The Digital Operational Resilience Act, what to expect?
Digital Operational Resilience Act Summary:
The Digital Operational Resilience Act (DORA), which applies from January 2025, aims to preserve “stability in the Union’s financial system” and maintain “trust in financial markets” by regulating one specific risk: the resilience of information and communication technology (ICT) in the face of cyber attacks.
Our world is extremely interconnected, and the digitalisation of services has become a must in every sector, making business activities more efficient. Over the past decade the financial sector too has relied more and more on ICT providers in order to function, and this trend will only grow.
Technology evolves quickly, and this has two consequences: a positive one, as the services offered to clients are constantly optimised, and a negative one, as cyber attacks become more complex and can quickly become systemic.
DORA’s objective is therefore to put in place a dedicated ICT risk management framework that secures the “operational resilience, performance and stability of the Union financial system” (DORA, preamble, recital 5).
Impact of DORA on financial institutions:
Compliance with DORA will require financial institutions to build a dedicated risk management framework for their ICT third-party providers. Internal operational risk management is also concerned: where the ICT provider is part of the financial entity itself (an intra-group provider), risk management still has to be implemented, although in a simplified form.
DORA’s framework focuses on the ICT that supports the financial entity’s critical or important functions, but all ICT will still need to be monitored.
The three areas of financial institutions that DORA compliance projects will affect most are:
the pre-contractual process (mainly the evaluation structure that has to be created and the adaptation of the existing workflow)
the operational risk management process (mainly the creation of a dedicated ICT framework and its integration into the financial entity’s existing operational risk management, but also all related processes: business continuity, technical recovery plans, detection of cyber incidents, etc.)
the compliance process (mainly the audit methods used to assess a third party’s risk management maturity, as well as the reports requested by the European Supervisory Authorities (ESAs) on the DORA compliance requirements).
The internal processes of financial entities will thus be strongly affected, in their structure as well as in their content. Many months of internal projects will be needed to ensure compliance with DORA, and the programme must be followed at a senior level to keep all subprojects consistent with one another.
ICT companies and Digital Operational Resilience Act:
ICT companies will see impacts on the same three process areas as the financial institutions above, and more.
In addition, ICT companies established outside the European Union may be required to set up a subsidiary in the Union, and all ICT companies will have to give a clear view of their subcontractors and of the countries in which those subcontractors are established.
Cooperation agreements with countries outside the Union are being strengthened so that the ESAs can fully assess an ICT company’s operational resilience risk.
Substantial penalties are provided for any ICT company that does not cooperate fully or does not follow the ESAs’ recommendations. A company may submit a written justification for not following a recommendation, but where an ICT company is found uncooperative, the restriction on its working in the Union will be made public and financial entities may be pushed to terminate their contracts with it.
Many ICT companies have subcontracted parts of their operations or services to third countries for cost reasons. With DORA they may face a harder strategic choice if they want to remain profitable, and we can expect many “small” ICT companies to turn to clients (financial institutions) outside the Union, leaving a larger market share in Europe to the bigger ICT companies.
For the ICT companies that remain, transparency and evidence of a resilient internal system are what will let them retain their customers and win new ones. ICT companies responding to tenders will also have to adapt their responses, as DORA compliance will carry more weight in the decision during the pre-contractual phase.
DORA Cybersecurity regulations:
The Digital Operational Resilience Act adds a more detailed regulatory layer on top of the existing cybersecurity regulations. All regulations already applicable on the matter, such as Regulation (EU) No 909/2014, Regulation (EU) No 648/2012 and many others, remain in force.
Amendments to the existing texts have nonetheless been made so that each remains coherent and so that ICT operational resilience is fully covered by the supervisory authorities in charge of DORA audits.
The agenda behind DORA?
As mentioned above, DORA implies many internal transformations for both financial institutions and ICT companies.
Beyond the need to be DORA compliant, the regulators’ objective is to build a general map at European level (and extend it as far as possible) in order to block, quickly and if possible proactively, the spread of cyber attacks across the whole financial system.
The regulators’ general map is also intended to give a clear picture of:
ICT companies holding strong shares in their market
Interdependencies of critical and important functions of financial entities that rely on ICT providers
Subcontracting chains behind ICT companies
The regulators are pushing all parties to communicate more with the European Supervisory Authorities about cyber incidents and cyber threats. In the meantime, and before this information can be reported using the standardised templates and level of detail, thousands of internal structures are being transformed as we speak, in financial institutions and in ICT providers alike.