
The EU Digital Operational Resilience Act (DORA) Will Mean Significant Changes for Financial Institutions and ICT Providers

The European Commission's legislation aims to create EU-wide laws to ensure the operational resilience of the financial services industry. The legislative proposal builds on existing Information and Communications Technology (ICT) risk management requirements established by various EU institutions and combines recent EU initiatives into a single Regulation. DORA is expected to be approved in 2022 and enforced by 2023.

What does this mean for organizations?

The DORA proposal has been introduced as authorities around the world examine how they may improve the operational resilience of the financial sector and of the individual enterprises within it. It aims to establish a consistent approach across Europe, across regulators and within the financial services industry. In turn, this will also have an impact on Fintech-Bank collaboration.

This act would bring a wide range of Information and Communications Technology (ICT) enterprises that provide products and services to the finance industry under the regulatory authority of the EU. This could have a significant operational impact on many businesses within the technology industry.

These businesses would be overseen by one of the European Supervisory Authorities (ESAs), which would have the authority to request information, perform off-site and on-site inspections, issue recommendations and requests, and, in certain cases, impose fines.

Who is affected?

ICT companies based in the EU, or doing business with a financial entity within the EU.

Financial entities, and Information and Communications Technology (ICT) service providers such as:
  • Payment solutions providers
  • Data storage solutions providers
  • Cloud providers / SaaS / Outsourcers
  • Software providers
  • Collaborative tools providers
  • Fraud management providers
  • Information management systems/ CRM solutions providers
  • Critical ISV and systems integration providers
  • Penetration testing providers
  • Governance, Risk Management and Compliance (GRC) / Risk management providers


What is the impact?

Financial Entities:

  • Financial entities must examine their partners' and third-party suppliers' policies and practices to ensure that they fulfil the new criteria.
  • Financial entities are responsible for ensuring that the ICT suppliers they use have policies and processes in place to comply with the regulations.

Information and Communications Technology (ICT) Service Providers:

  • ICT providers must ensure that all policies and processes in place comply with the new regulations. These rules and practices must be auditable.
  • ICT providers will have to collaborate with the financial entities to which they supply products and services.
  • ICT providers will be liable for the processes and policies they implement, and will be subject to regulatory oversight.


DORA will have an impact on ALL financial entities in the EU, and on all ICT enterprises that supply products and services to those financial entities.


Whilst official regulation is still in draft form within Europe, regulators expect financial institutions to start focussing on operational resilience. Organizations cannot afford to wait for the regulatory process to be completed and should begin planning for effective implementation immediately.

Operational resilience is a well-established key strategic component in the financial services industry, as well as more broadly across the Information and Communications Technology (ICT) enterprises that provide services to financial services companies.

What are DORA’s Objectives?

The specific objectives of DORA are as follows:

  • Address ICT risks and strengthen digital resilience
  • Improve ICT incident reporting
  • Provide supervisors with access to ICT incident-related information
  • Ensure that preventive and resiliency measures are evaluated
  • Improve the process for testing results to be accepted across borders
  • Govern the monitoring of ICT third-party providers
  • Oversee key third-party ICT providers
  • Exchange threat intelligence

Start Preparing For DORA

Operational resilience is not optional for financial institutions and ICT service providers. Although DORA primarily affects the financial industry, these regulations, which are aimed at increasing cyber resilience, will have a significant impact on IT roles and tech companies. DORA explicitly states that financial entities must address “any reasonably identifiable" IT risks, including malicious events, that may impact enterprise networks.

Organizations that demonstrate they've taken adequate precautions to address known cyber threats will be more accessible to investors and clients seeking to protect their assets and data. It will give those companies an immediate competitive advantage over those who reject change.

Other countries outside of the EU should also consider this new regulation. Europe has been a regulation leader in many areas, such as data protection, privacy, and quality. Therefore, DORA could serve as a model for regulation in other regions of the world as digital operational resilience is scrutinized more.

Utimaco products provide compliant, flexible, and innovative cybersecurity solutions to organizations and critical infrastructures, delivering the reliability of an advanced and robust architecture in compliance with DORA's high operational resilience standards.

About the Author

Dawn Illing is a product development manager with over 25 years of product management experience in the banking, insurance and cyber security industries. By working internationally across EMEA, this has inspired her interest in cross-border digital identity and cyber security, including the interoperable requirements that necessitate successful delivery of digital product and market solutions.
