DORA: Impact on Financial Institutions and ICT Providers

The European Commission's legislation aims to create EU-wide laws to ensure the operational resilience of the financial services industry.

The legislative proposal builds on existing Information and Communications Technology (ICT) risk management requirements established by various EU institutions and combines recent EU initiatives into a single Regulation. DORA entered into force on 16th January 2023 and will apply as of 17th January 2025.

DORA Regulation: What does this mean for organizations?

The DORA proposal was introduced as authorities around the world examined how they could improve the operational resilience of the financial sector and individual enterprises within it. The aim was to establish a consistent approach across Europe, across regulators, as well as within the financial services industry. In turn, this also has an impact on the Fintech-Bank collaboration.

This act subjects a wide range of Information and Communications Technology (ICT) enterprises that provide products and services to the finance industry under the regulatory authority of the EU. Its wide-ranging requirements have a significant operational impact on many businesses within the technology industry.

These businesses will be overseen by one of the European Supervisory Authorities (ESAs), who would have the authority to request information, perform off-site and on-site inspections, provide recommendations and requests, and, in certain cases, issue fines.

Who is affected by DORA regulation?

ICT Companies based in the EU or do business with a financial entity within the EU.

Financial Entities	Information and Communications Technology (ICT) Service Providers
Banks/Payments and eMoney providers, including information service providers, crypto-assets & crowdfund Insurance & Reinsurance providers Investment companies & Investment funds Capital markets entities Credit institutions & Credit rating agencies Brokers/Central Securities Depositories (CSDs)/Central Clearing Counterparties (CCPs)	Payment solutions providers Data storage solutions providers Cloud providers / SaaS / Outsourcers Software providers Collaborative tools providers Fraud management providers Information management systems/ CRM solutions providers Critical ISV and systems integration providers Penetration testing providers Governance, Risk Management and Compliance (GRC) / Risk management providers

What is the impact?

Financial Entities

Information and Communications Technology (ICT) Service Providers

Financial entities must examine their partners' and third-party suppliers' policies and practices to ensure that they fulfill the new criteria.

Financial entities are responsible for ensuring that the ICT suppliers that they use have policies and processes in place to comply with the regulations.

ICTs must ensure that all policies and processes in place comply with the new regulations. Auditability is required for these rules and practices.

ICT providers will have to collaborate with financial entities to which they supply products and services.

ICT’s will be liable for the processes and policies they implement, as well as regulatory oversight.

DORA will have an impact on ALL financial entities and ICT enterprises in the EU that supply products and services to financial entities.

Organizations now need to plan for effective implementation in order to meet the deadline of 17th January 2025, when the DORA Act comes into force.

DORA's objective is to fortify the IT security of financial entities, encompassing banks, insurance companies, and investment firms. The goal is to ensure that the European financial sector maintains robust resilience in the face of significant operational disruptions.

Operational resilience is a well-established key strategic component in the financial services industry, as well as more broadly across information communications, and technology enterprises that provide services to financial services companies.

What are DORA’s Objectives?

The specific objectives of DORA are as follows:

Address ICT risks and strengthen digital resilience
Improve ICT incident reporting
Provide supervisors with access to ICT incident-related information
Ensure that preventive and resiliency measures are evaluated
Improve the process for testing results to be accepted across borders
Govern the monitoring of ICT third-party providers
Oversee key third-party ICT providers
Exchange threat intelligence.

Prepare For DORA

Operational resilience is not an option for financial institutions and ICT service providers. Although DORA primarily affects the financial industry, these regulations which are aimed at increasing cyber resilience, have significant impact on IT roles and tech companies. DORA explicitly states that financial entities must address “any reasonably identifiable" IT risks, including malicious events, that may impact enterprise networks.

Organizations that demonstrate they've taken adequate precautions to address known cyber threats will be more accessible to investors and clients seeking to protect their assets and data. It gives those companies an immediate competitive advantage over those who delay change.

Other countries outside of the EU also need to consider this new regulation. Europe has been a regulation leader in many areas, such as data protection, privacy, and quality. Therefore, DORA also serves as a model for regulation in other regions of the world as digital operational resilience is scrutinized more.

Utimaco products provide compliant, flexible, and innovative cybersecurity solutions to organizations and critical infrastructures, delivering the reliability of an advanced and robust architecture in compliance with DORA's high operational resilience standards.

Take Strategic Action. Explore Utimaco's Critical Event Management solution for safeguarding both individuals and valuable business assets.