DORA Spotlight: Time is running out for finance firms across Europe

As the implementation deadline for the Digital Operational Resilience Act (DORA) draws near, on 17 January of next year, now less than four weeks away, banks and financial firms across Europe are rushing to make sense of the new rules and, perhaps more importantly, to be fully compliant by the end of January 2025.

Because there is no doubt about it: bankers, legal experts, regulators and others have all stated DORA may mean a whirlwind change in the regulatory climate that banks and other financial firms face in relation to their digital infrastructure and assets.

A whirlwind, because many European banks are simply not yet prepared for DORA. At least that was the stark warning from the European Central Bank (ECB) last month.

The ECB stated that a host of banks across Europe still face major IT challenges and their software testing practices are not up to scratch.

In fact, IT security risk assessment frameworks at numerous European financial institutions are in need of an upgrade, according to the central bank.

The ECB, the central bank of the European Union countries which have adopted the euro, wrote in a damning article in its latest compliance newsletter that “some banks are still facing challenges in implementing basic security controls and many key areas remain insufficiently developed in certain banks.”

The central bank stressed “these areas include security testing, vulnerability management, network segmentation, security detection, response and recovery capabilities and identity and access management.”

Moreover, “IT security risk assessment frameworks require significant improvement,” the ECB observed.


“DORA has caused concern in the financial services community.”

– Jonathan Armstrong

As DORA’s deadline rapidly approaches, Jonathan Armstrong, a partner at Punter Southall Law and an expert in compliance and technology regulation, agrees with the ECB and warns that firms should not underestimate the impact of the new regulation.

“DORA is a regulatory framework designed to strengthen the resilience of the financial sector against digital disruptions,” explained Armstrong, pointing out it applies to banks, insurers, investment firms, and other financial institutions, as well as to key third-party service providers, like cloud computing services.


“At its core is the recognition that financial systems across the EU are part of each country’s critical national infrastructure,” he continued, adding that “many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU.”

Armstrong singled out the global digital CrowdStrike drama, when – in July – millions of computers went down, primarily in the US, following a faulty software test. It demonstrated how “interconnected the global infrastructure is,” he added.

“DORA has caused concern in the financial services, tech and cyber security communities so it’s important for businesses to understand fully their responsibilities,” Armstrong wrote in recent legal analysis.

DORA rules

The DORA rules aim to strengthen oversight, operational resilience and the relationship between banks and other financial institutions and the firms that manage, run, test and update their software infrastructure.

The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) have been tasked to jointly establish, roll out and enforce the EU’s new ICT framework.

“The finance sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyberattacks or incidents,” EIOPA recently explained.

“When not managed properly, ICT risks can lead to disruptions of financial services. This in turn, can have an impact on other companies, sectors, and even on the rest of the economy, which underlines the importance of the digital operational resilience of the finance sector. This is where the DORA regulation comes into play,” the body stressed.


“Many finance firms rely on a few key services providers, meaning that one incident could have a significant effect on financial services across the EU.”

– Jonathan Armstrong

Armstrong pointed out that DORA extends its reach beyond the financial services sector and introduces an EU oversight framework for critical ICT providers such as cloud service providers.

“It is important to remember that the main DORA Regulation is binding legislation that is directly applicable in Member States after its entry into force,” he added.

The DORA Directive will need to be transposed into each Member State’s national law.

Enforcement

EU Member States will be responsible for establishing the penalties and remedial measures under DORA, which can apply to both natural and legal persons.

Additionally, Member States can apply the penalties or remedial measures of a legal entity to members of its management body and other responsible individuals.

“Member States may also choose to establish criminal penalties for breaches of DORA. In this respect DORA mirrors another recent compliance trend with a concentration on personal liability in an effort to reinforce cybersecurity measures,” Armstrong observed.

DORA spells out detailed criteria for the classification, management, and reporting of ICT risks.
It also includes comprehensive recurring testing of these systems and a set of requirements for managing and monitoring ICT-related risks in the finance sector.

Not just finance firms

What is important to note is that the new regulation expands its scope beyond traditional financial institutions to include the management of technology services by third parties and organisations such as insurance companies and reinsurers.

The DORA regulation sets out specific requirements with regards to ICT risk management and governance, incident reporting, third-party risk management as well as operational resilience testing and threat sharing.

With regard to this last element, ICT systems must be tested regularly to evaluate their performance, identify vulnerabilities, and repair them in a timely manner.

In addition, financial institutions must establish agreements to share information and intelligence about threats and vulnerabilities.

Armstrong was keen to stress that any organisation that is in the DORA regime, or provides services to those that are, will need to consider how to meet its responsibilities under DORA.

“This is likely to be a significant project for most and will include steps such as a gap analysis, to focus on the work that needs to be done, training on operational resilience, which is likely to include the IT team, communications professionals and the compliance function.”

He said that for banks and financial services organisations, “working out key dependencies, mapping devices and storage locations” may be vital, namely, to ensure that compliant contracts are in place with all third-party providers.

In summary, Armstrong warns that by January 17 “financial services firms are required to have in place sound, effective and comprehensive strategies, processes and systems that enable them adequately to comply with the applicable operational resilience requirements.”

QA FINANCIAL FORUM LONDON: RECAP

Last month, on September 11, QA Financial held the London conference of the QA Financial Forum, a global series of conferences and networking meetings for software risk managers.

The agenda was designed to meet the needs of software testers working for banks and other financial firms working in regulated, complex markets.

