What is the DORA Regulation and why is it important?
The DORA (Digital Operational Resilience Act) Regulation aims to strengthen digital operational resilience and cybersecurity in the financial sector. From its first draft to the present day it has had a considerable impact across the European Union because of the breadth of its scope and the ambition of its cybersecurity requirements.
With its adoption, the EU requires financial entities to identify and manage the ICT risks they face. It therefore targets a key sector that is particularly exposed to cyberattacks, and lays down the obligations and procedures that must be followed.
We tell you all the details about the DORA Regulation, its importance and the keys to applying it.
What is the DORA Regulation
The DORA Regulation (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector) seeks to regulate and harmonise the management of ICT and digital risk across the EU financial sector.
It thus provides a single regulatory framework that consolidates, and in part updates, requirements that were previously scattered across supervisory guidelines and sectoral legislation (EBA and EIOPA guidelines on ICT risk and outsourcing, PSD2, eIDAS, etc.).
Proposed by the European Commission in September 2020 and often referred to simply as the EU's financial-sector cybersecurity regulation, DORA seeks to mitigate the risks that financial entities incur through their dependence on ICT.
In this sense, it puts the focus on financial organizations achieving cyber resilience: in a context where cyber attacks continue to proliferate, it seeks to ensure that organizations can continue to operate even in the face of serious digital disruptions.
In terms of scope, it applies to financial entities across the EU, including banks, insurance companies and investment firms. It also reaches the ICT third-party service providers on which those entities depend (e.g. cloud platforms or data analytics services), and subjects those designated as critical to direct oversight.
Although we go into detail about the obligations that the DORA Regulation entails later in this article, its main pillars are the following:
- ICT risk management
- ICT-related incident classification and reporting
- Digital operational resilience testing
- Management of ICT third-party risk, including the contractual arrangements between service providers and financial entities
- An oversight framework for critical ICT third-party service providers
- Arrangements for sharing information and intelligence on cyber threats
In addition, the European Supervisory Authorities (ESAs: EBA, EIOPA and ESMA) play a prominent role, since they draft the regulatory and implementing technical standards that flesh out the Regulation. Finally, it is up to the competent national authorities to supervise compliance with and application of the Regulation.
Why the DORA Regulation is important
Attacks on the financial sector, globally and in Europe in particular, are multiplying, against a backdrop of a worldwide increase in cyberattacks.
Through the DORA Regulation, Europe seeks to build a cyber-resilience framework that safeguards financial stability on the continent. To that end, it adopts a set of practices that proactively help organisations mitigate the impact of cyber threats on their systems.
At the same time, the drive to harmonise rules at European level is central to DORA. Whereas until now measures were fragmented (each country had its own rules and supervisory frameworks), the Regulation unifies and harmonises cyber-resilience efforts. This matters all the more given the legislative and economic integration that Europe has pursued in recent decades.
In addition, financial entities and the other organisations affected by DORA benefit from greater legal clarity about their cybersecurity and cyber-resilience obligations, including in a cross-border setting.
DORA Regulation Obligations
The DORA Regulation entered into force on 16 January 2023 and applies from 17 January 2025. This gives companies a two-year adaptation period from the adoption of the obligations listed below.
The reality is that a multitude of entities will have to adjust and develop new practices around their ICT systems. In this regard, the obligations set out in the Regulation can be grouped into the following four categories:
Having a management framework in place
Financial entities must develop and implement an ICT risk management framework. It must set out the internal procedures and action protocols to be applied to the specific technological risks faced by each entity. In short, it is an inventory of risks together with the controls available to prevent and mitigate them.
Periodic testing
The DORA Regulation also establishes the obligation to test the entities' systems and protocols periodically. The purpose of these tests is to check their robustness and reveal potential vulnerabilities. For entities identified by the competent authorities, this includes threat-led penetration testing (TLPT) of live production systems at least every three years.
Ensuring transparency
As part of the cyber-resilience strategy it proposes, the DORA Regulation also obliges entities to classify ICT-related incidents, to report major incidents to the competent authority, and to inform clients without undue delay when a major incident affects their financial interests.
Monitoring the value chain
In addition, financial entities must monitor any ICT functions they outsource or delegate to third parties, keeping a register of the contractual arrangements involved. The thorough monitoring and control of suppliers must be reviewed periodically.
How to implement the DORA regulation?
As mentioned above, the DORA Regulation puts in place a series of cyber-resilience obligations for banks, insurance companies, investment firms and the ICT third-party providers that serve them. Before 17 January 2025, companies in the sector must review their internal processes and implement the required practices.
At S2 Grupo we are ready to accompany European financial entities in their transition to cyber resilience. We have specialists in Governance, Risk and Compliance, as well as a range of cybersecurity solutions and personalised support to adapt to the application of the DORA Regulation. Contact us and find out how we can help you.