A new regulation that everybody dealing with technology in financial services is talking about conjures up smiles on many faces. It shares its name with the famous American children's TV series "Dora the Explorer", but unfortunately it does not have much in common with the little Hispanic girl who goes on adventures with her red-boot-wearing monkey.
With the Digital Operational Resilience Act (DORA), the European Union has published regulations for the entire financial services industry on cyber risks, ICT risks and digital operational resilience (Regulation (EU) 2022/2554).
- Almost all supervised institutes and companies within the European financial services sector need to comply with the regulation.
- It aims to unify the regulatory space by consolidating the various requirements that apply to institutes and companies in the fields of cyber risks, ICT risks and digital operational resilience.
- Compliance is required by 17 January 2025.
Unlike the guidelines published by the European Banking Authority, DORA requirements are European law and directly applicable to institutes and companies in the European financial service sector – no national implementation by local authorities needed.
In the context of DORA, the national supervisory authorities will need to transform their supervisory practice and implement new processes, such as:
- overseeing the critical ICT third-party service providers assigned to them
- acting as national reporting hubs for ICT-related incidents in the financial sector
- acting as national reporting hubs for third-party ICT risks and providing a macro view of the ICT risk of the financial sector
The DORA regulation deals with six major topics:
- ICT risk management
- reporting of ICT incidents and significant cyber threats
- digital operational resilience testing, including threat-led penetration testing (TLPT)
- ICT third-party management
- a European oversight framework for critical ICT third-party service providers
- information sharing, and cyber crisis and emergency exercises
The European supervisory authorities (ESMA, EBA and EIOPA) work together in further developing the regulatory technical standards and implementing technical standards (RTS/ITS).
In parallel with the DORA publication, amending guidelines were published to ensure consistency with existing frameworks such as Solvency II, MiFID II and PSD II.
Stay tuned for new posts in our DI DORA series.