The ever-increasing risk of cyberattack has prompted the EU to adopt legislation to improve the cybersecurity and operational resilience of the financial services sector: the Digital Operational Resilience Act (DORA). DORA was introduced to ensure that the European financial sector can remain resilient during volatile times.
The main aim of the DORA act is to strengthen the IT security of financial entities such as banks, investment firms and insurance companies. It also complements laws such as the General Data Protection Regulation (GDPR) and Network and Information Security Directive (NISD).
What does the DORA act do?
The Digital Operational Resilience Act sets requirements for the security of the information systems and networks of organisations operating in the financial sector. It also covers critical third parties that provide ICT (Information and Communication Technology) related services to these organisations, such as data analytics services or cloud platforms.
The DORA act creates a regulatory framework for digital operational resilience whereby all firms need to make sure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. These requirements are homogeneous across all EU member states. The core aim is to prevent and mitigate cyber threats.
The Digital Operational Resilience Act package
The DORA act is part of a larger digital finance package, which aims to develop a European approach that fosters technological development and ensures financial stability and consumer protection. In addition to the DORA proposal, the package contains a digital finance strategy, a proposal on markets in crypto-assets (MiCA) and a proposal on distributed ledger technology (DLT).
According to the European Council of the European Union, this package bridges a gap in existing EU legislation by ensuring that the current legal framework does not pose obstacles to the use of new digital financial instruments and, at the same time, ensures that such new technologies and products fall within the scope of financial regulation and operational risk management arrangements of firms active in the EU. Thus, the package aims to support innovation and the uptake of new financial technologies while providing for an appropriate level of consumer and investor protection.
Adoption of the DORA act
The DORA proposal has now been formally adopted by the EU and aspects that require national transposition will be passed into law by each EU member state. At the same time, the relevant European Supervisory Authorities (ESAs), such as the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA), will develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance monitoring and enforce the regulation as necessary.
The DORA act across Europe
EU member states will each need a national strategy to enhance the resilience of critical entities, carry out a risk assessment at least every four years and identify the critical entities that provide essential services. According to DORA, critical entities will need to identify the relevant risks that may significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the competent authorities.
Digital Operational Resilience Act 101
According to the official DORA website, digital operational resilience is the ability of a financial entity to build, assure and review its operational integrity from a technological perspective. The entity must be able to ensure, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which the entity makes use of, and which support the continued provision of financial services and their quality.
Let’s take a closer look at what governance and organisational steps should be considered following the implementation of the DORA act:
- The internal governance and control frameworks should ensure an effective and prudent management of all ICT risks.
- The management body bears the final responsibility for managing the financial entity’s ICT risks and must set clear roles and responsibilities for all ICT-related functions.
- The management body is also responsible for determining the financial entity’s appropriate ICT risk tolerance level, and for approving, overseeing and reviewing the implementation of the financial entity’s ICT Business Continuity Policy and ICT Disaster Recovery Plan.
- Approving and periodically reviewing the ICT audit plans, ICT audits and material modifications to them.
- Allocating and periodically reviewing an appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including training on ICT risks and skills for all relevant staff.
- Approving and periodically reviewing the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers, and being informed of the arrangements concluded with ICT third-party service providers on the use of ICT services, of any relevant planned material changes regarding those providers, and of the potential impact of such changes on the critical or important functions subject to those arrangements.
- A sound, comprehensive and well-documented ICT risk management framework to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.
- The need for an information security management system based on recognised international standards and in accordance with supervisory guidance.
- The segregation of ICT management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.
- The rules for the timely verification and remediation of critical ICT audit findings, taking into consideration the conclusions from the audit review, while having due regard to the nature, scale and complexity of the financial entity’s services and activities.
- The digital resilience strategy setting out how the framework is implemented.
- The identification, classification and documentation of all ICT-related business functions, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems.
- The identification of all sources of ICT risk, in particular the risk exposure to and from other financial entities, and the assessment of cyber threats and ICT vulnerabilities relevant to the ICT-related business functions and information assets.
- The detection of anomalous activities, including ICT network performance issues and ICT-related incidents, and the identification of all potential material single points of failure.
- The ICT Business Continuity Policy through dedicated, appropriate, and documented arrangements, plans, procedures, and mechanisms.
- ICT-related incident reviews after significant ICT disruptions of core activities, including analysis of the causes of disruption and identification of required improvements to the ICT operations or within the ICT Business Continuity Policy.
- Communication plans enabling a responsible disclosure of ICT-related incidents or major vulnerabilities to clients and counterparts, as well as to the public.
- The need to establish, maintain and review a sound and comprehensive digital operational resilience testing programme, as an integral part of the ICT risk management framework.
- ICT concentration risk, and sub-outsourcing arrangements.
- Designation of critical ICT third-party service providers.
- The role of the Lead Overseer to assess whether each critical ICT third-party service provider has in place comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage the ICT risks.
- Investigations of ICT third-party service providers.
- Information-sharing arrangements on cyber threat information and intelligence.
- Administrative penalties and remedial measures.
- Criminal penalties.
- Professional secrecy.
Benefits of the Digital Operational Resilience Act
By adhering to DORA guidelines, organisations in the financial sector will become more robust. Addressing DORA security concerns will improve the cybersecurity posture of any organisation and increase its viability in the financial services industry. With that in mind, the benefits of the Digital Operational Resilience Act include:
- Better risk assessments
- Faster decision-making
- Stronger IT estate management
- A pathway for investment and growth
RiskXchange and the DORA act
RiskXchange offers a wide range of security services alongside the RiskXchange Platform to help any organisation build the best cybersecurity plan. RiskXchange can also help you stay on the right side of data privacy regulations anywhere in the world. Some of the areas in which support can be provided include:
- Building an understanding of which privacy regulations impact your organisation
- Keeping your projects on track without running into compliance blockers in the future
- Helping you recognise what information you can collect from your customers and users
- Advising on how you can prove compliance to investors or business partners, including FISMA compliance
- Assessing which third-party tools are compliant
- Helping you identify privacy risks or gaps that you may be unaware of
Get in touch with RiskXchange to find out more about how the Digital Operational Resilience Act (DORA) affects you.