DORA Incoming: Why The EU’s New Rules Will Be A Gamechanger

November 30, 2022
The Digital Operational Resilience Act (DORA) has made its way through the EU’s political institutions. VIXIO speaks to industry experts to explain why companies will need to get ready for an overhaul of their ICT policies.

DORA has been in the making for some time. Much like a lot of the European Commission’s work, it focuses on digitisation and how best to manage the risks that come with it.

The regulation seeks to address vulnerabilities in the financial sector related to ICT and was unveiled as part of the commission’s digital finance strategy.

“The EU's DORA regulation will have wide-ranging impacts on how European financial services firms assess and monitor cyber risk, particularly for third parties that they share data with,” said Ronan Lavelle, chief executive of security company Validato.

As with other recent regulations, such as the Digital Markets Act, the Digital Services Act and the Markets in Crypto Assets regulation (the latter being proposed at the same time as DORA), it particularly appears to be targeting large international entities. This has been an increasingly geopolitical issue for the EU and elsewhere too.

"ICT risks are expanding tremendously and operational resilience has become a major topic,” said Alexandre Vandeput, principal consultant at Capco, noting how it correlates with other EU initiatives.

“The market is going to have to comply with NIS2 as well as regulations like the Data Governance Act and the Data Act.”

Alongside DORA, the 27 member states will need to have a national strategy to enhance the resilience of critical entities, carry out a risk assessment at least every four years and identify the critical entities that provide essential services. Those obligations sit in the Critical Entities Resilience Directive, part of the same legislative package, rather than in DORA itself.

Meanwhile, these critical entities are required to identify the relevant risks that may significantly disrupt the provision of essential services, to take appropriate measures to ensure their resilience, and to notify disruptive incidents to the national competent authorities.

"The pain will be felt differently, but will be all around,” said Michael Huertas, head of financial institutions regulatory Europe, at PwC. “The pain will be felt on the resource side, as they do not have as much flexibility as they thought to dictate terms.”

In major areas DORA will apply to only a handful of firms offering these services, he noted.

Meanwhile, financial services, small and large, will be at different levels of maturity in terms of how they approach this. DORA catches a wide range in its net. Large banks will be in scope, but so will payment services, electronic money firms and crypto service providers.

“Large institutions may not be as agile as smaller firms but smaller firms won't have expertise and will be competing with others to do contractual work,” Huertas said.

What does it mean for payments firms?

The final consolidated text does more than touch upon requirements for payments service providers (PSPs). For example, with the introduction of DORA, ICT rules in the Payment Services Directive are also amended to align.

Furthermore, to reduce the administrative burden and avoid complexity and duplicative reporting requirements, the incident reporting rules in PSD2 will cease to apply. This will allow financial entities regulated under that directive and subject to DORA to benefit from a single and fully harmonised incident reporting mechanism with regard to all operational and security incidents, whether payments related or not.

Changes are coming

"Financial institutions will need to now make some changes internally to ensure that they can withstand disruption, and have a sufficient response to risks such as security incidents,” said Luke Scanlon, head of financial institutions at Pinsent Masons.

Financial institutions will now need to test resilience in their systems, and map people and processes, as well as considering issues such as back-ups and business continuity, he noted.

"When it comes to third parties, firms need to be thinking about what the risk is and how they write up contracts.”

For Huertas, this is the biggest challenge. “Everyone who is involved is going to have to renegotiate their agreements with major IT providers.”

“The market completely underestimates how long it takes to deal with safeguarding what DORA requires and what it means to grapple with issues such as concentration risks,” he said.

Implementing this regulation will be an uphill struggle, the Frankfurt-based lawyer said. “Certain legal teams at IT firms are going to be flooded with work, but are also going to need to consider that they will be audited by the regulator for the first time."

"This is a massive change and we have been warning clients about it for some time, advising that firms carry out document reviews, inventory checks, work with their cloud providers and go through various committees so they can front load the work,” noted Huertas.

He continued to caution that, so far, it has seemed like most people think that these contracts are not too interesting. “But, if you start to think about what is behind it in granular detail, there is a lot more work than just amending two or three sentences or adding a new schedule.”

On the other hand, Vandeput noted that the testing component of the regulation will be challenging for firms to deal with.

DORA requires financial entities identified by their competent authorities to perform so-called Threat-Led Penetration Testing (TLPT) at least every three years. This is based on TIBER-EU, the framework developed by the European Central Bank to test cyber resilience by simulating the tactics of real threat actors.

It is hoped that by simulating attacks that could have been performed by actual bad actors, it will deliver evidence-based results that can be used to justify targeted investments and improvements in entities’ cyber capabilities.

"The testing component of DORA will be one of the most impactful elements that the market is going to have to grapple with,” he said.

For example, the big four insurance companies in Belgium are already improving their testing capabilities. According to Vandeput: “This has to be end-to-end and live. To set up those kinds of testing models will require lots of effort."

Like Huertas, Vandeput warned that dealing with DORA will not be easy sailing.

“This could take years for financial institutions to put into practice,” he said. “They need to work out what their most critical assets are. Banks will need to do a thorough, ground-up business analysis which will be difficult and involve various silos."

Once published in the EU’s Official Journal, the regulation enters into force and applies 24 months later, the window in which financial entities and their ICT providers must be ready to comply.
