The Green Sheet

Wednesday, August 30, 2023

It's a DORA world, EU regulators say

The Digital Operational Resilience Act (DORA), which was introduced by the European Union on Dec. 22, 2022, to improve operational efficiencies in information and communications technology (ICT), has been formally adopted.

The far-reaching guidance is formally identified as "Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)," according to the Official Journal of the European Union.

Cyber Risk GmbH, a Swiss research firm that follows DORA developments, stated the guidelines address widespread ICT vulnerabilities in risk management, incident reporting, operational resilience testing and third-party risk monitoring. DORA's best practices, the firm noted, will harden security across the financial ecosystem, helping organizations withstand, respond to and recover from ICT-related disruptions and threats.

"Before DORA, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all components of operational resilience," Cyber Risk GmbH researchers wrote. "After DORA, they must also follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents."

Impending deadlines

Researchers further noted that plans are underway to enforce all DORA guidelines beginning Jan. 17, 2025, the twentieth day after the ruling's publication in the Official Journal of the European Union.

"Remember, the Digital Operational Resilience Act (DORA) is a Regulation, not a Directive, so it is binding in its entirety and directly applicable in all EU Member States," they wrote, urging financial entities to fully enforce the horizontal cybersecurity framework to ensure consistency with existing cybersecurity strategies across EU member countries.

Noting that DORA guidance aggregates disparate guidance across numerous operational siloes, EU regulators encouraged financial supervisors to be aware of cyber incidents affecting other sectors, such as third-party service providers that intersect the financial community.

"The Digital Operational Resilience Act (DORA) aims first at consolidating and upgrading the ICT risk requirements addressed so far separately in the different Regulations and Directives," they wrote. "While those Union legal acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they could not comprehensively tackle, at the time of their adoption, all components of operational resilience."

U.S. implications

Mark Young, cyber resilience and IT recovery lead at Morgan Franklin, mentioned that DORA implementation and compliance will be complex and time-consuming, which is why his firm is already helping U.S. enterprises meet the following requirements:

  • Validate that previous operational resilience requirements have been achieved, starting with clear definitions and mapping of critical business services.

  • Assess that policy, procedures and security control comply with all DORA requirements.

  • Assess that third-party contracts are aligned with risk and resilience impact data.

  • Fully document operational and digital resilience capabilities.

"Challenges to cyber resilience are expanding in the financial sector and regulatory guidance is increasing to meet these challenges globally," Young wrote in a June 21, 2023 post on LinkedIn, adding that DORA-compliant organizations will be required to show their core operational resilience requirements, including oversight for information communications technologies in planning, testing, and recovery capabilities. In addition, he noted, they must demonstrate that risk management, incident reporting, governance policies and procedures and third-party provisions align with DORA requirements.

Consistency, simplicity

"The use of a regulation helps reducing regulatory complexity, fosters supervisory convergence, increases legal certainty, while also contributing to limiting compliance costs, especially for financial entities operating cross-border, and to reducing competitive distortions," Cyber Risk GmbH researchers wrote. "The choice of a Regulation for the establishment of a common framework for the digital operational resilience of financial entities appears therefore the most appropriate way to guarantee a homogenous and coherent application of all components of the ICT risk management by the Union financial sectors."

Additional information on DORA regulations can be found at www.digital-operational-resilience-act.com/

Additional updates on the DORA are available in a free monthly newsletter published by Cyber Risk GmbH and on the firm's website at www.digital-operational-resilience-act.com/DORA_Links.html
