What Is the New EU Dora Regulation and Who Does It Apply To?
Technology is now the foundation of many business operations. Companies wanting to stay relevant in competitive markets must embrace digital systems to ensure they keep up.
While technology use is rising in many industries, its prominence is particularly visible in the financial sector. Adopting new systems in this industry brings clear benefits, including faster transactions and efficient business across borders. However, because finance companies depend so heavily on technology, even a small system failure can cause severe disruption and significant financial loss.
The European Union (EU) has recognised the importance of ensuring its financial sector remains resilient when facing such incidents. It therefore adopted the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, which entered into force on 16 January 2023. DORA is a detailed regulatory framework designed to promote financial stability by ensuring firms can withstand, recover from, and adapt to ICT-related incidents, including cyberattacks.
DORA forms a critical component of the EU’s broader digital finance strategy, marking a notable shift in how financial entities must manage digital risks. The regulation applies to in-scope organisations from 17 January 2025, so firms that have not already done so must take the necessary steps to comply before that deadline.
Who does the regulation apply to?
DORA applies to the financial entities listed in its scope provisions (Article 2) and, through them, to the ICT third-party service providers they rely on. Examples of in-scope entities and providers include:
- Banks and credit institutions, like Deutsche Bank and BNP Paribas.
- Payment and e-money institutions that handle digital payments, such as PayPal and Revolut.
- Investment firms and asset managers, such as Vanguard.
- Insurance companies like Allianz and Axa.
- Market infrastructures and stockbrokers such as Euronext and Deutsche Börse.
- Information and communication technology (ICT) third-party service providers, including cloud service providers like AWS and Microsoft Azure.
What are the main elements?
DORA’s overall objective is to improve the digital operational resilience of financial institutions’ ICT systems, and it does this through six key areas:
1. ICT risk management
Entities must maintain a sound, comprehensive and well-documented ICT risk management framework, with the management body ultimately responsible for it. This includes clear policies and processes for mitigating risks and minimising the negative impact of an ICT-related incident. The relevant financial institutions must:
- Continuously monitor and assess potential risks arising from ICT systems, including cyber threats, software vulnerabilities, and hardware failures.
- Develop and implement mitigation strategies, such as firewalls, intrusion detection systems, and data encryption, to minimise a disruption’s impact.
- Establish clear policies for responding to ICT-related incidents, ensuring their businesses can recover quickly.
2. Third-party risk management
Financial entities remain fully responsible for the ICT services they outsource. Contracts with third-party ICT service providers must therefore include specific provisions for managing digital risks, so that DORA’s requirements flow down to those providers. For example:
- Before entering into agreements, entities must conduct thorough due diligence on third-party providers to assess their risk management capabilities and compliance with DORA.
- Contracts must include specific clauses that address security requirements, incident reporting, audit and access rights, and exit strategies. For example, a clause might require the provider to notify the financial entity within a specific time frame if a data breach occurs.
- Financial entities must maintain a register of information covering all their contractual arrangements with ICT third-party providers, which competent authorities may request, and must monitor the performance and security of those providers on an ongoing basis to track their compliance.
3. Digital operational resilience testing
Firms must run a proportionate, risk-based testing programme, with at least an annual test of critical ICT systems, to ensure those systems are fit for purpose. They should:
- Conduct regular penetration testing (simulating cyberattacks to identify and rectify system vulnerabilities).
- Carry out scenario-based testing to see how well systems handle extreme incidents.
- Carry out threat-led penetration testing (TLPT), in which a group of security professionals attempts to breach the company’s live production systems using the tactics of real attackers while the company’s own defenders try to detect and stop them. Financial entities identified as significant must perform a TLPT at least every three years (Article 26).
4. ICT-related incidents
Financial entities must implement procedures for detecting, managing, classifying, and reporting ICT-related incidents. This includes:
- Implementing systems that detect incidents early by picking up on suspicious activity.
- Classifying incidents using criteria such as the number of clients affected, the duration of the incident, its geographical spread, any data losses, the criticality of the affected services, and the economic impact. For example, a minor incident might involve temporary delays, while a major incident could involve a data breach affecting customer information.
- Reporting major incidents, such as those leading to significant data loss or service disruption, to the competent authority within the set deadlines: an initial notification shortly after the incident is classified as major, followed by an intermediate report and a final report. Entities may also voluntarily notify authorities of significant cyber threats.
5. Information sharing
The regulation encourages collaboration by allowing entities to exchange cyber threat information and intelligence within trusted communities, to improve protection across member states. The relevant organisations should:
- Share threat intelligence with other financial institutions and relevant authorities.
- Participate in sector-specific information sharing and analysis centres (ISACs) to exchange information about emerging threats and best practices.
- Work with international counterparts to manage global threats, such as a ransomware attack targeting multiple countries.
6. Oversight of critical third-party providers
ICT third-party providers designated as critical are placed under a dedicated EU-level oversight framework. For each critical provider, one of the European Supervisory Authorities (the EBA, EIOPA or ESMA) is appointed as its “Lead Overseer”. The Lead Overseer’s responsibilities include:
- Designating certain third-party providers, such as large cloud providers, as “critical” based on their importance to the financial sector.
- Conducting regular assessments of these providers, reviewing their risk management practices, security measures, and incident response capabilities.
- Taking enforcement action if a critical provider fails to comply with DORA’s requirements. The Lead Overseer can issue recommendations and impose periodic penalty payments to compel compliance; as a last resort, competent authorities can require financial entities to suspend or terminate their use of the provider’s services.
- Auditing and inspecting the critical provider’s systems to ensure compliance.
How will the DORA regulation impact businesses?
For many organisations, DORA’s implementation will profoundly alter their daily operations. For most, it will mean a significant overhaul of their existing digital risk management frameworks and increased investment in new resources to meet the regulation’s requirements.
Introducing complex new measures to ensure compliance will likely involve companies hiring cybersecurity experts, developing new internal protocols, and improving reporting systems. For larger institutions with sufficient resources, allocating funds to implement new compliance measures effectively is crucial. However, compliance responsibilities will be particularly challenging for smaller financial entities with more limited means.
The regulation also imposes a new level of scrutiny on third-party ICT providers, which could lead to changes in contractual relationships and service agreements. The impacts and obligations vary depending on whether a provider is “critical” or “non-critical”:
Critical ICT providers
The European Supervisory Authorities will designate as critical those providers whose failure would threaten the stability and security of the financial system. These companies will face regular compliance reviews by their Lead Overseer, including on-site inspections and audits, with periodic penalty payments for non-compliance. They may also have to regularly provide details of their operations and risk management strategies for assessment.
Non-critical ICT providers
These providers are less crucial to the system’s functioning and are not subject to direct oversight. Their DORA obligations reach them indirectly, through the contracts their financial-entity customers must put in place, so they must be prepared to accept the required clauses, such as incident reporting, audit rights, and exit provisions.
Despite these challenges, DORA’s introduction will lead to a more secure economic future for the EU, so the initial teething problems are expected to pay off in the long run.
How will the regulation impact the UK post-Brexit?
Although the UK is no longer part of the EU, DORA’s implementation is still likely to have significant implications for UK financial entities and ICT providers that operate internationally.
UK financial entities with EU subsidiaries or branches that fall within DORA’s scope must comply for those operations, and UK ICT providers serving EU financial entities will be bound, through their contracts, to meet DORA’s requirements. Such firms may face dual regulatory obligations, meaning they must abide by DORA and the UK’s domestic regimes. This added layer of complexity will likely increase compliance costs for UK firms.
Implementing equivalent regulations may also be necessary for many UK entities to attract business from EU companies that will prefer to forge relationships with firms adhering to the regulation’s strict requirements.
Proposal for a UK DORA Regulation
Recognising the importance of digital operational resilience and DORA’s impact on UK businesses, the UK is discussing introducing a UK equivalent to DORA. The UK already has domestic rules promoting financial resilience, including the regulators’ operational resilience framework and the critical third parties regime introduced by the Financial Services and Markets Act 2023, but it equally acknowledges the need for revisions to align more closely with enhanced systems and an increasingly connected business world.
The timing of any new legislation will depend on ongoing consultations and the perceived urgency of aligning with global standards. Either way, a UK DORA regulation would ensure added protection for UK financial firms and the sector as a whole.
How can organisations ensure compliance?
Financial entities should undertake several key steps to meet the strict requirements of DORA:
1. Audit and assessment
Companies should start by conducting a detailed gap analysis of their current systems, contracts, and processes against each DORA requirement. The audit should include a risk assessment to prioritise threats based on their potential impact and likelihood.
2. Develop a compliance plan
They should then create a detailed plan to address and prioritise identified gaps based on severity. The plan should outline each compliance activity’s objectives, tasks, and deadlines. It should also assign roles and responsibilities to ensure accountability, including appointing a compliance officer or team.
3. Training and awareness
Companies should organise tailored training sessions for staff at all levels to ensure awareness and understanding of DORA’s requirements. Organisations should also update their training programs to reflect evolving risks. Conducting simulations and scenario-based exercises is a great way to help staff practice responding to potential incidents.
4. Collaboration with third parties
The relevant entities must engage with third-party ICT providers to ensure compliance, renegotiate contracts where they lack the required clauses, and populate the register of information. They should also maintain regular communication with providers to ensure they are up to date with compliance expectations and regulatory changes.
5. Monitoring and reporting
Ongoing monitoring and reporting are vital to ensuring compliance, so institutions should implement systems that allow this. Monitoring tools can track system performance, detect anomalies, and identify potential threats. The relevant teams should develop protocols for responding to incidents, covering containment, eradication, recovery, and reporting to the competent authority within DORA’s deadlines.
Conclusion
The DORA regulation is vital to strengthening the EU’s financial sector’s digital defences. By imposing stringent requirements on financial entities and their third-party ICT providers, it seeks to ensure these organisations can withstand, recover from, and adapt to various technology-related incidents.
DORA’s impact will likely be significant, affecting everything from internal processes to cybersecurity measures, as well as relationships with third-party providers. Financial entities must make considerable changes to their operations to align with the regulation, including thorough audits, detailed compliance plans, ongoing training programs, and improved collaboration with external providers.
Compliance may be challenging and require ample business resources, placing an extra burden on smaller financial entities. However, the benefits of adhering to DORA are substantial, including enhanced protection from disruptions and an overall improvement in the stability and integrity of the EU’s broader financial system. DORA seeks to improve economic security across member states, ensuring all relevant institutions remain resilient in an increasingly complex digital environment.
As the January 2025 compliance deadline approaches, financial entities must act swiftly to align their operations with DORA’s requirements. This regulation represents a critical step in securing the EU’s financial infrastructure and sets a precedent for global standards in digital operational resilience. Organisations that effectively implement DORA’s provisions will create a more secure, stable, and trustworthy economy for all stakeholders across the EU.
Contact TechLab
Find out how TechLaB can help you reach your goals with our business-oriented, fast, innovative, multilingual yet detail-oriented legal advice.