The EU DORA Act sets the scene to guide financial services firms into a digital future

George Ralph, Global Managing Director at RFA examines the introduction of this new legislation, and what regulatory requirements firms operating in Luxembourg will face moving forward

At the end of July 2022, the EU’s Digital Operational Resilience Act, otherwise known as DORA, was published. The act is representative of the EU’s regulatory initiative that covers both cybersecurity and operational resilience within the financial services industry. All financial market participants will be impacted by the introduction of this new legislation. This includes banks, management companies, investment firms,  insurance companies, trading venues and crypto asset providers.

With the implementation of DORA, the European Union is striving to create a competitive financial services market that ensures financial stability and that consumers have access to innovative financial products whilst simultaneously being protected when it comes to their money. Due to the pandemic, financial services providers have become increasingly more dependent on the role of digital when it comes to operating their systems and staff have migrated to hybrid working conditions. Changes in legislation and regulation have been necessary in order to protect both employees and consumers.

The DORA act follows various European regulators introducing regulatory initiatives, including the ECB (European Central Bank) and combines them all into one unified regulation. A key part of a firm’s implementation of DORA will include ICT risk management requirements. The legislation expects the financial firm’s management body to assume “full and ultimate accountability” for all management of ICT risks; for establishing and approving its digital operational resilience strategy and to be accountable for all policies in relation to ICT Third Party Providers (TPPs). Should firms not adhere to these requirements and breach any regulatory obligations, competent authorities have the right to apply administrative penalties under the DORA act.

The new legislation highlights a key shift in focus within the EU, defined by ensuring that not only can firms demonstrate financial resilience, but also maintain operational resilience should a severe incident occur such as a cyberattack or systems failure. The DORA act will see a greater focus on digital operational resilience testing by introducing new requirements. Firms will be required to show that they are able to conduct appropriate resilience and security tests on their “critical ICT systems and applications” on an annual basis. As a result of this, they will also need to be able to “fully address” any vulnerabilities that are identified within their stress testing. This will be expected to be carried out alongside the DORA business impact analysis requirement, which could see firms subject to a significant level of supervisory scrutiny and a need to demonstrate greater accurate testing and scenario analysis capabilities.

In addition to these measures, existing ICT incident classification and reporting have been further developed. The DORA act includes a consolidation of existing requirements that have been enhanced to help propel financial services firms into a digital future. This will be achieved by streamlining several existing EU incident reporting obligations into a single reporting framework. This decision means that there will be a new substantial new classification, notification and reporting frameworks that firms will have to adhere to. The act of streamlining this process will push firms to improve their overall capability to collect, analyse, escalate, and disseminate any information related to ICT incidents and cyberthreats. A critical reason behind the DORA act’s creation was due to the assumption by the EU that most financial services firms do not currently have the necessary level of capability to assess and analyse the quantitative impact of incidents. This will be set to change under DORA. It is worth noting that the final text within the list of events that firms must classify includes “significant cyber threats”. This addition reflects the developments of the cybersecurity landscape and it will be necessary for firms to record all significant cyber threats. This will most certainly require a greater demand within incident management teams to monitor, respond to and resolve any cyber incidents.

We are living through the era of digital transformation and whilst this presents firms within the financial services industry with more opportunities for innovation, it also creates an environment of greater risk with regards to cybersecurity. In order to embrace this digital future, the new compliance measures introduced by the DORA act ensure that firms will be able to operate safely. These measures are expected to come into force during Q1 2023, leaving very little time for firms to prepare for the regulation.

With the introduction of the DORA act, financial services firms have a tight timeframe of 24 months to implement the required changes to ensure they are fully compliant with the act issued by European Supervisory Authorities (ESAs). The DORA act should be seen as an opportunity for firms to use the legislation as a catalyst for managing risks which is a benefit to their operational resilience. Firms operating in the financial services should begin to start building a roadmap to help them achieve an “operational resilience framework by Q4 2024, which is coherent with expecations lined out in DORA’s new requirements”. 

In order to move forward under the guidance of the DORA act, firms should consider the following points:

• Set a framework for the next two years. Take a holistic view of policies and procedures in order to identify any shortfalls and understand where improvements can and should be made.
• Invest in cyber defence, monitoring and reporting systems. This can work best with an outsourced provider such as RFA who can provide your firm with specialist support. It also removes the financial and time burden that can be placed on in house security teams. An outsourced provider can also provide support as your business scales without an additional work burden on your internal team
• Work with your third party provider to implement stress testing regularly to look for vulnerabilities in your network; mitigating cyber risk is much more effective than managing a cyber attack. Your outsourced partner can also train your team regularly to help keep cyber security front of mind.