EU Introduces Groundbreaking Digital Operational Resilience Act (DORA) to Strengthen Financial Sector
The European Union (EU) has adopted the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), a comprehensive framework that addresses the ICT (Information and Communication Technology) risks faced by the European financial services sector. DORA seeks to ensure that financial entities can withstand, respond to and recover from ICT-related disruptions so that the integrity and availability of financial services are preserved.
Under DORA, financial institutions are required to strengthen their digital defences beyond standard cybersecurity measures. The act calls for documented ICT risk management frameworks, internal controls and regular risk assessments, creating a level playing field with a common minimum level of ICT risk management across all entities in scope.
Incident management is another crucial aspect of DORA. Financial entities must detect, classify and respond to ICT-related incidents swiftly, and must report major incidents to their competent authority within defined timelines. Consistent and prompt reporting is intended to promote transparency and allow the sector to learn from disruptions.
Recognising the interconnected nature of the financial ecosystem, DORA also focuses on ICT third-party risk. Financial entities must maintain a register of information on their contractual arrangements with ICT service providers, and ICT providers designated as critical are placed under an oversight framework led by the European Supervisory Authorities, so that external suppliers do not become weak links in the digital chain. Financial institutions will therefore need a more prescriptive approach to supplier risk management, including mandatory contractual provisions.
The Threat-led Penetration Testing (TLPT) aspect of DORA introduces a pragmatic approach to cybersecurity based on the TIBER-EU framework (Threat Intelligence-based Ethical Red Teaming). Red teams simulate realistic, intelligence-led attacks against the live production systems of financial entities identified as significant by their competent authorities, at least every three years, to validate and strengthen their overall resilience posture. This goes well beyond a mere audit exercise.
Transparent governance is a key pillar of DORA, emphasizing the importance of establishing a robust reporting structure. This ensures that all stakeholders are well-informed about a financial institution’s digital resilience measures.
To evaluate ICT risk effectively, the management body is required to possess the necessary expertise and competencies. It must actively engage with the entity's ICT risk management activities and appraise the policies and controls that safeguard the organisation's assets. This aligns with the NIS 2 Directive, which likewise requires management bodies to undertake training in cyber risk oversight.
DORA's approach calls for an Integrated Risk Management (IRM) perspective, in which ICT risk is viewed alongside other risks and risk management is linked directly with cyber operations. It treats ICT assets as the cornerstone of business capability and requires financial institutions to identify and prioritise their critical assets and supporting systems, and to understand the impact that ICT disruptions would have on them.
While DORA is an EU regulation, its principles have global implications. It sets an important precedent for cybersecurity practices and shapes the global approach to digital operational resilience and integrated risk management.
DORA is more than just a set of rules; it represents a narrative that will shape the digital future of finance. It requires a significant maturing of cyber defence and cyber risk management capabilities. Smaller firms, in particular, will need to transform an area that has traditionally been underinvested. Making cybersecurity relevant to business management is crucial for firms aiming to comply with NIS 2 and DORA. Embracing resilience, minimising disruptions and thriving in the ever-changing digital landscape are key objectives for entities in the financial sector.
Analyst comment
Positive news:
The introduction of the Digital Operational Resilience Act (DORA) by the EU is a groundbreaking move that strengthens the financial sector's digital defences. It mandates robust ICT risk management, incident management and reporting, threat-led penetration testing and ICT third-party risk management. DORA sets a global precedent for cybersecurity practices, enhancing digital operational resilience and integrated risk management.
Market impact:
The market will likely see increased investment in cyber defence and risk management capabilities, benefiting cybersecurity firms and red-team providers. Financial institutions will need to invest in areas that have historically been underfunded and make cybersecurity relevant to business management. Overall, the sector should experience greater resilience and fewer disruptions in the digital landscape.