The new EU Regulation DORA will soon be applied

DORA is the EU's initiative to increase cybersecurity across the European financial area and covers a wide range of activities from extended reporting requirements for IT incidents to testing requirements for third-party service providers. DORA presents new provisions in the areas of IT governance, business continuity management, crisis management, information security management and outsourcing. DORA affects over 15 different institutions in the financial sector, including banks, insurance companies, payment and crypto service providers, as well as selected third-party ICT service providers.

The European Commission's "Digital Operational Resilience Act" (DORA) has been in force since January 2023. DORA is designed to significantly strengthen the cybersecurity and digital resilience of European financial firms. Article 64 of DORA requires the affected companies to comply with all the requirements by 17 January 2025. This means that companies have less than two years to achieve DORA compliance. DORA introduces new and more extensive requirements than the existing regulations such as BAIT (banking), VAIT (insurance), KAIT (capital management) and ZAIT (payment services). To ensure that the necessary compliance measures are implemented quickly and effectively, affected financial institutions will have to take action in the coming months.

DORA: Overview

The use of information and communication technologies (ICT) plays a key role today in the entire financial services industry. In response to the rapid digitisation of the European financial sector and the associated dependence on digital technologies, the European Union has developed the DORA Regulation. DORA harmonises existing European and national standards, thus creating a uniform legal framework to safeguard digital operational resilience. To achieve the goal of a secure and resilient European financial market, DORA places far-reaching demands on financial companies and critical ICT third-party service providers. It extends the existing safeguards and integrates these into a single overall security system monitored by a networked European financial supervisory authority.

The DORA requirements cover a wide range of issues intending to strengthen the digital resilience of companies. These requirements are designed to ensure reliable operation in the event of a disruption; for example, one triggered by a cyberattack. To achieve this, DORA emphasises the need for an inter-organisational approach to ensure that digital resilience plays a key role within the enterprise and transcends departmental boundaries.


Fig. 1: DORA Timeline

Scope: Who is affected?

DORA is targeted at a broad range of users and will include banks, insurance companies and payment service providers, as well as other companies such as trading platforms, information service providers, crypto service providers, insurance intermediaries, and a number of other financial firms.

It is particularly important to note that third-party ICT service providers serving financial firms are also affected if they are classified as critical by the European Supervisory Authorities (ESAs). The classification is based primarily on the criticality of the services provided and the firm’s dependence on the ICT third-party service provider. It should also be noted that affected third-party ICT service providers based in a third country will have to establish a subsidiary within the EU in order to continue to provide critical services to European financial companies.

Only "micro-enterprises" with fewer than ten employees and € 2 million in annual turnover are generally exempt from DORA.

Overview of DORA’s scope and requirements


Governance requirements

The financial firms' business strategies should be more closely aligned with ICT risk management. Management will therefore have to play a crucial, active role in overseeing the overall ICT risk management and ensuring that cyber hygiene measures are strictly maintained.

ICT risk management requirements

To keep up with a rapidly changing threat situation, financial firms need to establish and maintain resilient ICT systems and tools. These systems should be designed to perform the following functions:

  • Minimise the impact of ICT risks
  • Continuously identify all causes of ICT risks
  • Adopt protective and preventive measures
  • Promptly detect any abnormal activities
  • Establish dedicated and comprehensive business continuity strategies
  • Establish contingency and recovery plans as an integral part of the business continuity strategy

Reporting ICT-related incidents

Financial firms should be required to establish and implement a management process for monitoring and logging ICT-related incidents. All incidents must be classified according to the criteria specified by DORA. Incidents classified as serious by DORA must be reported to the competent public authorities within the prescribed time limits.

Testing the digital operational resilience

The capacities and functions made available in the context of ICT risk management must be regularly reviewed for their ability to identify and correct weaknesses, deficiencies, or gaps and for their readiness to implement corrective measures immediately. The Regulation allows the requirements for verifying digital operational resilience to be applied proportionately, depending on the size, business profile and risk profile of the financial enterprise.

Risks associated with ICT third-party providers

The Regulation aims to enable financial firms to closely monitor the risks posed by ICT third-party providers. The first step in achieving this objective is to adhere to policy-based rules for monitoring the risks arising from ICT third-party providers. In particular, the contracts governing this relationship must include a complete description of the services provided.

The Regulation's ultimate objective is to unify the various supervisory approaches to ICT third-party provider risk in the financial sector by subjecting critical ICT third-party providers to an EU supervisory framework.

The three European Supervisory Authorities (ESAs), which have been designated as the lead supervisory authority for anyone considered a critical ICT third party, are given powers to ensure that technology providers that play a vital role in the functioning of the financial sector are adequately monitored at the pan-European level.

Exchange of information

To raise awareness of ICT risks, minimise their spread, and support financial firms' defences and threat detection techniques, the Regulation allows financial firms to reach agreements among themselves on sharing information and intelligence related to cyber threats.

Publication of first concrete regulatory and implementation standards

The first drafts of the Implementation Standards (ITS) and Regulatory Standards (RTS) were published on 19 June 2023. These indicate how exactly the requirements should be implemented and define, for example, specific thresholds. The following drafts have been published:

  • RTS for the risk management framework and RTS for simplifying the ICT risk management framework
  • RTS for assessing and classifying ICT incidents
  • RTS for defining the outsourcing policy for ICT services
  • ITS for the information register for outsourced ICT services

The drafts of the implementation and regulatory standards currently available will be finalised by the European Commission by mid-2024. There are also plans to publish additional standards.

Outlook / conclusion

DORA highlights the need for financial firms to strengthen their efforts to enhance cybersecurity and address its related issues. The broad spectrum of issues covered by DORA demands a holistic, cross-departmental approach to dealing with the multitude of new requirements. DORA can also be seen as an opportunity, as implementing the requirements creates the kind of strong digital resilience necessary to help financial companies survive an emergency. Affected companies should therefore now already start a coordinated project to implement the DORA requirements, taking into account the published implementation and regulatory standards.

Our services (Mazars' approach / support / audit / assessment)

Mazars helps you achieve DORA compliance by using a detailed gap analysis, taking the steps necessary to meet any unfulfilled requirements, closing any identified gaps, and determining audit assurance.