DORA affects the EU financial services sector, and this legislation is about to make waves in the financial industry. Here is a look at some of the DORA obligations that financial institutions must adhere to.
The financial services sector has long been a technology innovator and first mover. Advances in banking and finance have meant that digital transformation in the industry has surged ahead. But new technology and new ways of working entice cybercriminals. The result is that attacks against the financial sector are soaring.
In 2021, banking experienced a 1,318% increase in ransomware attacks, and 65% of large financial organisations experienced a cyber attack in 2020. The severe nature of increasingly complex and damaging cyber attacks within the financial sector has led to new legislation entering the financial services regulation lexicon, and its name is DORA (Digital Operational Resilience Act).
The first draft of DORA was published on 24 September 2020, and on 10 September 2022, the European Parliament approved. The legislation will play a central part in the ‘digital finance package,’ used to enable digital finance innovation and competition while mitigating the risks arising from the industry’s digitisation.
As such, Article 114 of the Treaty on the Functioning of the European Union (TFEU) is used as the legal basis for DORA; the legislation focuses on harmonising cyber security guidelines across the sector.
The EU likes to use regulatory means to consolidate and harmonise best practices; the GDPR is an example of a harmonised data privacy regulation; DORA is the EU’s attempt at consolidating and upgrading ICT risk management across the financial sector, with DORA impacting EU financial services firms and their (critical) ICT providers.
DORA will require financial sector firms to implement measures that protect them against ICT-related risks: as such, DORA extends requirements to include third parties, such as cloud providers.
What Obligations Does DORA Require from the Financial Sector?
The goal is to create a resilient environment across the financial services ecosystem. The underlying framework of DORA is built upon a set of rules that are designed to help financial institutions develop robust risk management processes. Some of the core requirements and coverage of DORA include the following:
Scope of DORA
Almost all types of financial entities will come under DORA. Covered entities include credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, alternative investment funds, insurance managers, etc. The exception is auditors, who are currently not subject to DORA rules, but this is likely to change in future versions of the Act. For a complete list of covered entities, see Article 2 of DORA.
ICT providers who service covered entities under DORA must also adhere to the Act. ICT providers are viewed as pivotal to the financial sector and, as such, are subject to stringent rules under DORA. Critical non-EU-based ICT service providers to financial entities in the EU must establish a subsidiary within the EU.
ICT Providers and DORA
Third-party risk management is a key part of DORA. The focus on ICT providers is a reaction to the increase in supply chain attacks such as the SolarWinds Orion software update. The European Union Cybersecurity Agency (ENISA) reported increased sophistication and volume of supply chain attacks, with attackers targeting the supply chain to steal data and financial assets. DORA coordinates requirements using existing frameworks such as the European Banking Authority (EBA) Outsourcing Guidelines. (See also DORA Article 14)
Under DORA, financial firms can define some ICT providers as ‘critical.’ As such, a critical ICT provider that services a DORA-covered entity will come under stringent rules enforced via direct engagement with the EU FS (financial services) authorities.
Key Cyber Security Measures
The core values of DORA legislation are to maintain resilient ICT systems. To achieve this, the following guidelines have been set out:
Risk Management and Resiliency
At the core of DORA are risk management guidelines to help the financial services sector build more resilient infrastructures. The resulting risk management programs and assessments are used as a basis for resiliency testing. In addition, the legislation expects that business impact analyses based on “severe business disruption” scenarios must be carried out.
Resiliency and vulnerability testing are expected to be carried out by independent experts and include regular threat-led penetration testing. Importantly, all critical ICT systems should be tested annually.
Protection Measures (see also Article 8)
Examples of protection measures required include:
- Use appropriate and comprehensive policies for patches and updates.
- Implement policies and protocols for strong authentication mechanisms
- Follow a risk-based approach to establish a sound network and infrastructure management
- Implement policies that limit the physical and virtual access to ICT system resources and data
- Prevent information leakage
Article 15 contains details about requirements to manage and control security incidents, including procedures to “detect, manage and notify ICT-related incidents and shall put in place early warning indicators as alerts.”
Reporting Cyber Security Incidents
Covered entities must provide a means to monitor, describe, and report any significant ICT-based incidents to relevant authorities. Reporting rules are stringent for critical ICT providers. They include making an initial notification no later than the end of the business day, or if the significant incident occurred later than 2 hours before the end of the business day, no later than 4 hours from the beginning of the next business day.
From there, an intermediate report is required no later than one week after the initial notification; this is followed by a final report when the root cause analysis has been completed no later than one month after sending the initial report.
Management and Security Accountability
DORA places accountability for ICT risks and cyber threats at the door of the management group of financial services. Providing Security Awareness Training will help ensure the C-level, and the entire company are security-focused.
DORA also covers essential cyber security management and response aspects such as information sharing (see Article 40).
What Next for DORA?
The regulation has a 24-month implementation period for financial entities and their critical third-party service providers from legislation go-live. Therefore, covered entities are advised to use the 24 months between the legislation going live date and implementation of compliant measures to do a gap analysis: measures such as threat-led penetration testing and stringent reporting rules could otherwise fall through that gap.