11 Months to DORA: EU's New Framework For BFSI

Written by [email protected], AuditCue.

In September 2020, the European Commission unveiled a landmark proposal - the Digital Operational Resilience Act (DORA) - as part of its sweeping Digital Finance Package aimed at fortifying cybersecurity across EU financial institutions. Once finalized, DORA will enforce strict standards for risk management, reporting, resilience testing and more. This far-reaching regulatory shift intends to safeguard financial stability in an increasingly digitized and interconnected finance system facing escalating cyber threats.

With the compliance deadline set for January 2025, financial entities operating in the EU must urgently assess implications and chart their path toward improved operational resilience. Institutions that embrace DORA as an opportunity could transform digitally, reinforcing customer trust and systemic defenses. However, delayed or ineffective adaptation risks leaving firms severely exposed.

The Digital Operational Resilience Act (DORA) and the General Data Protection Regulation (GDPR) are distinct EU regulations, with DORA focusing on enhancing the operational resilience against ICT disruptions in the financial sector, and GDPR aiming to protect personal data and privacy rights across all sectors. Unlike GDPR, which mandates strict data handling and breach notification protocols to safeguard individual privacy, DORA introduces requirements for financial entities around ICT risk management, resilience testing, and incident reporting, specifically targeting the stability and integrity of the financial sector's digital infrastructure. While both regulations prescribe penalties for non-compliance, their objectives, scope, and enforcement mechanisms are tailored to address different aspects of the digital and data protection landscape.

The 5 Pillars of DORA

DORA focuses on digital resilience across 5 key pillars:

• ICT Risk Management: It is essential to have robust frameworks that continuously monitor and identify key digital systems, data, and connections. These frameworks should link potential threats to their possible effects on financial operations, reputation, and more, while also adapting to new cyber threats. This approach guides investment towards the most critical risks.

• ICT-Related Incident Reporting involves two key aspects:
  • Internal Reporting aims to swiftly pinpoint and evaluate operational incidents to mitigate impacts on customers or regulators and to uncover the underlying issues.
  • External Reporting ensures that significant incidents are reported to authorities, providing regulators with insights necessary for policy development and industry-wide analysis.
• Digital Operational Resilience Testing: Financial institutions are required to conduct stress tests on their resilience strategies through scenarios such as DDoS attacks and widespread service outages, establishing clear recovery objectives. This process checks the effectiveness of contingency plans and fosters continuous improvement.

• Management of ICT Third-Party Risk: It's imperative for financial organizations to maintain strong contracts, monitoring policies, and testing procedures for all critical external ICT service providers. This ensures adherence to the same standards of security and resilience.

• Information Sharing: Promotes the exchange of cyber intelligence among national agencies and between companies. This collaboration enhances understanding of threats, vulnerabilities, and new tactics, helping to stay one step ahead of cybercriminals.

Forward-leaning institutions should embrace DORA, not just for compliance, but for underpinning long-term digital resilience. Elevating defenses now will pay dividends in customer confidence, operational continuity, and preparedness for the challenges of 21st century finance.

If you'd like to be a part of a working group of experts who're building their companies to be ready for DORA-specific changes, please reach out to [email protected].