TALKING BUSINESS
The European Union's (EU's) Digital Operational Resilience Act (DORA) entered into force on January 16, 2023, and has applied since January 17, 2025. The legislation, which requires financial institutions to strengthen their IT security and operational resilience, has forced businesses to adopt stringent new protocols or face serious penalties. Now that the transition period has drawn to a close, organisations need to remain vigilant and ensure that they and their partners are fully compliant.
As set out in the initial mandates, there are five core pillars to DORA:
• ICT risk management – Financial institutions need to understand internal and external threats, evaluate their impact and develop appropriate strategies to mitigate them
• Incident reporting – Organisations must be transparent about ICT-related incidents and have robust systems to detect, report and analyse all incidents
• Digital operational resilience testing – Organisations must conduct a range of assessments and tests to demonstrate compliance and safety at all times
• Third-party risk management – Financial institutions have a responsibility to conduct due diligence on, and continuously monitor, the risk posed by their third-party providers
• Information sharing – This includes establishing a framework for sharing threat intelligence and ensuring this is done confidentially and in compliance with current data protection laws
DORA was designed to accomplish two main things. Firstly, to address ICT (information and communications technology) risk management in the financial services sector, so as to prevent or reduce the harm caused by cyberattacks, data leaks and outages. Secondly, to harmonise the risk management regulations that already exist in individual EU member states.
Initially, organisations were concerned about the scope of the DORA mandates. According to a report by McKinsey, enterprises felt there was little clarity on key items and terms: for example, the definition of 'critical or important functions', and which companies would be designated as critical third-party (CTP) providers.
There was also concern over the timeline, especially given the complexity of some of the regulatory requirements. Several of them, such as updating all relevant third-party contracts, required significant lead time for implementation, and contract lifecycle management tools proved invaluable here. The uncertainty over scoping also led organisations to increase their budget allocations in order to meet the DORA obligations on time.
There were also reactions from industry bodies and membership organisations. For example, the Futures Industry Association (FIA) responded to the European Supervisory Authorities' (ESAs) consultations on DORA's policy products in September 2023. The FIA raised concerns about the classification of ICT-related incidents and about the way proportionality had been incorporated into the Regulatory Technical Standards (RTS).
Lastly, there are the penalties themselves. Businesses designated as critical third parties could face fines of up to €5,000,000, while financial institutions that are not compliant could be fined up to 2% of their annual worldwide turnover. Individuals can be fined up to €1,000,000.
Jason Smith, Senior Principal, Strategy & Transformation, Conga
As a first step, financial institutions must ensure that they understand the regulations and how they apply to them and their partners, particularly as they enter into new partnerships in the future.
www.intelligentcio.com INTELLIGENTCIO EUROPE