The financial sector’s dependence on digital solutions is almost total, as it is the only way to offer innovative and competitive services to its customers. However, this also increases exposure to general IT risks, particularly cybersecurity risks, affecting financial stability, consumer protection, market integrity and trust. In addition, the financial sector is an interconnected ecosystem that is, in many situations, internally dependent on service providers, and these dependencies can represent attack vectors, that is, points of vulnerability in the value chain.
On 27 December 2022, the Digital Operational Resilience Act (DORA) was published in the Official Journal of the EU, incorporating a set of legislative acts, in particular Regulation (EU) No. 2022/2554 of the European Parliament and of the Council, of 14 December 2022, Directive (EU) No. 2022/2555 of the European Parliament and of the Council of 14 December 2022 (NIS 2), Directive (EU) No. 2022/2556 of the European Parliament and of the Council of 14 December 2022 and Directive (EU) No. 2022/2557 of the European Parliament and of the Council of 14 December 2022 (CER).
In simplified terms, it comprises a regulation and a directive on digital operational resilience for the financial sector, and this regulation is already in force. It will be fully applied starting January 2025.
The Digital Operational Resilience Act (DORA) is a new regulation that aims to harmonise and reinforce existing rules on the digital operational resilience of financial institutions in the EU. DORA applies to all financial entities, including banks, insurance companies, asset managers, stock exchanges, clearing houses, investment market trading infrastructures and crypto-asset service providers.
DORA’s four main objectives are:
More than serving as a defence mechanism, DORA represents an essential step towards ensuring a high and consistent level of digital operational resilience in the EU financial sector, contributing to the security, trust and competitiveness of the digital single market. The DORA Regulation also aims to align EU rules with international standards and best practices, such as those issued by banking supervision and other regulatory and oversight bodies.
What are the main benefits and challenges of DORA for financial institutions?
The implementation of the DORA Regulation brings with it several benefits for financial institutions, such as:
However, not all financial institutions are yet prepared for its adoption, since their maturity and business continuity plans, where they exist, are generally oriented towards physical incidents rather than digital and cross-cutting ones. In other words, beyond ensuring the physical capability to relocate teams or carry out disaster recovery of technology architectures, it is essential to ensure the effective implementation of Strategic Cybersecurity Plans. This is why DORA also involves several challenges for financial institutions, including:
Where to start, and where can Auren help?
Auren, through its specialised business and technology consultancy services, supports its clients in adopting DORA through the following five steps:
DORA is a new EU regulation that aims to improve the cybersecurity and resilience of financial institutions by establishing common requirements and standards for ICT risk management and for the provision of ICT services by third parties.
Auren’s services help minimise the implementation risks of adopting the DORA Regulation, ensuring that its benefits are maximised and that financial institutions have the opportunity to strengthen their digital operational resilience and increase their confidence and competitiveness in the digital single market.
Rui Ribeiro, Consulting & Technology from Auren Portugal