Meet DORA: not the TV character, but the Digital Operational Resilience Act, a new EU regulation for the financial sector.
Enforceable from January 2025, its primary objective is to establish a unified framework for managing ICT risks in the EU financial industry.
By setting standardized requirements and guidelines, DORA aims to ensure financial entities can effectively withstand disruptions, cyber threats, and other challenges in an increasingly digital landscape. This article explores its impact on financial entities and critical third-party providers, including cloud service providers and data centers.
Key Drivers Behind DORA
- ICT’s Role in the Digital Age: In a tech-driven world, ICT’s importance has surged, especially post-pandemic, amplifying both its benefits and risks. The act recognizes this by highlighting that increased digitalization and interconnectivity heighten the vulnerability of society, particularly the financial system, to cyber threats and ICT disruptions.
- Systemic Vulnerability and Financial Stability: The European Systemic Risk Board (ESRB) underscores how interconnected ICT systems in finance can trigger systemic vulnerability. Even localized cyber incidents can swiftly spread across financial entities, jeopardizing the entire system, leading to liquidity issues, and eroding trust.
- Elevated Resilience Priority: Previous reforms focused on economic and market aspects, leaving resilience in the background. DORA now treats resilience as pivotal, requiring uninterrupted provision of financial services across the Union, even in challenging situations, while upholding consumer and market trust.
- Harmonization and Supervision: Despite a unified Single Rulebook and European financial supervision, inconsistencies persist. DORA addresses this gap by emphasizing that digital operational resilience and ICT security must be harmonized to ensure stability, rectifying the present discrepancy.
DORA - It’s not just about cybersecurity
DORA goes beyond cybersecurity, highlighting the importance of preventing Internet disruptions. The act underlines the continuous “monitoring and control of the security and functioning of ICT systems and tools” to mitigate risks.
Notable components include:
Article 8, Identification: Financial entities must “identify all sources of ICT risk” and assess relevant cyber threats and vulnerabilities concerning their ICT-supported functions and assets.
Article 9, Protection and Prevention: Financial entities must “continuously monitor and control the security and functioning of ICT systems and tools,” minimizing the impact of ICT risks through effective security tools, policies, and procedures.
Article 10, Detection: The regulation calls for mechanisms to “promptly detect anomalous activities,” including ICT network performance issues, incidents, and potential single points of failure.
Impact of DORA on Financial Institutions and Third-Party Providers
DORA’s implications for financial institutions are significant: boards are held accountable for ICT risk. Additionally, institutions must map their dependencies on ICT third-party providers, diversify their procurement mix, and establish comprehensive incident management processes.
While the financial industry is accustomed to stringent regulation and government oversight, the third-party IT providers that support financial entities, such as data centers and cloud services, generally are not. DORA’s implementation will require them to adhere to stringent cybersecurity and operational resilience standards, ensuring their ICT systems and tools are continuously monitored and controlled to mitigate risks.
DORA grants regulators the authority to investigate and review the software and hardware of financial services companies, impose changes to bolster network resilience, and levy fines for non-compliance. Furthermore, regulators can terminate contracts between financial entities and third-party IT service providers if stability or security risks to the financial network are identified.
Resilience: The Key to Meeting DORA’s Mandate
DORA unequivocally emphasizes the need for continuous monitoring and control of security and ICT tools to mitigate risk. Yet, while most companies nowadays have monitoring tools in place, they tend only to monitor their own applications and tools. Further complicating matters, the Internet has become the primary enterprise network and is now more vulnerable than ever.
Meeting DORA’s mandate demands a broader approach. Companies must extend their visibility beyond their own applications and services with an Internet Performance Monitoring solution that covers the entire Internet Stack: the tangled web of networks, protocols, agents, and sub-systems their services depend on, including core elements of the Internet such as BGP, DNS, and CDNs. Only then will they achieve the type of robust resilience mandated by DORA.