DORA who? D.O.R.A. regulation.

Introducing DORA: A Game-Changing Regulation for Digital Data Governance

by Federica Massa and Federico Lusian

Dora parva consulting services

The Digital Operational Resilience Act (DORA) will enable digital operational resilience across the financial sector: financial entities (insurance companies, banks, crowdfunding companies, cryptocurrency service providers, etc) will have two years to comply with this regulation starting from the regulation’s entry into force (January 16th, 2023).

The EU regulatory environment

The rising innovation and use of digital technologies to financial activities combined with the threats and disruptions to which they could be subjected, pushed the EU in 2018 to adopt an action plan on digital finance. This approach is implemented in the “EU Digital Finance Package,” which is comprised of three legislative initiatives that have been developed since 2020:

  1. MICA – Markets in Crypto-Assets.
  2. DLT – Digital Ledger Technology
  3. DORA

DORA implements pan-European harmonization of the requirements established regarding ICT (information communication technology) security through the creation of an ICT risk management framework. DORA takes up, and strengthens, several elements already outlined in the “guidance on information and communication technology security and governance” enacted by EIOPA and also introduces new obligations for entities operating in the financial sector and for third parties providing ICT services that are considered critical.

Digital Operational Resilience: Empowering Businesses for the Next Era of Uncertainty

Digital operational resilience refers to the ability of financial services entities to withstand any kind of ICT-related disruption or threat: this includes ensuring continuity of digital service even in the presence of possible security threats, incidents or breaches of IT infrastructure.

As a result of the implementation of the regulatory requirements introduced by DORA will ensure the integrity, soundness and reliability of financial operators, representing a vehicle for awareness regarding cyber and security risks and pushing technological enhancements, stability and consumer protection in the financial sector.

DORA’s six pillars

  1. Crucially important in this compliance process is the role of the Board of Directors, which not only has the purpose of defining a strategy for managing ICT-related risks, but will also have to maintain an active role in the administration of these risks, including the reporting it will receive (at least once per year) from the head of IT regarding the outcomes and evidences of the resilience tests performed. There is also a training requirement on cyber-security for the entire company population (employees, managers and administrators).
  2. In order to ensure adequate risk management, the legislator introduces some specific requirements for financial entities, impacting both infrastructures (e.g. implement resilient ICT tools and systems and ensure adequate protection measures, carry out continuous detections of cybersecurity threats, …) and corporate policies and procedures (e.g. business continuity, disaster recovery, backup and recovery, operational and digital resilience).
  3. Regarding ICT services provided by third parties, continuous and comprehensive risk monitoring is required at all stages of the contractual relationship, from pre-contractual (e.g. due diligence on potential suppliers) to “business as usual” (e.g., periodic audits on ICT outsourcers, maintenance of a register of all existing contractual agreements, assesment on contracts, …). There are also specific elements and minimum terms to be included in all ICT outsourcing contracts. Third-party providers of critical ICT services are supervised by the Supervisory Authorities, who can request in any time the transmission of all the necessary information (business or operational documents, contracts, incident reports, audit reports, …) to fulfil its control duties.
  4. An incident monitoring, managing and reporting process must be developed including the process of incidents detection (with the support of early warning indicators) and the subsequent classification of such incidents according to the criteria described in the regulation. There is also an additional obligation to report incidents classified as critical to the Supervisory Authorities and to communicate them to internal and external stakeholders, consistently with the communication plans developed ex-ante by a specific corporate figure (the designation of which is part of DORA’s provisions).
  5. One of the major innovations introduced by DORA concerns the requirement to plan and carry out periodic threat-based penetration tests aimed to identify any weakness so that appropriate corrective measures can be implemented. Addition operational resilience tests are required for functions that are considered critical or important; they must be repeated at least every three years, as well as following any major incident or significant system change.
  6. Finally, a European information exchange mechanism regarding cyber threats is introduced, with the aim of facilitating “systemic” collaboration between financial entities that can reduce the propagation of threats in the financial universe, strengthening overall defence capability and resilience. Joining such mechanism is discretionary.

At Parva, we have initiated conversations with many clients and prospects on DORA regulation, and we recognize that there’s not a “standard” roadmap to become DORA-compliant, as each financial entity starts from a different situation. For instance, big international players are usually already compliant with many DORA requirements (banks and insurances have already adopted EIOPA/ESMA/EBA cyber-security guidelines, which have many common areas with DORA), while smaller ones have more steps to do – especially ICT services providers, that under DORA become supervised entities. And you? What’s your plan for DORA?

Parva Consulting Services

CBI Discussion Paper 8 – Outsourcing – CBI ups the ante on outsourcers in financial services sector

In this article, I want raise what I believe are a few important points on Outsourcing and Offshoring for which I will use the CBI taxonomy

Evolving Substance Requirements for Fund ManCos – Ireland & Luxembourg

by Stephen O'Brien With the ever-growing number of funds and…
market data

Market Data: what they are and why it is important to know how to manage them

The number of products and services related to the Market Data used in Financial Services is enormous. Consider that, globally, there are more than 3000 products / services.

Best Wishes

  Parva for Chicchi di Caffè   Since the foundation…

© Copyright - Parva Consulting - designed and optimized by Luke Calber