Rob Dartnall, CEO and director of intelligence for SecAlliance, describes the scope and remit of the upcoming Digital Operational Resilience Act (DORA) on the financial sector
DORA came into force in January 2023, and will apply from January 2025. But DORA is not completely new. It combines a lot of existing regulations, guidelines, and common practices. But all those cyber resilience guidelines and regulations were scattered among many different pieces of law, pieces of regulation and supervisory practices.
DORA brings the pieces together, reducing complexity and confusion. That’s a big step forward. It makes it much clearer exactly what is expected from the financial sector.
What does DORA cover?
DORA effectively covers everything of importance to cyber resilience in the whole financial sector.
All areas of financial sector supervision are covered by DORA, not just the banks. This is why it is key, not because the content is new. There are some new elements, as well as simplifying the landscape.
The purpose of DORA, simply put, is to improve the resilience of both individual entities and the sector as a whole, to bolster financial stability. It’s also about protecting deposits and in that respect, it’s a classic piece of supervision legislation.
DORA recognises the systemic and economic importance of individual financial entities – in that if a big bank, for example, was hit by a cyberattack, that could affect the functioning of a national economy.
It also addresses supervision of critical third-party service providers, such as Amazon and Google. Today, more and more financial entities rely on cloud service providers, especially the larger ones. When it comes to the Googles and Amazons of this world, they are becoming so important to resilience that they deserve dedicated supervision for the services they offer to the financial sector.
Why the two year wait to apply DORA?
Any new piece of EU legislation will commonly take two years to implement – the market needs time to prepare.
DORA is a Level One piece of legislation. Level Two legislation is the regulatory technical standards or the implementation standards, the expectations as drafted by the regulators, the European Banking Authority, European Securities Markets Authority and the European Pension Authority. These are currently being drafted. The two-year period is needed because once a piece of legislation is approved, the regulators have to become more specific, by drafting the regulatory technical standards.
The first set of these was published in January 2024, the next set halfway through 2024.
How will DORA sit compared to other regions?
DORA is about homogenisation across the EU, but it is possible that could cause complications internationally.
There is a risk of divergence between UK legislation and EU legislation, but DORA brings together a lot of requirements that are already out there in the markets in different ways. Many of these are simply what you should do as a financial entity to be cyber resilient.
Take what is currently in place in the UK, for example, which is enforced by the PRA, the Prudential Regulation Authority. There’s already a lot in place. And every financial entity in the UK which is also active in the European Union has to comply with European law, so DORA will mean they have to see where they have to tweak their systems and structures.
How will DORA impact cyber security controls?
The first thing DORA addresses is ICT risk management. It expects an organisation’s executive board to take full responsibility for cyber strategy – and that means fully understanding what the risks are.
DORA is also designed to help financial sector companies avoid single points of failure – such as relying on a single service provider. DORA is a push rather than a shake-up of the sector, but it is likely to trigger debate among larger players about whether they can do it all themselves, or outsource DORA compliance to an expert.
Certainly, smaller financial entities with fewer resources and staff will think more about outsourcing of the back office, for example, but that means relying on third party service providers to have all the security controls and everything else that’s required already in place.
Is DORA about compliance?
It’s not black and white. DORA is more about setting a clear path of classic supervision and ticking the boxes.
There will be financial entities that do not have good answers for the supervisors, which will be deemed not compliant. They will have to show a remediation plan on how they intend to improve and address their non-compliant areas.
The cyber threat and the landscape are evolving so fast that organisations have to look forward. They have to anticipate what can be done in the future, and test themselves. Yes, things will go wrong, but we can ask what was learned when they went wrong, and what can be done to prevent it in the future.