On 27 December 2022, the Digital Operational Resilience Act for the financial sector (DORA) was published in the Official Journal of the European Union (EU). This means the timeline is now clear for when financial entities need to have implemented DORA: organisations should be done implementing by 17 January 2025.
The main objective of the regulation is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk of depending on ICT-related services that are increasingly vulnerable to disruptions and cyberattacks.
To counter this, DORA addresses four topics aimed at enhancing the resilience of financial entities. These are: ICT risk management, cyber incident reporting, digital operational resilience testing and ICT third-party risk management.
Although DORA is novel in being the first legislation at the European level to address digital operational resilience for financial services, the regulation is one piece of a bigger puzzle put together by the EU. DORA is part of the ‘A Europe fit for the Digital Age’ strategy, which includes over 14 regulatory initiatives aimed at shaping Europe's digital future over the next decade. Alongside DORA, regulations such as the Artificial Intelligence Act (AI Act), the Digital Services Act (DSA), the Data Act and many others will transform the digital regulatory landscape in Europe.
In this wave of upcoming regulation, we think it is key to recognize common themes within the regulations and leverage existing compliance practices to build an effective approach for tackling this regulatory package as a whole.
We identified five common themes that return throughout the upcoming digital regulations and also point back at legislation already in place, such as the General Data Protection Regulation (GDPR). In our opinion, understanding these common themes is key to being able to implement DORA and the rest of the European digital regulatory package in an efficient manner. Let’s explore these themes and see how it all fits together.
Many new regulations introduce similar requirements to notify the government or supervisory authorities in case of an incident, data breach or other event. DORA is no exception: according to the regulation, financial entities will have to report major ICT-related incidents to competent authorities within a specific timeframe. The reporting obligations do not stop there, as organizations will also have to report the major ICT-related incident to affected users and clients without undue delay.
Sounds familiar? That’s correct: this strongly resembles the breach notification requirements for personal data breaches found in the GDPR. And when you dive into the other upcoming digital regulations, you will find it is a recurring theme.
Another recurring theme is the obligation to record and keep documentation, archives and records for logging information and activities. In the case of DORA, financial entities are required to record all significant cyber threats, which will require a more mature incident management capability to monitor, handle and resolve cyber incidents. This includes documenting and archiving the processes dependent on ICT third-party service providers and keeping a register of information on all contractual arrangements.
Again, these requirements are very similar to existing legislation such as the GDPR (which requires keeping a register of processing activities). The same can be found in other digital regulation initiatives: look for instance at the proposed AI Act, which essentially requires you to know where in your organization algorithms are in use.
New laws raise the bar on how organizations collaborate with third parties and to what extent they remain responsible. This includes accountability regarding the additional control over vendors, business partners or other third parties such as software/cloud providers. In order to be compliant with DORA, financial entities are responsible for drafting contracts that govern the relationship with third parties with a required minimum set of information. Moreover, entities should have a clear ICT third-party risk management strategy in place.
Third-party management obligations can also be found throughout current and upcoming digital regulations. Have a look at the MiCA regulation: it requires crypto-asset service providers to maintain contractual arrangements with third-party entities that clearly set out their roles, responsibilities, rights and obligations. Notice how similar this is to the controller-processor arrangements you already maintain with your vendors because of the GDPR, and you can see how managing the requirements of all the acts together makes for more efficient operations.
Obligations relating to governance structures and organizational measures that ensure effective risk management and regulatory compliance are a common theme across multiple digital regulations. When analysing the requirements of DORA, we observe that financial entities are required to have an internal governance and control framework that ensures effective management of ICT risks. This framework shall be documented and reviewed at least once a year, or in case of major ICT-related incidents, following supervisory instructions. The management framework should also be audited on a regular basis by ICT auditors.
Here too we can find overlap. See for instance the AI Act, which introduces a mandatory management and governance system for ensuring a high quality of training, validation and testing data.
Obligations for conformity and risk assessments in the digital domain have become common. DORA stipulates that financial entities are required to conduct ICT risk assessments on legacy ICT systems on a regular basis. In addition, concentration risk assessments of all outsourcing contracts that support the delivery of critical or important functions will be mandatory.
Just like the Data Protection Impact Assessment established by the GDPR (which is essentially a risk assessment) and the risk assessments defined for AI systems, you can expect mandatory assessments that you will have to perform and document to remain a recurring pattern throughout the digital regulations.
DORA is expected to have a significant impact on the financial sector, and the new requirements can come across as overwhelming. And it doesn’t stop there: most likely, next to DORA, your organization will be subject to other digital regulations that the ‘A Europe fit for the Digital Age’ strategy introduces. All of these new rules will need to be implemented, which can take a lot of effort and resources and, when not managed carefully, put a heavy burden on your organization.
So what you are looking for is efficiency in implementation: not only when implementing DORA, but when implementing the whole digital regulations package. We believe that the key to efficient implementation lies in the common themes. For instance, being able to re-use your personal data breach notification procedure from the GDPR for other breach notification obligations saves you time and effort in implementing that part of DORA, and of other new legislation that also requires notification. Likewise, combining all contract and third-party management for all new and existing rules that require it (DORA, AI Act, GDPR, etc.) makes implementation more efficient.
The five themes explored above are one of your starting points for this. A second action to take now is to perform a company-wide analysis of which digital regulations created under ‘A Europe fit for the Digital Age’ your organization will be subject to. Thirdly, it is also time to establish coordination of the implementation efforts for all of these identified digital regulations, to make optimal use of the similarities between current and future legislation.
If you would like to know more about what we can expect from DORA and what actions you can already take, read our DORA blog here.