DORA will ‘bring structure’ to incident reporting, says legal mind

The countdown to DORA is in full swing, with less than two months to go

Since the pandemic, the financial sector has become increasingly dependent on digital technologies provided by external service providers.

This is making financial institutions more vulnerable to cyber-attacks and other disruptions.

The EU has now formulated a clear answer to that challenge: the Digital Operational Resilience Act (DORA), a piece of EU legislation that aims to promote the robustness and resilience of financial entities' operations, while at the same time fostering a sustainable digitalization of the financial sector.

The regulation applies to a wide range of financial institutions, including banks, investment firms, insurance companies, and payment service providers.

It also applies to some non-financial institutions that are critical to the financial system. These institutions are known as critical third-party service providers (CTTPs).

Incident reporting

One of DORA’s main pillars is to strengthen the digital operational resilience of the financial sector by standardizing how financial institutions identify, manage, and report major information and communication technology (ICT) incidents across EU member states and different sectors.

Hugo Zwartkruis

“This includes the ability to classify cyber threats that could cause the disruptions and the reporting thereof and allows competent supervisory authorities to adopt definitions and processes that are applied consistently across member states,” explained Hugo Zwartkruis, a legal consultant specialised in regulatory change and compliance at Synechron, a New York City-based IT consulting company focused on the financial services space.

While established incident management processes exist within many mature financial institutions’ risk management frameworks, DORA introduces new requirements for ICT-related incident management, classification, and reporting.

“DORA imposes enhanced regulatory obligations for incident management that are significantly more onerous than those in existing regulations,” Amsterdam-based Zwartkruis stressed.

“With the level of detail in this new rule-based framework, financial institutions will have to fully re-establish how they deal with incidents. The visual below offers a more in-depth representation of DORA’s incident management process,” he noted.

Coming in fast

With DORA’s deadline rapidly approaching, namely January 2025, financial services firms are bracing themselves for a host of new rules.

Many are in the process of creating a dedicated setup for incident management, which Zwartkruis thinks should define the relevant roles and responsibilities to ensure institution-wide coverage and consistent incident management and reporting, based on exhaustive policy, conventions and procedures.


“DORA imposes enhanced regulatory obligations for incident management that are significantly more onerous than those in existing regulations.”

– Hugo Zwartkruis

Zwartkruis argues for “a full sanity check of the current incident management process,” which includes the examination of existing incident management processes, procedures, and tools, to identify potential shortcomings, gaps, or inconsistencies in the current incident management framework.

“Based on the sanity check, the most critical gaps and risks are identified that need to be addressed to ensure compliance with DORA,” he pointed out.

Proportionality

In further technical standards, the European Commission has called for proportionality in applying incident classification criteria, steering financial institutions to look at incident reporting pragmatically.

“If the classification exercise leads to disproportionate incident reporting, they should adjust accordingly,” Zwartkruis explained.

“At the same time financial institutions should also assess incidents qualitatively as cyber attacks or if numerous small interruptions may not meet materiality thresholds.”

However, “they can be indicative of serious or structural shortcomings in risk management,” he concluded.


UPCOMING QA FINANCIAL EVENTS

READ MORE


Become a QA Financial subscriber – for FREE

News and interviews * Receive our weekly newsletter * Get priority invitations to our Forum events

REGISTER HERE TODAY