DORA who? D.O.R.A. regulation.

Introducing DORA: A Game-Changing Regulation for Digital Data Governance

by Federica Massa and Federico Lusian

Dora parva consulting services

The Digital Operational Resilience Act (DORA) will enable digital operational resilience across the financial sector: financial entities (insurance companies, banks, crowdfunding companies, cryptocurrency service providers, etc) will have two years to comply with this regulation starting from the regulation’s entry into force (January 16th, 2023).

The EU regulatory environment

The rising innovation and use of digital technologies to financial activities combined with the threats and disruptions to which they could be subjected, pushed the EU in 2018 to adopt an action plan on digital finance. This approach is implemented in the “EU Digital Finance Package,” which is comprised of three legislative initiatives that have been developed since 2020:

  1. MICA – Markets in Crypto-Assets.
  2. DLT – Digital Ledger Technology
  3. DORA

DORA implements pan-European harmonization of the requirements established regarding ICT (information communication technology) security through the creation of an ICT risk management framework. DORA takes up, and strengthens, several elements already outlined in the “guidance on information and communication technology security and governance” enacted by EIOPA and also introduces new obligations for entities operating in the financial sector and for third parties providing ICT services that are considered critical.

Digital Operational Resilience: Empowering Businesses for the Next Era of Uncertainty

Digital operational resilience refers to the ability of financial services entities to withstand any kind of ICT-related disruption or threat: this includes ensuring continuity of digital service even in the presence of possible security threats, incidents or breaches of IT infrastructure.

As a result of the implementation of the regulatory requirements introduced by DORA will ensure the integrity, soundness and reliability of financial operators, representing a vehicle for awareness regarding cyber and security risks and pushing technological enhancements, stability and consumer protection in the financial sector.

DORA’s six pillars

  1. Crucially important in this compliance process is the role of the Board of Directors, which not only has the purpose of defining a strategy for managing ICT-related risks, but will also have to maintain an active role in the administration of these risks, including the reporting it will receive (at least once per year) from the head of IT regarding the outcomes and evidences of the resilience tests performed. There is also a training requirement on cyber-security for the entire company population (employees, managers and administrators).
  2. In order to ensure adequate risk management, the legislator introduces some specific requirements for financial entities, impacting both infrastructures (e.g. implement resilient ICT tools and systems and ensure adequate protection measures, carry out continuous detections of cybersecurity threats, …) and corporate policies and procedures (e.g. business continuity, disaster recovery, backup and recovery, operational and digital resilience).
  3. Regarding ICT services provided by third parties, continuous and comprehensive risk monitoring is required at all stages of the contractual relationship, from pre-contractual (e.g. due diligence on potential suppliers) to “business as usual” (e.g., periodic audits on ICT outsourcers, maintenance of a register of all existing contractual agreements, assesment on contracts, …). There are also specific elements and minimum terms to be included in all ICT outsourcing contracts. Third-party providers of critical ICT services are supervised by the Supervisory Authorities, who can request in any time the transmission of all the necessary information (business or operational documents, contracts, incident reports, audit reports, …) to fulfil its control duties.
  4. An incident monitoring, managing and reporting process must be developed including the process of incidents detection (with the support of early warning indicators) and the subsequent classification of such incidents according to the criteria described in the regulation. There is also an additional obligation to report incidents classified as critical to the Supervisory Authorities and to communicate them to internal and external stakeholders, consistently with the communication plans developed ex-ante by a specific corporate figure (the designation of which is part of DORA’s provisions).
  5. One of the major innovations introduced by DORA concerns the requirement to plan and carry out periodic threat-based penetration tests aimed to identify any weakness so that appropriate corrective measures can be implemented. Addition operational resilience tests are required for functions that are considered critical or important; they must be repeated at least every three years, as well as following any major incident or significant system change.
  6. Finally, a European information exchange mechanism regarding cyber threats is introduced, with the aim of facilitating “systemic” collaboration between financial entities that can reduce the propagation of threats in the financial universe, strengthening overall defence capability and resilience. Joining such mechanism is discretionary.

At Parva, we have initiated conversations with many clients and prospects on DORA regulation, and we recognize that there’s not a “standard” roadmap to become DORA-compliant, as each financial entity starts from a different situation. For instance, big international players are usually already compliant with many DORA requirements (banks and insurances have already adopted EIOPA/ESMA/EBA cyber-security guidelines, which have many common areas with DORA), while smaller ones have more steps to do – especially ICT services providers, that under DORA become supervised entities. And you? What’s your plan for DORA?

Case Study – Digital transformation project for an international Loan & Leasing company

An international Loan & Leasing company selected Parva Consulting to oversee a digital transformation initiative that would enable all its business divisions to function under a unified framework, while being locally compliant.
Read more

DORA and contractual arrangements

Tight deadline, big challenges: DORA's contractual requirements put pressure on financial entities and providers. Uncertainties and timelines raise industry concerns. Explore the key issues and emphasizes early action for a smooth DORA compliance journey.
Read more

RAIF and Luxembourg market

Approximately seven years after the introduction of RAIF funds into the Luxembourg fund market, we aim to explore their distinct features, amendments, updates, and evaluate their entry within the Luxembourg fund market.
Read more

Travel Rule Guidelines: EBA’s Blueprint to Combat the Abuse of Crypto-Assets Transfers for Money Laundering

The EBA published draft Guidelines on preventing the abuse of funds and certain crypto-assets transfers for money laundering and terrorist financing purposes under Regulation (EU) 2023/1113 (‘The Travel Rule Guidelines’).
Read more

Parva SpA P.Iva e C.F. 04747210963

Legal Info | Corporate Social Responsibility

MEMBER

ALFI ASSOCIATE MEMBER

ASSOCIATE

CETIF SPONSOR

MEMBER

ASSOCONSULT MEMBER

AWARDS

AWARDS

SUPPORTER

chicchi di caffè christmas

SUPPORTER

parva consulting support

© Copyright - Parva Consulting - designed and optimized by Luke Calber
Parva Consulting Earns Great Place to Work Certification™AIFMD Regulatory processTowards AIFMD II, the ongoing legislative process: where are we?