cybersecurity and encryption
The regulation Digital Operational Resilience Act, or DORA for short, has introduced a comprehensive EU-wide regulatory framework that includes rules on digital operational resilience for all financial institutions.
What is DORA?
On January 16, 2023, entered into force a new regulation about how financial firms manage digital risk. This Digital Operational Resilience Regulation is known by the name DORA or Digital Operational Resilience Act.
It is the European Commission’s bid to homogenize and strengthen the regulatory environment on digital operational resilience in the European financial sector in an environment of digital transformation, new players and large technological organizations. Before DORA, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all the components of operational resilience (ability of the organization to continue operating in the face of any adverse event).
It is a regulation that is part of the digital finance package, a package of measures to further build and support the strength of digital finance in the current financial context, in terms of innovation and competition, while mitigating the risks associated with it.
In addition to this proposal, the package also includes a proposal for a Regulation on cryptoasset markets, a proposal for a Regulation on a pilot regime for market infrastructures based on decentralized registry technology and a proposal for a Directive to clarify or amend certain related EU financial services rules.
What are DORA's objectives?
The evolution of technology in the financial sector and the emergence of new digital payment systems that are increasingly used among the population, together with the rise and growing use of cryptocurrencies, and cryptoassets in general, represent a revolution. In this context, the new resilience regulations should increase confidence and attract investment.
DORA aims to consolidate and improve ICT risk requirements. That is, information and communications technologies, in all financial institutions to ensure that all companies are subject to a common set of standards to mitigate ICT risks.
We can thus say that the main objective of DORA is the innovation and improvement of existing standards and the standardization of the incident reporting model, ensuring that the Union embraces the digital revolution and drives it forward with innovative European companies at the forefront, making the benefits of digital finance available to consumers and businesses.
Which companies are affected by DORA?
DORA will have a very broad application and will cover all authorized European financial institutions, in total about 20, including ICT service providers.
Despite its intentionally broad scope, DORA provides some elements of proportionality, i.e., financial entities included in the scope will have to comply with DORA taking into account their size and overall risk profile, as well as the nature, scale and complexity of their operations. services, activities and operations, among other variables, and may also apply to SMEs.
Do you want to know if you should apply DORA in your organization?
Contact our specialist
What are the implications DORA? practices
Regarding its scope and implications, the way in which DORA impacts institutions is as follows:
- ICT risk management.
- Incidents and notifications of ICT-related incidents.
- Digital operational resilience testing.
- Third-party risks in ICT and the exchange of information between financial institutions.
In particular, it will improve and streamline the management of ICT risks by financial institutions, establish comprehensive testing of ICT systems, increase supervisors’ awareness of cybersecurity risks and ICT-related incidents faced by financial institutions, and empower financial supervisors to monitor risks arising from financial institutions’ reliance on external ICT service providers.
The proposal will create a consistent incident reporting mechanism that will help reduce administrative burdens for financial institutions and strengthen supervisory effectiveness.
When is DORA expected to be approved and published?
Although the Regulation entered into force 20 days after its publication in the Official Journal of the European Union, it will be fully applicable as of January 17, 2025, so financial institutions will have a period of 2 years to comply with it. .
Furthermore, it is important to note that DORA is a Regulation, not a Directive, so it is binding in its entirety and directly applicable in all EU Member States.
OSV is the solution that meets Dora's requirements.
Our OSV solution for DORA has all the necessary specifications, detailed below, to help entities comply with the regulatory framework.
We identify and minimize ICT risk, determining protection and prevention measures, and establishing continuity policies.
Notification of incidents
We will notify the appropriate authorities of significant ICT-related incidents.
Digital operational resilience testing
We identify weaknesses, gaps and deficiencies in the ICT risk management framework.
We will exchange information about cyber-attacks on other financial institutions, acting as a single team in the fight against cyber-crime.
Third-party ICT risks
We assess, monitor and document the risk of third parties in ICT matters.