Explainer: The EU’s Digital Operational Resilience Act (DORA)

(Source: ESCO)

The EU’s Digital Operational Resilience Act (DORA) has received a lot of coverage in recent months, as banks, financial services firms and third-party providers race to get ready for the new Europe-wide regulation.

From today, the DORA rules start to apply, meaning a whirlwind of changes in the rules that European banks and other financial firms face.

As the new regulatory regime has come into force, QA Financial takes a deep dive into the question: what exactly is DORA? What are its goals and provisions, and what is the framework’s impact on the financial services space?

Firstly, DORA is a regulation proposed by the European Union, aimed at improving the resilience of the financial sector’s digital operations.

It was introduced to address the growing reliance on technology and digital infrastructure in financial services, which has led to increasing risks associated with cyberattacks, technical failures, and other disruptions.

Key goals

Firstly, cyber resilience, to ensure that financial institutions are prepared to manage and respond to cyber threats and disruptions.

Secondly, operational continuity, namely to strengthen the ability of firms to maintain and restore critical business operations in case of digital disruptions.

Further, third-party risk management. The rules aim to improve oversight of critical service providers and third-party vendors (e.g., cloud services) that financial institutions depend on.

Also, incident reporting, to establish clear rules for reporting significant operational disruptions or cyber incidents in a timely manner.

Finally, testing and risk management, to encourage firms to regularly test their digital systems for vulnerabilities and to put in place strong governance and risk management frameworks.

Key provisions

In terms of ICT risk management, financial firms must implement comprehensive policies and procedures to manage ICT risks. This includes identifying critical systems, protecting them, and maintaining their functionality.

When it comes to digital operational resilience testing, banks and institutions are required to perform regular resilience tests to assess the robustness of their digital systems and mitigate risks.

Much focus is also on third-party service providers. Financial firms must assess and manage risks posed by third-party service providers, especially those who offer critical services. DORA includes provisions to ensure these third parties follow security practices and compliance standards that align with the institution’s own risk management.

Another major element is incident reporting. Firms must report significant ICT-related incidents, such as cybersecurity breaches or system failures, to regulators within strict timelines. This ensures that disruptions can be addressed promptly and lessons learned are shared across the sector.

Finally, oversight and enforcement. The regulation provides for supervisory authorities to enforce compliance with the digital operational resilience standards, including penalties for non-compliance.

Impact on finance firms

DORA will have a significant impact on all main actors in the financial services space, most notably financial institutions.

Banks, insurance companies, and other financial firms will need to invest in upgrading their digital systems and risk management processes to comply with DORA.

Think of increased investment in cybersecurity and ICT infrastructure. Financial firms will need to invest more in robust digital infrastructure, cybersecurity measures, and risk management strategies. This includes upgrading systems to ensure they can withstand and recover from potential disruptions.

Also, enhanced risk management frameworks: Institutions will need to adopt comprehensive risk management frameworks focused on ICT risks, including governance structures to oversee digital operational resilience and continuity planning.

Moreover, operational resilience testing. Financial institutions will be required to conduct regular tests, such as stress tests and vulnerability assessments, on their digital systems to identify weaknesses and ensure that they are prepared for potential cyberattacks or system failures.

In addition, incident reporting. Firms will need to create processes to quickly identify, assess, and report significant operational disruptions or cyber incidents to regulators within the specified timeframes. This can be a resource-intensive process but ensures greater transparency and quicker responses to emerging threats.

Compliance costs are also a factor firms will need to consider more. Institutions will incur costs associated with meeting the regulatory requirements of DORA, including implementing new technologies, enhancing cybersecurity practices, and establishing dedicated teams to manage compliance and reporting.

Regulators

Regulators will also be impacted: National and EU-level regulators will play an active role in monitoring compliance, particularly in managing risks related to third-party vendors and major cyber incidents.

Firstly, there will be increased oversight responsibilities: Regulatory authorities will have enhanced responsibilities for overseeing financial institutions’ digital operational resilience, including assessing ICT risk management processes, compliance with testing standards, and the effectiveness of incident reporting.

Also, interagency cooperation: Given the cross-border nature of many financial institutions and their reliance on global third-party vendors, regulators will likely need to collaborate across borders to ensure effective enforcement of DORA. This might require increased international cooperation among financial and cybersecurity regulators.

Finally, penalties for non-compliance will become a main issue for regulators as they will have the authority to impose penalties for non-compliance with DORA, incentivizing financial firms and third-party vendors to meet the established standards.

Looking ahead

Overall, DORA aims to strengthen the EU’s financial system by ensuring that firms can continue to operate securely and efficiently even in the face of increasing digital threats and disruptions.

It is expected to significantly impact the operational landscape of the EU’s financial sector. It will increase the focus on cybersecurity, operational continuity, and the management of third-party risks.

While it may impose additional costs and compliance burdens, it will ultimately strengthen the sector’s resilience, improve the safety of financial services, and enhance trust in the EU’s financial system.

However, it could also lead to challenges for smaller firms and third-party vendors, who may need to adapt quickly to meet the new standards.
