DORA has arrived! No, not the explorer, the Digital Operational Resilience Act

From today, the EU's new cybersecurity rules under this act apply to financial entities, including banks, insurance companies and investment firms, as well as to the ICT third-party providers that serve them.

What is the purpose of DORA?

DORA introduces comprehensive rules designed to protect the financial services sector and its customers from disruptions related to Information and Communication Technology (ICT). The Act focuses on ICT risk management, the classification and reporting of ICT-related incidents, digital operational resilience testing and the management of ICT third-party risk. The aim is to ensure the sector can withstand, respond to and recover from severe operational disruptions such as cyberattacks. More than 22,000 financial entities and ICT service providers operating in the EU fall within its scope.

How does DORA compare to other operational resilience regulations?

Regulators have been focusing on operational resilience for some time. The Central Bank of Ireland, for example, issued its cross-industry guidance on operational resilience with an implementation deadline of December 2023. DORA is more demanding and more prescriptive, with fixed obligations and timelines rather than principles-based guidance.

DORA sets out specific rules for how firms must identify, classify, respond to and report major ICT-related incidents, which will raise the baseline of risk management across the sector. It is similarly specific about digital operational resilience testing: what must be tested, how often and by whom.

Many financial institutions already carry out testing but may lack strong documentation or repeatable processes. Now that DORA applies, institutions need to be able to demonstrate oversight, management and governance of testing and the other key elements of operational resilience.

The five pillars of DORA

ICT Risk Management 

ICT risk management must be proactive rather than reactive, with a documented framework approved and overseen by the management body. This covers risk assessments, mitigation strategies, business continuity and incident response plans, and ongoing risk awareness and training for staff.

Incident Reporting 

Incident reporting by financial entities in the EU is standardised. Institutions must monitor, detect, classify, report and analyse ICT-related incidents, and major incidents must be reported to the competent authority using harmonised templates and timelines (initial notification, intermediate report and final report). Transparency is key, so incidents must be communicated to both internal and external stakeholders, including affected clients where relevant.

Digital Operational Resilience Testing 

Financial institutions must be able to withstand cyber threats. Organisations must test their ICT systems and cyber defences regularly, remediate the weaknesses found and improve based on the results. Entities identified as significant must also carry out threat-led penetration testing (TLPT) at least every three years.

Third-Party Risk Management 

Oversight of the relationship between financial institutions and their ICT third-party providers is strengthened. Institutions must maintain a register of information on all their ICT third-party arrangements, include mandatory contractual provisions in their agreements, carry out ongoing due diligence and have an exit and offboarding strategy so that third-party relationships do not compromise resilience.

Information Sharing 

Awareness of operational resilience and the sharing of threat intelligence and lessons learned across the sector are key. DORA allows financial entities to exchange cyber threat information and intelligence within trusted communities, provided it is done securely, so that collaboration strengthens resilience across the sector.

Non-compliance penalties

Penalties for financial entities are set and imposed by the national competent authorities under DORA, and can include administrative fines and remedial measures against both the entity and the individuals responsible. Failing to report a major ICT-related incident is itself a breach that can be penalised.

ICT third-party providers designated as critical by the European Supervisory Authorities (ESAs) are overseen directly by a Lead Overseer, which can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, charged daily for up to six months until the provider complies.

Need help exploring DORA?

Reach out to us on 0818 987 900 or email us at hello@intuity.ie and our experts will be happy to help.

To stay up-to-date with the latest tech news and solutions, subscribe to our newsletter.