With the deadline for complying with the EU’s Digital Operational Resilience Act (DORA) set for 17 January of next year, pressure is mounting on financial institutions and service providers across the industry to start preparing for the new regulatory framework.
Despite the uncertainty among many financial services firms, and the impression within the industry DORA will become a major challenge for many companies, the legislation should not be seen as an obstacle.
In fact, DORA is an opportunity, not a burden, argues a UK-based industry insider and specialist.
According to Emma Smales, a principal security consultant and legal counsel at Huhtamaki, “many companies recognise that achieving compliance may be more than their limited resources can bear.”
“But rest assured, there’s no reason to panic about the DORA deadline. With a sound strategy, and trusted tools and partners in place, there is still time to cross the finish line,” Smales argued in a recent blog post.
“While complying with DORA is mandatory, don’t think of it as a burden—it’s actually an opportunity. The framework, systems, and reporting DORA requires will absolutely make firms more secure and resilient,” she argued.
In fact, for the wider industry, DORA will create standardised processes and a centralised EU reporting hub to improve the flow of information around significant incidents.
“That means if firms detect suspicious activity, the industry can offer insight on how to respond. Individual companies contributing to this shared knowledge base will bolster EU-wide situational awareness and harmonization around real and perceived threats and mitigation activities,” Smales said.
“Failure to achieve DORA compliance would cost organizations their reputation, market trust, and future business.”
– Emma Smales
Smales pointed out that, “given the complex, interconnected, and far-reaching nature of the financial services industry, more than 22,000 entities are subject to the new regulation.”
That includes any financial organisation or service provider operating in or doing business in the EU, regardless of its headquartered location.
“Just like GDPR, DORA has potentially global implications,” she stated.
Organisations that fail to comply before the January 2025 deadline are subject to multiple sanctions, including steep penalties, a ban on certain parts of their operations, or a prohibition against using certain third-party providers until compliance is assured.
“Not to mention, failure to achieve DORA compliance would cost organizations their reputation, market trust, and future business,” Smales warned.
Resistance testing
Despite the uncertainty and concerns around DORA, “the good news” is that many firms have likely already met some of DORA’s requirements, Smales said.
She pointed out that DORA complements other good governance and operational frameworks like ISO 27001 and SS2/21, and achieving compliance “may require only some adjustments to policies, procedures, and risk management strategies, as well as the implementation of specific resilience testing procedures, in addition to what they’re already doing,” she explained.
Smales pointed out that red and purple teaming exercises are mandated in the legislation, and there’s some indication that DORA may align with standard TIBER testing, but this is still to be determined.
“Regardless, every financial organisation will need to conduct these scenario-based drills regularly, which can be daunting in scope, resources, and costs for those who’ve never previously performed these tests.”
She added: “Likewise, scenario testing for insolvency is also mandatory under DORA”, pointing out that financial regulators recognize approaches such as software escrow agreements as vital components of stressed exit plans for significant suppliers.
A host of industry insiders have warned that many banks and finance firms do not fully realise they could face substantial fines and penalties within a year if they do not significantly expand or adjust their testing capabilities.
In fact, DORA will require the creation of new pressure tests and other critical testing infrastructure.
Test coming
In preparation for DORA, large banks, financial institutions and other financial services (FS) players across the European Union have been urged to take part in a voluntary training exercise ahead of DORA coming into force, as QA Financial reported last week.
Banks across all EU member states, as well as insurers, asset managers and other financial firms have been invited by the European Supervisory Authorities (ESA) to join the mass-testing exercise, which is scheduled to take place next month. An exact date has not been set yet.
The test is co-coordinated by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) as well as the European Securities and Markets Authority (ESMA).
Firms that agree to take part will be asked to hand over the agreements they have in place with any ICT third party providers they work with.
“Every financial organisation will need to conduct scenario-based drills regularly, which can be daunting in scope, resources, and costs.”
– Emma Smales
Starting in May, participating firms will be expected to forward their registers to the ESA through their relevant national watchdogs before the end of August.
Providing this information is an important part of DORA because, once in effect, financial firms will be required to register any contractual arrangements they have with third party ICT firms.
In the invitation letter to firms, which was sent last week, the ESA explained they plan to offer extensive help, support and guidance to firms to help them create and maintain a register.
The regulator indicated it will soon propose a standard format and data quality testing will become an important part of the process.
Firms will then be asked to hand over their registers to the ESA through their relevant national watchdogs, most likely between early July and late August.
Tighter regulation
DORA is among several recent and emerging regulations in the EU, created to enhance and standardise requirements for enterprise cyber resiliency.
The rules are specifically for financial entities operating across the EU 27 — including banks, insurance companies, credit agencies and more — and third-party service providers that serve them.
Ahead of the January 2025 deadline, the European Commission formally adopted a number of DORA stipulations in February.
The EU’s executive body issued a whole set of secondary legislation that set out detailed, technical rules specifying some of the key provisions of DORA.
Firstly, it has now been confirmed that DORA will introduce an ‘oversight framework’, which did not exist under pre-existing outsourcing regulations.
ICT third-party service providers that are designated as ‘critical’ will be made subject to regulatory scrutiny, largely overseen by the ESA, which are the above-mentioned ESMA, EBA and EIOPA.
This approach allows the ESA to investigate and inspect providers in relation to IT security, risk management and governance issues.
“Just like GDPR, DORA has potentially global implications.”
– Emma Smales
The framework also gives ESA the power to make recommendations and issue fines of up to 1% of the ICT third-party provider’s annual worldwide turnover.
Moreover, the EC also detailed the criteria “for the designation of ICT third-party service providers as critical for financial entities.”
In other words, it set out what ‘critical ICT providers’ are. In addition, the EU body also introduced a vast and fairly complex structure for oversight fees.
‘Two step’ approach
To determine whether an ICT third-party service provider is ‘critical’ for banks, insurance firms and other financial entities, the ESAs will use sub-criteria in a two-step approach assessment.
Firstly, the ESAs will take into account important ICT services and the diversity and number of financial institutions that use those services.
This is primarily done to “filter the population of ICT third-party service providers and identify the most critical ICT third-party service providers.”
After this ‘first selection’ of ICT third-party service providers, a further in-depth analysis will be carried out that focuses on a range of sub-criteria.
So far, the EC has not set out these standards but has hinted that, in some cases, it will be left to individual member states to fill these gaps.
Stay up to date and receive our news, features and interviews for free
Our e-newsletter lands in your inbox every Friday. Sign up HERE in one simple step.
EARLIER THIS MONTH
DO NOT miss coverage of our recent conferences in Chicago and Toronto
READ MORE
