SER Blog Information Governance
Digital Operational Resilience Act (DORA)
What requirements will banks and insurers face?
Cyber risks are increasing while financial companies grow ever more dependent on digital technologies. In response, the European Union adopted the DORA regulation at the end of 2022. It harmonizes the security and resilience requirements for financial entities across the EU.
This article explains what DORA is and whom the regulation affects. It also gives an overview of what financial companies must do to keep operating and to keep their ICT systems secure and available during serious incidents.
What is DORA?
DORA stands for Digital Operational Resilience Act, a regulation that covers the entire financial sector at EU level. With it, the EU creates uniform rules on how financial entities, including banks and insurance companies, address cybersecurity and manage ICT (information and communication technology) risk. In doing so, DORA tightens the requirements on how ICT systems are used and governed.
What guidelines does DORA contain?
DORA's requirements are primarily preventive. The EU wants to prepare financial companies for rising cyber risk. When incidents do occur, DORA is intended to enable financial companies to respond faster and more effectively.
With ongoing digitalization, risk has grown in recent years, and much of it originates in the ICT systems and technologies in use. Financial companies depend on these technologies, which are frequently sourced from third-party ICT service providers. DORA therefore sets binding requirements for financial entities on their ICT risk strategy and on how they work with ICT companies and ICT service providers.
Developing strategies in ICT risk management
With DORA, the EU requires banks, insurance companies and other organizations in the financial sector to establish a documented ICT risk management framework as part of a digital operational resilience strategy. The framework is aligned with international standards for ICT risk management, and within it financial companies set clear objectives for information security.
Report major ICT-related incidents
Financial companies must classify ICT-related incidents and report major incidents to their competent authority. As part of the ICT risk management framework, DORA also requires financial entities to maintain crisis communication plans. These plans must be activated as needed, in particular for major ICT-related incidents.
Testing and reducing risks
DORA also requires financial entities to run a regular, independent programme of digital operational resilience testing of their ICT systems. Certain financial entities must additionally undergo threat-led penetration testing (TLPT) at least every three years.
The results are used by financial companies and their supervisors to monitor resilience. Source code reviews, performance tests, scenario-based tests and threat-led penetration tests show whether the goal of digital operational resilience has been achieved. Testing is an integral part of ICT risk management.
To reduce ICT risk more generally, DORA also regulates how financial entities may voluntarily exchange cyber threat information and intelligence within trusted financial communities.
Collaborate with third-party ICT providers
When financial companies use third-party ICT providers, DORA's third-party risk requirements extend to those relationships. Financial entities must keep a register of information on all contractual arrangements with ICT providers, ensure the contracts contain the provisions DORA prescribes, and prepare exit strategies in case a contract has to be terminated. The focus is on how both the financial company and its ICT partner prevent and manage risk. In short, DORA sets the standard for how financial institutions work with third-party ICT services.
Who does DORA apply to?
DORA affects financial entities in the EU as well as companies that provide ICT services to them. In Germany, DORA applies to all financial companies supervised by the Federal Financial Supervisory Authority (BaFin) that fall within the categories of financial entity listed in Article 2 of the regulation.
What DORA means for ICT service providers
DORA is particularly relevant for ICT service providers. ICT companies that serve financial entities in the EU now have to meet DORA's requirements in their processes, regardless of whether they are headquartered in the EU: the contractual provisions DORA prescribes flow down to them through their customers' contracts.
The regulation also creates a new oversight framework for ICT service providers. ICT third-party providers designated as critical are placed under direct oversight by the European Supervisory Authorities (EBA, EIOPA and ESMA). This is a major step toward harmonizing regulatory requirements at EU level.
Implementation
When does DORA need to be implemented?
On December 14, 2022, the European Parliament and the Council adopted DORA as Regulation (EU) 2022/2554, part of the EU's digital finance package. It entered into force on January 16, 2023, with a 24-month implementation period.
DORA therefore applies from January 17, 2025. From that date, financial entities and ICT companies operating in the European financial sector must comply with its requirements.
Background to DORA
DORA grew out of the European Commission's aim of creating digital operational resilience in the financial sector. Four problems motivated the regulation:
- Increase in serious cyber incidents in financial companies: DORA strengthens digital resilience and cybersecurity in the financial sector.
- Regulatory fragmentation in dealing with cybersecurity issues in the EU: DORA harmonizes and standardizes requirements for digital operational resilience and cybersecurity at EU level.
- Serious business interruptions due to cyberattacks: DORA sets standards so that businesses are better prepared for cyber risks and can respond to them effectively.
- Maintaining trust in the financial sector: DORA helps to ensure that consumers and investors continue to view the financial sector as trustworthy and secure.
How the EU is implementing DORA
Since DORA entered into force, the European Supervisory Authorities (EBA, EIOPA and ESMA) have been developing draft regulatory technical standards (RTS) and implementing technical standards (ITS) that fill in the details of the regulation.
On January 17, 2024, the ESAs published the first batch of final draft RTS and ITS, and the European Commission adopted them on March 13, 2024. They are currently in the three-month scrutiny period by the European Parliament and the Council.
How Germany is implementing DORA
Since DORA is an EU regulation, it applies directly in the member states without transposition into national law. To align German law with it, the Federal Ministry of Finance has presented a government draft of a Financial Market Digitalization Act (FinmadiG), which bundles several laws including the national provisions accompanying the DORA package.
Prepare for DORA and ensure BaFin-compliant collaboration
Financial entities and the ICT providers that serve them must comply with the DORA framework by January 17, 2025, and BaFin will supervise compliance in Germany. As an IT service provider, we are of course also preparing for DORA. An enterprise content management platform such as Doxis can support DORA compliance by helping to manage, secure and maintain the continuity of information and processes in financial institutions.