
DORA – adding value to financial services

The COVID-19 pandemic prompted consumers to move online and, in response to the changing nature of demand, the financial services sector adopted services, tools and functions that are increasingly dependent on Information and Communications Technology (ICT). In addition, as a way of achieving economies of scale, firms relied on ICT third-party providers to support their changing ICT needs. While this meant that the sector was able to respond successfully to the shift in demand, it also introduced significant cyber risk.

Against the backdrop of this post-pandemic reliance on ICT and outsourcing, the European Union’s (EU) regulatory framework on cybersecurity for the financial sector was fragmented and complex, which created unnecessary barriers for market players. In 2020, the Commission released a proposal for a Regulation known as the Digital Operational Resilience Act (DORA), which aims to increase the financial sector’s digital operational resilience by setting new requirements for firms and harmonising the regulatory framework. The DORA Regulation is expected to come into force in the first quarter of 2023 and to become fully applicable within the first quarter of 2025, following a two-year implementation period.

The scope of the Regulation is broad and will impact most of the financial services sector. The Regulation introduces requirements for financial entities in the areas of ICT risk management, incident reporting, digital operational resilience testing and advanced testing through Threat-Led Penetration Testing (TLPT), the management of ICT third-party risk (including an oversight framework for critical ICT third-party providers), and voluntary information-sharing arrangements between financial entities. Moreover, the Regulation is built upon the principle of proportionality and consists of three principal proportionality layers. The first layer applies the main provisions in accordance with financial entities’ size and overall risk profile, as well as the nature, scale and complexity of their services, activities and operations. The second layer is essentially a simplified ICT risk management framework for specific financial entities. The third layer exempts microenterprises from some of the requirements.

While DORA is arguably a job for a firm’s compliance, risk management, audit and ICT functions, the Regulation impacts the business in a holistic manner. By setting requirements that increase resilience, the Regulation can add trust and value to businesses and their partners. For instance, by regularly subjecting themselves to testing regimes, firms can learn from the outcomes of these tests and be better placed to mitigate, deter or manage a possible ICT-related incident. In turn, this builds stakeholders’ trust in the entity’s ICT capabilities and resilience, in addition to preventing the immediate capital loss and drop in consumer confidence that follow an incident. This is especially important for the financial sector, which is increasingly being targeted by threat actors.
