A series of recent high-profile outages and business disruptions at European banks has highlighted the threat that a lack of digital operational resilience poses to the financial industry. To guard against these risks and to increase stability and security of the European financial sector, the European Council has consolidated existing national regulations to create a more robust digital operational resilience across the financial industry. This has been done through the Digital Operational Resilience Act (DORA), which will take effect in January 2025. There is a lot to be done within organisations in order to comply with this regulation.
Financial entities which will be impacted by DORA will include credit institutions; payment institutions and electronic money institutions; investment firms; alternative investment fund and UCITS management companies; as well as (re)insurance undertakings and (re)insurance intermediaries.
These entities will need to ensure that they have the ability to build, assure and review their operational integrity and reliability through the use of information and communication technology (ICT). All this in order to protect the security of the network and IT systems which these entities use such that each entity can continue to provide financial services throughout any potential disruptions.
DORA’s key requirements will include:
· ICT risk management
· Reporting ICT events or significant cyber threats
· Testing digital resilience
· Contractual requirements for contracts entered into between ICT (third-party) service providers and financial entities
· Implementing an oversight framework for ICT third-party service providers.
DORA will have an extraterritorial impact due to the global nature of the financial industry and the fact that financial entities provide their services via certain IT platforms to clients in many different jurisdictions.
Source - DORA: More than meets the eye... by Trevor Dolan from Eversheds Sutherland (first published on GRIP 27 February 2024)