular in the case of cyber-attacks. Backup systems should begin processing without undue delay, unless starting them would jeopardize the security of the network and information systems or the integrity or confidentiality of data.
