Faced with the profound digital transformation of financial services, the growing interconnection of networks and critical infrastructures, and the increasing number of sophisticated cyberattacks, the European Union has adopted an innovative regulatory framework: the DORA regulation and its associated directive. Entering into force on January 16, 2023, following their adoption in November 2022, these texts aim to enhance the digital operational resilience of financial entities.
A New Regulatory Framework for Digital Finance
Aligned with the European Commission’s digital finance strategy, the DORA initiative aims to foster innovation and the adoption of new technologies while ensuring financial stability and consumer protection.
This new framework consists of two major legislative acts:
- Regulation (EU) 2022/2554, known as the DORA regulation, which establishes uniform requirements for managing information and communication technology (ICT) risks and ensuring the security of networks and information systems across the EU.
- Directive (EU) 2022/2556, which amends existing directives (CRD IV, PSD2, BRRD, Solvency II, IORP II, MiFID II, AIFM, etc.) to align them with the new provisions introduced by the DORA regulation.
For the first time, the DORA regulation provides a unique, detailed, and comprehensive legislative framework on digital operational resilience for financial entities within the EU. It also introduces a mechanism for direct oversight of critical ICT service providers at the European level.
Who Is Affected by DORA?
The DORA regulation applies to a wide range of actors in the financial sector, including:
- Financial institutions: banks, investment firms, payment institutions, electronic money institutions, asset management companies, insurance and reinsurance companies, insurance intermediaries, etc.
- ICT service providers operating in the financial services sector within the European Union.
Implementation Timeline
The DORA regulation will be directly applicable in all EU Member States starting January 17, 2025. Until then, the European Commission will publish delegated acts based on the regulatory and implementing technical standards (RTS and ITS) jointly proposed by European supervisory authorities (EBA, EIOPA, ESMA). These texts will specify certain requirements of the DORA regulation and constitute the second level of this new regulatory framework.
Directive (EU) 2022/2556 must be transposed by Member States before January 17, 2025.
It is therefore essential for financial entities and ICT service providers to prepare now by analyzing these new requirements and assessing their operational and strategic impacts.
From Risk Management to Digital Operational Resilience
The concept of digital operational resilience emphasizes a proactive approach to managing operational risks. Instead of focusing solely on risk prevention and loss mitigation, it assumes that incidents—even unlikely ones—will inevitably occur. Organizations must be prepared to handle them while maintaining the continuity of their critical activities and services.
This approach requires a deep understanding of the company’s internal operations and ecosystem to identify risks and threats, as well as to assess acceptable disruption levels from both organizational and client perspectives. By enhancing agility and responsiveness, companies can improve customer trust and loyalty.
Thus, the DORA regulation should not be seen as an additional constraint but as an opportunity for financial entities to differentiate themselves in the market by strengthening their operational resilience against IT, cyber, business continuity, and third-party risks.
The Five Pillars of Digital Operational Resilience
The DORA regulation identifies five essential pillars that financial institutions must implement to manage their digital operational resilience:
- ICT Risk Management: Develop a robust framework for managing risks associated with information and communication technologies.
- ICT Incident and Cyber Threat Reporting: Implement effective processes to detect, manage, and report cyber incidents and threats.
- Digital Operational Resilience Testing: Regularly conduct tests to evaluate and improve the organization’s ability to withstand disruptions.
- Management of ICT Third-Party Risks: Assess and manage risks associated with external ICT service providers.
- Cybersecurity Information Sharing: Collaborate with other stakeholders to exchange information on threats and best practices in cybersecurity.
How to Facilitate and Accelerate DORA Compliance?
Transform your diagnostic process with Smart Global Governance and its Auto-Eval solution. By leveraging the power of artificial intelligence, Auto-Eval automatically completes your assessment grids using your company’s internal documents. Say goodbye to tedious back-and-forth exchanges between various departments and collaborators!
Additionally, Smart Global Governance offers advanced modules for third-party assessment and optimized reporting through natively integrated Business Intelligence tools. Simplify your processes, save valuable time, and make informed decisions with an all-in-one solution.