DORA: Strengthening the EU's Digital Resilience

The EU DORA Act stresses the importance of operational resilience for the continent’s digital future.

Words by George Ralph, originally published in Techsense magazine.

The EU published its Digital Operational Resilience Act, otherwise known as DORA in the summer of 2022. The act is a regulatory initiative that covers both cybersecurity and operational resilience within the financial services industry. It is a piece of legislation that will impact all financial market such as banks, management companies, investment firms, insurance companies, trading venues and crypto asset providers. The new legislation highlights a key shift in focus within the EU which requires that firms can both demonstrate financial resilience and maintain operational resilience should a severe incident occur such as a cyberattack or systems failure.

The term “digital transformation” has been rampant throughout the last two years and has been used to describe the new era for finance and the way companies will be operating in the future. Whilst this presents firms within the financial services industry with more opportunities for innovation, it also creates an environment of greater risk with regards to cybersecurity. In order to embrace this digital future, there are new compliance measures being introduced in the DORA act ensure that firms will be able to operate safely.

These new measures are reflective of the fact the DORA act was created due to the assumption by the EU that most financial services firms do not currently have the necessary level of capability to assess and analyze the quantitative impact of incidents. In order to change this, the DORA act will see a greater focus on digital operational resilience testing by introducing new requirements that firms will be expected to have implemented by Q4 2024. Within this tight timeframe, firms will be required to show that they are able to conduct appropriate resilience and security tests on their “critical ICT systems and applications” on an annual basis. As a result of this, they will also need to be able to “fully address” any vulnerabilities that are identified within their stress testing. This will be expected to be carried out alongside the DORA business impact analysis requirement, which could see firms subject to a significant level of supervisory scrutiny and a need to demonstrate greater accurate testing and scenario analysis capabilities.

In order to move forward under the guidance of the DORA act, George Ralph, Global Managing Director at RFA outlines what firms operating in Luxembourg can do to ensure they are adhering to regulatory requirements and the law:

“Firms should start by setting a framework for the next two years. They must take a holistic view of policies and procedures in order to identify any shortfalls and understand where improvements can and should be made. This will help them prepare for worse case scenarios whilst understand where they can be continuously looking to maintain operational resilience. It goes without saying that firms should be investing in their cyber defense, monitoring and reporting systems. This can work best with an outsourced provider who can provide firms with specialist support. This strategy can be beneficial as it removes the financial and time burden that can be placed on in house security teams. An outsourced provider can also provide support as a company’s business scales without an additional work burden on their internal team. Companies should be implementing stress testing regularly to look for vulnerabilities in their network. Mitigating cyber risk is much more effective than managing a cyberattack. Embracing the legal requirements set out in the DORA act will be vital for firms operating across Europe in the next 24 months. It will be vital to a company’s survival in finance’s increasingly digital future.”