Strengthening Cybersecurity: The Impact of the Digital Operational Resilience Act

In an era where digital threats are ever evolving, the European Union has introduced the Digital Operational Resilience Act (“DORA”) to fortify the financial sector’s defences. DORA is part of the European Commission’s Digital Finance Strategy and is designed to ensure that financial entities can withstand, respond to and recover from ICT-related disruptions. DORA aims to create a more secure and resilient financial ecosystem by implementing robust ICT risk management, incident reporting, resilience testing, third-party risk management and information sharing.

The scope of DORA encompasses a broad spectrum of regulated financial entities. This includes banks, payment processors, investment firms, crypto-asset service providers, trading platforms and both insurance and reinsurance companies. Additionally, for the first time, third-party ICT service providers are also brought under the scope of the European Supervisory Authorities (“ESAs”). This regulation not only safeguards financial institutions but also enhances the stability and trust in the financial system as a whole. From 17 January 2025, DORA will apply to all financial entities operating within the European Union.

The European Commission has introduced technical standards to support DORA that will provide regulatory guidance in respect of certain key areas. These standards will assist in-scope entities as they begin to prepare for compliance with DORA over the coming months.

5 Key Pillars of DORA

DORA breaks down digital operational resilience into five essential pillars.

1. ICT Risk Management: Entities regulated under DORA are required to establish an internal governance and control system that ensures the effective and prudent management of ICT risks, aiming to achieve a high level of digital operational resilience. The management body of the entity holds the ultimate responsibility for ICT risk management, including defining, approving, overseeing, and ensuring the implementation of all aspects related to the ICT risk management framework.

2. Incident Reporting: This pillar standardises the process for in-scope entities to report incidents to the ESAs. It requires that institutions implement adequate systems to monitor, detect, describe, report and analyse significant incidents of cyber threat. Due to DORA’s emphasis on transparency, the incident reporting framework must incorporate procedures for notifying both internal and external stakeholders about incidents.

3. Digital Operations Resilience Testing: This pillar mandates that financial institutions perform regular assessments to gauge their resilience against cyber threats. The objective of this pillar is to ensure that financial institutions can withstand potential cyber-attacks. They must analyse their responses and implement necessary improvements based on the test outcomes to enhance their practices.

4. Third Party Risk Management: This pillar seeks to safeguard operational resilience among European financial institutions by ensuring that third-party relationships are governed by comprehensive contracts. Furthermore, entities within the scope of DORA must perform continuous due diligence and maintain robust off-boarding procedures with their third-party providers.

5. Information Sharing: This pillar requires financial institutions to implement measures to collaborate with one another and share best practices and lessons learned across the sector. Organisations must ensure that information is exchanged securely and is GDPR compliant. The aim of this pillar is to enhance awareness of operational resilience within the industry.

Penalty for Non-Compliance

Entities that fail to comply with DORA’s mandates will face penalties enforced by the ESAs. These fines can reach up to 2% of the firm’s annual global turnover. Individuals may be fined up to €1 million.

Critical third-party providers, as designated by the ESAs, are subject to even steeper penalties for non-compliance, with fines up to €5 million or, for individuals, a maximum of €500,000. Additionally, financial entities that neglect to report significant ICT-related incidents or threats may incur fines from the ESAs.

Conclusion

DORA encompasses all entities within the financial services sector, including both traditional and digital banks, e-money and payment institutions, insurance and reinsurance companies, asset managers, credit institutions, and private equity firms. This regulation mandates that these organisations meticulously document the oversight and management processes of critical third-party providers within their ICT risk management frameworks.

The reliance on third-party services, such as cloud computing and SaaS providers, introduces new risks to financial institutions and the broader market. The July 2024 CrowdStrike outage, which disrupted operations for airlines, banks, professional services firms, and numerous other companies, exemplifies the far-reaching consequences of incidents involving third-party providers. DORA seeks to strengthen financial institutions’ procedures and policies for managing third-party relationships, ensuring thorough due diligence and effective response strategies in the event of third-party incidents.

For more information about DORA, please contact Yolanda Kelly, Director of Client Services.