DORA Directive: The Climax of Resilience in the European Economic System

Originally published by Devoteam.

One in two cyber attacks was successful in the Eurozone (European Central Bank statistics for the year 2022). Despite efforts in recent years by various stakeholders, this figure struggles to decrease, indicating that only structural decision-making will be able to reverse this trend.

In the context of a persistent and evolving Cyber threat, the European Union aims to strengthen the defense lines of the entire financial sector with a new, broad, and ambitious text: the Digital Operational Resilience Act (DORA).

DORA should not be seen as just another text on cybersecurity in Europe. On the contrary, the European Union appears to be showing major pragmatism in two respects:

• By harmonizing rules at the European level, as each State has tended to impose its own cybersecurity strategies in recent years. This is especially true since DORA is part of a broader framework of the EU’s new cybersecurity strategy for the digital decade and the 2020-2025 strategy for a Security Union, alongside texts like the Cyber Resilience Act or NIS2.
• A comment could also be made about the adoption of a regulation that directly applies to Member States without needing transposition into national law, a method that allows the European Commission to ensure that the text is not distorted at the national level;
• By reversing the paradigm of a Europe being imposed a regulatory and technical framework, notably American.

This pragmatism is indeed the strength of this text, which starts from solid findings by enabling the financial industry to strengthen its capacity to prevent, contain, and respond to cybersecurity and operational incidents, counterbalancing the hegemony and internationalization of some regulations. More importantly, through this tool, operational resilience becomes a structural component in the European economic ecosystem and a cornerstone of its financial stability.

A central element of DORA lies in its approach that encompasses not only financial entities themselves but also all externalities: subcontractors, service providers, including Cloud service providers. To the traditional Risk Management is added the logic of accountability, proven in other regulations like the GDPR. This responsibility logic ensures that all processes within DORA’s compliance perimeters are taken into account and that resilience is guaranteed in an ecosystem where services are increasingly outsourced. This approach will require an increase in the importance of managing third-party inherent risks through strategies too often neglected by companies.

Third Party Risk Management is one of DORA’s major innovations: like the GDPR, cybersecurity consideration with third parties will require:

• A prior compliance for IT service providers to the financial sector. In this sense, DORA will apply by trickle-down to the entire chain of actors involved in the concerned perimeter;
• The obligation for financial entities to more finely identify important or critical digital assets of their information systems, and more broadly of externalities. The definition of an important or critical function in the texts is very broad in DORA, defined as “A function whose interruption, anomaly, or execution failure is likely to seriously harm a financial entity’s ability to continuously meet the conditions and obligations of its accreditation, or its other obligations arising from applicable financial services legislation, or to its financial performance or the solidity or continuity of its services and activities.”;
• The obligation for financial entities to have broader internal control means, involving an evaluation of the audit process and internal control and adjusting it as necessary. These obligations in terms of internal controls and resilience tests are the subject of many questions about their technical nature. In this respect, the European Commission should provide in the coming months guidelines and clarifications (these are the RTS or Regulatory Technical Standards and ITS Implementing Technical Standards) to help actors comply. One thing is certain: these will have to be proportional, periodic, but also comprehensive and documented, including third parties…

The success of financial entities’ compliance with DORA should, like the GDPR a few years ago, be a significant “challenge” for the actors of the European financial ecosystem while allowing them to guarantee a structured response to the resilience of systemic financial entities, ensuring homogeneous management of operational risks without reducing the sector’s capacity for innovation to meet market expectations.

This point is one of the complexities of the regulation not to be subject to the identification of loopholes by the concerned institutions, but to use it as an asset in a highly competitive environment.

For an even more complete analysis of the DORA directive, see our white paper : Ensure you Cyber Compliance with DORA