DORA
In France, as elsewhere, the accelerated digitalisation of financial services has amplified the risks in terms of cybersecurity and operational resilience. It is against this backdrop that the European Union has introduced the Digital Operational Resilience Act (DORA), a regulatory framework aimed at strengthening the resilience of financial institutions to digital threats. Adopted in November 2022 by the EU Council, DORA and its associated directive came into force on 16 January 2023.
Why DORA?
The Digital Operational Resilience Act is a made-in-Europe regulation. It was proposed in September 2020 by none other than the European Commission, as part of its strategy for digital finance. Why is this legislation necessary? Because the authorities have recognised the growing vulnerability of financial infrastructures to cyber attacks and technological disruption.
DORA therefore aims to ensure that all financial entities in the EU have the necessary capabilities, resources and tools to prevent, detect, manage and recover from ICT (Information and Communication Technology) incidents.
What are DORA’s main objectives?
- Strengthen the operational resilience of financial institutions, i.e. ensure that financial entities can continue to operate in the event of disruptive incidents.
- Harmonise regulatory requirements across the EU by creating a consistent and uniform framework for all financial institutions – thereby reducing regulatory disparities between Member States.
- Improve risk monitoring and management by putting in place robust mechanisms to proactively identify and manage technological risks.
Who is DORA for?
DORA applies to a (very) wide range of financial entities. Here is a non-exhaustive list:
- banks and credit institutions;
- investment firms;
- insurers and reinsurers;
- asset management companies;
- financial market infrastructures (clearing houses, central securities depositories);
- payment service providers.
And that’s not all: DORA also imposes obligations on third-party providers who supply essential services to financial entities. The critical interdependence between these suppliers and the financial sector has therefore (finally) been recognised!
The 5 pillars of DORA regulation
#1 Risk management
First and foremost, DORA requires financial entities to put in place a robust and documented risk management framework. It must take into account several components: prevention, detection, response and learning.
An effective risk management strategy therefore includes:
- the implementation of appropriate security measures to prevent incidents;
- continuous monitoring of systems to detect incidents and vulnerabilities;
- the design of detailed plans for responding to incidents and restoring services;
- post-incident assessments to improve processes and controls.
#2 Operational resilience testing
Operational resilience testing is the first level of testing introduced by DORA. What does it involve? Simulating an attack on an asset in order to identify its main vulnerabilities.
Mandatory for all entities within the scope of DORA, these tests are divided into two categories:
- internal tests, which must be carried out regularly to assess the ability to withstand and recover from incidents;
- threat-based penetration tests (TIBER-EU), which are much more advanced and reserved for critical entities.
Test results must (of course) be shared with regulators to ensure transparency and compliance in all circumstances.
#3 Managing third parties and service providers
Just because service providers are external to the company doesn’t mean they don’t count! On the contrary: relationships with these players are crucial to operational resilience.
In keeping with its mission, DORA imposes specific obligations in terms of third-party management:
- carry out a thorough preliminary evaluation of suppliers before concluding contracts;
- include specific contractual clauses to guarantee the resilience and security of the services provided;
- put in place monitoring mechanisms to evaluate suppliers’ performance and risks on an ongoing basis;
- prepare exit plans to manage the termination of contracts without disrupting operations.
#4 Incident reporting
Preventing incidents is all very well. But when they unfortunately happen, you can’t keep them to yourself! On the contrary, reporting incidents is a crucial part of the DORA regulations (and of cybersecurity in general).
To provide a framework for this practice, DORA first imposes strict notification deadlines: entities must notify the competent authorities of major incidents within 24 hours of detection. This rapidity requirement is designed to ensure a rapid and coordinated response to minimise the potential impact of the incident.
Incident reports submitted to the authorities must be detailed and complete. They must include:
- the nature of the incident (a precise description of what happened, including the type of attack or failure);
- its impact on company operations, customers and partners (financial losses, service disruption, data security breaches, etc.);
- the actions taken to contain and mitigate the incident (technical measures, communication actions, disaster recovery operations, etc.);
- an analysis of the causes of the incident and the preventive measures formalised to avoid similar incidents in the future (improvements to security processes, software updates, staff training, etc.).
#5 Governance and oversight
The DORA regulations emphasise the responsibility of the board of directors and senior management of financial entities, who must be directly involved in risk management. Their main obligation? To ensure that all staff are trained and aware of risks and resilience measures.
But national and European regulators are not to be outdone: they also have a role to play, since they are responsible for monitoring compliance, carrying out inspections and imposing penalties in the event of non-compliance.
DORA emphasises cooperation and coordination between the different regulatory authorities within the EU. They are required not only to share information, but also to work together to ensure that the overall response is consistent and effective. Proof that collaboration and protection can go hand in hand.
What are the implications for financial institutions?
1. Increased investment in technology
Since DORA came into force, financial institutions have had to invest significantly in their technological infrastructures to comply with these new requirements.
These investments may concern:
- improving overall cybersecurity systems;
- the implementation of advanced monitoring and detection solutions;
- the automation of risk management processes.
Financial institutions also need to invest in ongoing training for their staff to ensure they understand both the new cyber risks and resilience protocols.
2. Changes to policies and procedures
Another change is that companies’ internal policies and operational procedures must be revised to incorporate the new DORA requirements. Business continuity plans, incident response procedures, supplier management protocols… everything needs updating!
3. Engaging with suppliers
To ensure they are (and remain) DORA compliant, financial institutions need to strengthen their relationships with their service providers. This may involve:
- renegotiating contracts;
- the establishment of new service level agreements (SLAs);
- the implementation of stricter monitoring mechanisms.
Challenges in implementing the Digital Operational Resilience Act
1. Complex regulations
DORA is a useful and relevant regulation… but it is complex and demanding. For small and medium-sized businesses with limited resources, it can therefore be difficult to implement. Whatever the size of the entity, compliance with DORA requires careful planning, considerable investment and constant monitoring.
And since we’re talking about integrating new requirements into an existing system, financial institutions need to ensure that their systems can interact effectively with the new resilience and monitoring solutions.
2. Third-party management issues
Managing service providers – no mean feat in itself – can prove particularly difficult under DORA regulations. The main areas concerned? Ongoing monitoring and assessment of the risks associated with their suppliers.
A number of requirements are imposed on financial institutions:
- implement monitoring mechanisms and regular audits to ensure that suppliers comply with security and operational resilience standards;
- assess the risks posed by their suppliers, particularly in terms of business continuity, through analyses of the entire supply chain.
In short, they need to work closely with their suppliers to ensure compliance with DORA requirements without compromising operations. This may involve detailed contracts, specific incident management clauses, or transparency and reporting obligations.
3. Unavoidable regulatory coordination
To ensure that the DORA regulations are implemented harmoniously in all the countries concerned, the (many) national and European authorities need to communicate and work together. The aim? To harmonise DORA requirements and processes, to make things easier for companies operating in several countries.
This is a good thing – although for financial institutions, it means navigating an even more complex and evolving regulatory landscape… They need to remain vigilant to adapt to potential changes in regulations, through ongoing regulatory monitoring.
What are the advantages of DORA regulations?
As its name suggests, the Digital Operational Resilience Act aims to… improve the operational resilience of financial institutions. Its aim is simple (but twofold): to reduce the likelihood and impact of security incidents, and thereby strengthen stability and confidence in the European financial system.
1. Reducing risk
By imposing strict cyber risk management requirements, DORA is helping financial institutions to better understand and manage their technological vulnerabilities. The result: reduced risk of cyber attacks and operational disruption.
2. Maintaining consumer confidence
DORA is helping to build consumer confidence in digital financial services by providing enhanced data protection and operational resilience. The result: because consumers know their data and transactions are secure, they are more inclined to use these services.
3. Harmonising the European regulatory landscape
Last but not least, DORA harmonises operational resilience requirements across the EU, creating a consistent regulatory framework for all financial institutions. As well as simplifying and standardising processes, this act aims to facilitate cross-border operations.
DORA therefore represents a major step forward in cybersecurity for the financial sector. Its recent entry into force is no accident, as it is a reaction to the exponential growth in the cyber threat, particularly in such a sensitive area. However, on the bright side, DORA is also an opportunity to build a stable and resilient financial ecosystem in which consumers can have confidence.