DORA Regulation – a challenge, an opportunity or a step up?

11/12/2023

Overview

The financial sector now depends almost entirely on digital solutions, as they are the only way to offer innovative and competitive services to its customers. However, this also increases exposure to general IT risks, particularly cybersecurity risks, which affect financial stability, consumer protection, market integrity and trust. In addition, the financial sector is an interconnected ecosystem that, in many situations, depends internally on exchanges between services; these can represent attack vectors, that is, points of vulnerability in the value chain.

On 27 December 2022, the Digital Operational Resilience Act (DORA) was published in the Official Journal of the EU as part of a set of legislative acts, in particular Regulation (EU) No. 2022/2554 of the European Parliament and of the Council of 14 December 2022, Directive (EU) No. 2022/2555 of the European Parliament and of the Council of 14 December 2022 (NIS 2), Directive (EU) No. 2022/2556 of the European Parliament and of the Council of 14 December 2022 and Directive (EU) No. 2022/2557 of the European Parliament and of the Council of 14 December 2022 (CER).

In simplified terms, it comprises a regulation and a convention on digital operational resilience for the financial sector. The regulation is already in force and will apply in full from January 2025.

The Digital Operational Resilience Act (DORA) is a new regulation that aims to harmonise and reinforce existing rules on the digital operational resilience of financial institutions in the EU. DORA applies to all financial entities, including banks, insurance companies, asset managers, stock exchanges, clearing houses, investment market transactional infrastructures and crypto assets.

DORA’s four main objectives are:

  • Establish common requirements and standards for IT and Cybersecurity risk management, including identifying, classifying, mitigating, monitoring, testing and reporting incidents.
  • Create a coordinated supervision and inspection framework between national and European authorities, including the possibility of imposing administrative sanctions and corrective measures in case of violation of DORA rules.
  • Define a specific supervision and inspection regime for critical contracted service providers, such as Cloud service providers, who must comply with certain information, audit and access obligations and register in an EU public repository.
  • Promote cooperation and exchange of information between competent authorities, financial institutions and service providers, as well as participation in information-sharing initiatives and alerts on computer threats.

More than a defence mechanism, DORA represents an essential step towards ensuring a high and consistent level of digital operational resilience in the EU financial sector, contributing to the security, trust and competitiveness of the digital single market. The DORA Regulation also aims to align EU rules with international standards and best practices, such as those issued by banking supervision and other management and oversight bodies.

What are the main benefits and challenges of DORA for financial institutions?

The implementation of the DORA Regulation brings with it several benefits for financial institutions, such as:

  • Improve the ability to prevent, detect and respond to IT and cybersecurity incidents, reducing the potential impact on business continuity, reputation and legal liability.
  • Increase the confidence of customers, investors and authorities in the quality and security of digital financial services, strengthening customer loyalty and satisfaction and attracting new business and market opportunities.
  • Harmonise and simplify rules and procedures applicable to digital operational resilience, eliminating fragmentation and duplication between national and sectoral regimes and facilitating cooperation and communication between interested parties.
  • Promote innovation and competitiveness in the financial sector, encouraging the adoption of advanced and efficient digital solutions, such as cloud computing, artificial intelligence, and blockchain.

However, not all financial institutions are yet prepared for its adoption: their maturity and business continuity plans, where they exist, are generally oriented towards physical incidents rather than digital and cross-cutting ones. In other words, beyond ensuring the physical capability to relocate teams or carry out disaster recovery of the technology architecture, it is essential to ensure a straightforward implementation of Strategic Cybersecurity Plans. This is why DORA also involves several challenges for financial institutions, including:

  • Compliance with DORA requirements and standards, which may require significant investments in human, technical and financial resources and organisational and cultural changes.
  • Adapting to regulatory changes and authorities’ expectations, which may involve greater scrutiny and accountability for digital operational resilience practices and greater exposure to sanctions and corrective measures.
  • More scrutinised and demanding management of relationships with service providers, who may have to comply with additional information, auditing and access obligations in order to serve the financial sector.
  • Ongoing updating and preparation for emerging IT and cybersecurity threats and risks, which are increasingly sophisticated and complex.

Where to start, and where can Auren help?

Auren, through its specialised business and technology consultancy services, supports its clients in adopting DORA through the following five steps:

  • Awareness
    • Training activities and explanation of the DORA Regulation
    • Discussion of strategic DORA adoption models, according to the organisation and its existing technical and cultural processes
  • Assessment
    • Assessment of maturity and current level of digital operational resilience
    • Identification of the main gaps and central areas for improvement within the scope of DORA requirements and standards
  • Strategy Delivery
    • Development of the DORA and Cybersecurity Strategic Plan, based on five pillars: assets, culture, technology, methodology and ecosystem
    • Development and implementation of the action plan to comply with DORA requirements and standards, including allocating resources, defining responsibilities, reviewing policies and processes, updating systems and tools, carrying out tests and training, and preparing reports and documentation
  • Operational Reporting
    • Establishment and maintenance of effective and transparent communication models with competent authorities, service providers and other stakeholders on the measures taken and progress made in digital operational resilience
  • Operations and Continuous Improvement
    • Regular monitoring and review of digital operational resilience performance and compliance, as well as regulatory changes and market trends, adapting to new circumstances and needs

Conclusion

DORA is a new EU regulation that aims to improve the cybersecurity and resilience of financial institutions by establishing common requirements and standards for ICT risk management and for the provision of services by third parties.

Auren’s services help minimise the implementation risks of adopting the DORA Regulation, maximising its benefits and giving financial institutions the opportunity to strengthen their digital operational resilience and increase their confidence and competitiveness in the digital single market.

Rui Ribeiro, Consulting & Technology from Auren Portugal