Cyber resilience for the European financial market

Competitiveness and innovation for the EU financial sector

The Digital Operational Resilience Act, or DORA for short, provides for the introduction of a comprehensive legal framework at EU level. The current draft of the planned EU regulation “on the operational resilience of digital systems in the financial sector” contains requirements relating to ICT risk management, the classification and reporting of ICT incidents, resilience tests for ICT-related incidents, contractual agreements between third-party service providers and financial companies, regulation of critical IT service providers under direct EU supervision and rules for the corresponding exchange of information.

The proposed Digital Operational Resilience Act (DORA) is part of the package of measures for the digitalization of the financial sector (Digital Finance Package), which the European Commission presented in September 2020. With this package, the Commission wants to promote the competitiveness and innovation of the EU financial sector. The DORA draft was provisionally approved by the Commission in July 2022 and is due to be adopted by the European Parliament this November.

The aim of the legislation is to harmonize existing EU and member state requirements as well as European Central Bank (ECB) guidelines.

From banks to insurance brokers - DORA affects all market participants in the EU

DORA applies to all financial companies regulated at EU level. The draft mentions trading venues, credit, payment and crypto institutions, investment and management companies, pension funds, insurers and reinsurers, as well as rating agencies and audit firms by name. However, the EU Commission explicitly points out that the requirements of DORA should be implemented in accordance with the principle of proportionality, i.e. taking into account systemic relevance, business model and risk profile. This means that smaller financial companies, for example, will have to take less extensive measures to report incidents and carry out resilience tests.

Risk management, mandatory reporting and resilience tests: the focal points of DORA

IT Risk Management

Companies must identify, classify and document IT risks that pose a threat to business processes. This also applies in particular to system areas that are networked with internal and external IT systems. In addition, all necessary guidelines, procedures and technologies must be implemented to ensure continuous monitoring and control of IT systems and to detect anomalous activities and potential vulnerabilities.

Companies are obliged to carry out a business impact analysis (BIA) and draw up appropriate emergency planning to maintain and restore business operations, namely for the areas of incident response, business continuity and disaster recovery.

Reporting on IT incidents

Financial companies must set up and apply a specific incident management process to identify, track, log, categorize and classify IT incidents. The classification of ICT incidents must be based on a set of criteria to be further developed by the Joint Committee of the ESAs. Companies are obliged to report serious IT incidents to the competent authority within prescribed deadlines.

Implementation of resilience tests

DORA requires companies to implement a robust and comprehensive digital business resilience program that encompasses the organization, processes and IT systems. The specified periodicity and the exact scope are currently still being agreed by the committees. Annual tests or tests every three years and possibly “advanced tests” for certain market participants are under discussion.

Management of third-party risks

Financial companies must manage the risk arising from third-party IT providers in line with the risks defined in their risk management. This relates in particular to responsibilities and liability, but also to a risk analysis before the engagement begins, a periodic review of the risks during the performance period and a corresponding exit strategy.

Exchange of information on cyber threats

DORA is intended to create a framework in which financial companies can exchange information and knowledge about cyber threats with the aim of strengthening digital resilience. This includes, in particular, vulnerability and threat indicators as well as Tactics, Techniques and Procedures (TTPs).

Conclusion

DORA will affect practically all European financial market participants. DORA is expected to come into force in the member states from 2023. While the thrust of DORA is clear, many important details are still being negotiated by EU legislators. What is foreseeable is that the requirements will remain within the framework of already established standards. This means that companies that have already implemented the relevant standards in the areas of cyber risk management, cyber resilience and business continuity are likely to have fewer problems with DORA. However, we recommend that market participants, as well as service providers for such market participants, identify the potential impact of DORA in a timely manner and plan accordingly.

How can Pragmatica provide support?

Thanks to our experts with many years of experience in implementing governance, risk and compliance requirements, we are able to support and relieve your organization in the following activities:

  1. DORA impact analyses
  2. Implementation of measures and governance frameworks
  3. Digital operational resilience testing
  4. Support in meeting regional requirements
  5. Support for cloud transformations for financial service providers