DORA regulations: 5 key areas and how they’ll impact EU financial services
In recent years, widespread system outages and cyber threats, along with the effects of the Covid-19 pandemic, have placed operational resilience at the top of the priority list for financial regulators, and EU regulatory bodies are no exception.
In fact, on 24 September 2020, the European Commission released its draft Digital Operational Resilience Act (DORA). The legislative proposal is based on existing European risk management regulations that impact information and communications technologies (ICTs) and is expected to come into force in the first half of 2022.
Once the new regulations come into force, EU financial firms will be expected to comply with new rules in the following five key areas:
Digital operational resilience
DORA will establish standardised, EU-wide requirements for digital operational resilience testing. The testing requirements will include vulnerability and network security assessments, gap analysis and testing of software solutions, as well as scenario-based testing, performance testing and penetration testing.
These requirements aim to establish a unified approach to operational resilience standards, bringing them under the EU’s scope for the first time.
Under the new rules, firms in the financial services sector will be expected to establish and maintain resilient ICT systems and tools that are equipped to identify and mitigate ICT risks consistently and reliably.
They will also be required to put in place comprehensive business continuity policies and disaster recovery plans.
ICT incident reporting and management
According to the legislative proposal, financial firms will be required to implement management systems to monitor, describe, and report any major ICT-based incidents to relevant authorities.
This new, standardised approach is likely to result in the creation of a new centralised EU body to oversee and facilitate incident reporting and management.
Building on existing regulations, DORA will encourage financial firms to share cybersecurity information and intelligence with firms in other member states, in an effort to reduce the impact of cyber threats in financial services and strengthen response and recovery capabilities in the European financial sector as a whole.
Third-party risk management
The new regulations establish that third-party ICT providers, including cloud service suppliers, will be regulated by one of the European Supervisory Authorities (ESAs), which will be empowered to request information, issue recommendations and requests, conduct inspections and even impose penalties for non-compliance with the new EU risk management and operational resilience regulations.
Financial services firms will also be required to assess and document any potential risk associated with their third-party ICT service providers, and will be responsible for ensuring that their contracts with such providers specify the providers' regulatory obligations under the new legislation.
The upcoming Digital Operational Resilience Act marks a new chapter for EU institutions, bringing them closer to the requirements set out by UK regulatory bodies to bolster operational resilience in the financial services sector.
Read our whitepaper to learn more about the upcoming regulatory changes and the growing importance of operational resilience in other regions.