Securing financial futures: Decoding the DORA in EU financial regulation
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
January 9, 2024
The European Union has taken a significant leap forward with the implementation of the Digital Operational Resilience Act (DORA), as outlined in Regulation (EU) 2022/2554. This pivotal regulation addresses a crucial gap in the management of operational risk within financial institutions, with a specific focus on digital operational resilience. Let’s explore the key elements of DORA, understand its implications for financial entities, and delve into recent developments.
Before the introduction of DORA, financial institutions primarily managed operational risk by allocating capital. However, this approach was often confined to traditional risk categories. DORA signifies a paradigm shift, compelling financial entities to broaden their approach to operational resilience. The regulation introduces explicit rules for the protection, detection, containment, recovery, and repair capabilities against incidents related to information and communication technology (ICT).
DORA’s foundational provisions are encapsulated in Article 1, which outlines the subject matter. The regulation aims to establish a high common level of digital operational resilience by laying down uniform requirements for the security of network and information systems supporting the business processes of financial entities. These requirements span various aspects, including ICT risk management, reporting of major ICT-related incidents, digital operational resilience testing, information sharing on cyber threats, and measures for the sound management of ICT third-party risk. DORA also addresses contractual arrangements with ICT third-party service providers and establishes an Oversight Framework for critical ICT third-party service providers.
As of 29th September 2023, the European Supervisory Authorities (EBA, EIOPA, and ESMA) published joint technical advice in response to the European Commission’s call for advice on delegated acts under DORA. This advice specifies criteria for critical ICT third-party service providers and determines oversight fees levied on such providers. This collaborative effort among regulatory bodies emphasises the commitment to refining and enhancing the digital operational resilience framework, indicating a collective dedication to staying abreast of industry dynamics.
To further elucidate the relationship between the NIS 2 Directive and DORA, the Commission issued guidelines on 18th September 2023. These guidelines clarify concerns regarding entities’ compliance with either directive. Notably, DORA’s cybersecurity risk-management measures, if at least equivalent in effect to the obligations laid down in the NIS 2 Directive, may render the relevant provisions of the NIS 2 Directive inapplicable to such entities. The guidelines underscore the importance of an ‘all-hazard approach’ in cybersecurity risk management, emphasising protection against a diverse range of threats to the security of network and information systems.
DORA, with its explicit focus on ICT incidents and operational resilience, acknowledges the potential to jeopardise the soundness of the entire financial system. The regulation positions itself as a comprehensive framework for the digital age, emphasising risk management, incident reporting, and collaboration among competent authorities. As financial entities navigate an increasingly digital landscape, embracing DORA becomes not just a compliance requirement but a strategic move to fortify resilience in the face of evolving challenges. The recent developments and guidelines underscore the commitment to refining this regulatory framework, ensuring its relevance and effectiveness in the digital frontier. In embracing DORA, financial entities stand poised to meet the demands of a digital era with robust risk management and operational preparedness.