By: Joseph Philipose, Managed Services Leader, iGCB, Intellect Design Arena Ltd.
Digital Operational Resilience Act (DORA) for the financial sector is a regulatory requirement that sets out minimum standards for financial firms to ensure the availability, integrity and resilience of their critical services and systems. This act would establish a regulatory framework for digital service providers to ensure their systems and services are secure, reliable and can continue to function during a crisis.
The purpose of DORA is to protect national security, public safety and the economy by improving the resilience of critical digital infrastructure against cyber threats. The act would create a new regulator with powers to enforce compliance and impose penalties for non-compliance, and would require service providers to implement cyber security standards, have robust incident management plans, assess and manage supply chain risks, and share information about cyber threats and incidents.
This is a recently introduced legislative initiative on cyber security in the European Union, specifically targeting the financial sector. From my understanding of the requirements, it is designed to complement current horizontal cyber security regulations, such as the Network and Information Security Directive (NISD) and the widely recognized General Data Protection Regulation (GDPR).
DORA vs GDPR
The General Data Protection Regulation (GDPR) is a set of rules governing the protection and privacy of personal data for individuals in the EU and the U.K. These regulations apply to the processing of personal data across all sectors.
While both DORA and GDPR aim to ensure the protection and security of data, they serve different purposes and have different scopes. DORA focuses on ensuring the resilience of financial services, while GDPR focuses on protecting personal data and privacy rights.
The European Union is actively responding to the increasing risk of cyber attacks by implementing measures to strengthen the IT security of financial institutions, including banks, insurance companies, and investment firms. One such measure is the Digital Operational Resilience Act (DORA), which seeks to ensure that the financial sector in Europe can maintain its resilience in the face of a significant operational disruption.
DORA encompasses critical third-party providers of Information and Communication Technologies (ICT) services, including cloud platforms, data analytics, and audit services, which are utilized by financial entities. These service providers are also subject to the regulations outlined in this new legislation. It establishes a regulatory framework for digital operational resilience, requiring all firms to ensure they have the ability to withstand, respond to, and recover from all forms of ICT-related disruptions and threats.
The Digital Operational Resilience Act (DORA) provides a comprehensive digital resiliency framework that covers multiple domains.
1. ICT Risk Management Framework: Cyber security standards that service providers would be required to implement appropriate cyber security measures to protect their systems and services from cyber threats. To establish and maintain robust ICT systems and tools that mitigate the impact of ICT risks.
2. ICT Incident Management, Classification & Reporting: Service providers would be required to have robust incident management plans in place to respond to and recover from cyber incidents.
3. Digital Operational Resilience Testing: Any deficiencies or gaps must be identified and addressed promptly, in accordance with their severity, by either swiftly eliminating them or implementing suitable counteractive measures.
4. Third-Party Provider Risk Management: Service providers would be required to assess and manage risks posed by their suppliers, including third-party providers.
5. Information Sharing: Financial entities are encouraged to share information about cyber threats and incidents to improve the overall security and resilience of the digital infrastructure.
These pillars aim to ensure that critical digital infrastructure is secure, resilient and can continue to function during a crisis.
On December 27, 2022, the Official Journal of the European Union published the definitive text of the Digital Operational Resilience Act (DORA) as Regulation (EU) 2022/2554.
This timeline was captured from an article published by Deloitte.
This timeline was captured from an article published by White & Case LLP.
© 2022 White & Case LLP