DORA on the horizon: key changes for the financial sector 🏦
8 August 2024 / Articles
DORA – new standards for cyber security 🔒
In the digital age, when most financial transactions take place online, the security of our data and funds is becoming a priority. We have all seen recently – with the example of Microsoft’s operating systems crashing – what happens when one of the online services most commonly used by businesses, Office 365, is affected. ✈️🚫
Airline connections were cancelled, the London Stock Exchange did not work, and bank customers also reported problems (in Poland, Santander Bank and PKO BP, among others, were affected). Microsoft estimated that up to 8.5 million Windows devices were affected by the incident. The effects of what turned out to be ‘just’ a crash brought part of the world to a halt for a moment. The scale of the disruption to entities in so many industries makes one wonder what might happen when we are dealing not with a crash, but with a successful cyber-attack. 🤔💻
The European Union, recognising the growing risks in the area of digital security for the financial sector and its customers, in December 2023 enacted the Digital Operational Resilience Act (DORA for short), which sets new standards for the cyber-security of financial entities, aiming to ensure their resilience to all ICT-related disruptions and threats. 🌐📜
The new regulations aim to minimise the risks associated not only with cyber attacks, but more broadly with security incidents. By establishing uniform standards and procedures, DORA is expected to contribute to protecting the integrity, security and continuity of financial services in the European Union. 🛡️🇪🇺
The countdown is on ⏳
Financial entities have until 17 January 2025 to comply with DORA. After this date there will be no leniency – the FSA, during training sessions and meetings with the financial sector, warns that it will not wait for latecomers and plans to verify and enforce the implementation of the new obligations from day one. 📅🔍
Importantly, DORA is not a directive (as is the case with another cyber-security-relevant act, NIS2), but a regulation. This means that it is binding in its entirety on the entities to which it is addressed and is directly applicable in all countries of the European Union, without the need to transpose it into national law by means of local legislation. 📜⚖️
Who is affected by DORA? 🏦💼
DORA primarily – but not exclusively – covers a broad spectrum of financial institutions and digital finance entities. Among others, banks, insurance companies, investment funds, credit institutions, cryptocurrency providers, e-money institutions and other financial services providers are obliged to comply with the new regulations. 💳🏢
In addition, DORA introduces certain obligations for technology providers, including cloud service providers and other ICT service providers. ☁️💻
What does DORA mean for the financial sector? 📊🔒
DORA imposes obligations on financial sector players, requiring financial institutions not only to respond to incidents, but also to take a number of preventive measures, based on the principle that prevention is better than cure. 💡🔧
In practice, this means taking action primarily in the following key areas:
- ICT risk management 🖥️⚠️ Financial institutions should develop and implement a comprehensive ICT risk management strategy. This strategy should include identifying, assessing, monitoring and controlling ICT risks to ensure the security and integrity of IT systems.
- ICT incident management 🛡️🚨 According to DORA, classification and reporting of ICT incidents are key to effective security management. Financial institutions will be required to follow clear guidelines for incident classification, which is expected to lead to appropriate tracking, analysis and response. Responsibilities in this area will include, but are not limited to:
  - Creating and implementing uniform incident classification guidelines to categorise incidents by level of severity and type of threat.
  - Regular reporting of incidents to relevant authorities and stakeholders, in accordance with applicable standards and regulations.
  - Conducting root cause analysis of incidents to identify vulnerabilities and implement corrective actions.
- Management of risk from external ICT service providers 🤝🔍 Financial institutions should define policies for managing cooperation with external ICT service providers. Responsibilities in this area will include, among other things, developing criteria for the evaluation and selection of ICT service providers to ensure that they meet security and compliance requirements, ensuring that contracts entered into with ICT providers comply with the requirements set by DORA, and regularly monitoring and evaluating the performance of providers.
- Digital operational resilience testing 🔄🛠️ Obligations in this area will include, among other things, the establishment of a comprehensive digital operational resilience testing programme. Financial entities other than micro-enterprises will be required to test all ICT systems and applications at least once a year. For some obliged entities, DORA also provides for an additional obligation to carry out advanced, threat-led penetration testing (TLPT) at least every 3 years.
Where there are obligations, there are also sanctions ⚖️💰
Understanding and adapting to the requirements of DORA is essential for financial actors, not only to ensure an adequate level of digital operational resilience, but also to avoid serious legal and financial consequences.
Under DORA, the competent authorities (in Poland this will primarily be the FSA) are granted broad powers to supervise and enforce the regulation. They will be entitled to request access to any documents and data they deem relevant in the context of their investigations. Financial institutions must be prepared for possible audits and inspections. Failure to cooperate or to provide the requested information may lead to additional sanctions. 🔍📋
In the event of violations of DORA, the supervisory authorities may apply various administrative sanctions. These include, inter alia, cease and desist orders for non-compliant activities, the requirement to terminate practices contrary to the regulation, and financial penalties aimed at enforcing compliance. 💼💸
Summary 📊✍️
Of course, a full assessment of the impact of the new regulations will only be possible after some time, but we already dare to hypothesise that DORA is a milestone towards ensuring digital operational resilience in the EU financial sector. With the introduction of new ICT risk management standards and the requirement for a proactive approach to digital security, DORA should not only help protect financial institutions, but also increase customer confidence in financial services. The ball is now in the financial sector’s court – achieving the goal of DORA and the associated benefits will only be possible if the implementation of the new regulations is taken seriously. 🔜🔧