DORA is on the horizon
This regulation (not a directive: DORA is Regulation (EU) 2022/2554 and applies directly in every member state without national transposition) covers financial entities operating within the EU and also brings critical third-party ICT service providers under an EU oversight framework. DORA entered into force on January 16, 2023, and its provisions apply, and become enforceable, from January 17, 2025. Its primary objective is to strengthen information and communication technology (ICT) security and operational resilience across the financial sector.
The increasing digitalization of the sector called for a single framework addressing the ability of financial entities to build, protect, and test their operational resilience from a technological standpoint. This includes securing the networks and information systems used to deliver financial services and managing the risks attached to them.
DORA's core principles can be summarized as follows:
- ICT Risk Management: DORA requires financial entities to maintain a risk management framework tailored specifically to ICT risk. The framework must systematically identify, assess, and mitigate ICT risks, and it must be reviewed and updated periodically, with the management body accountable for it.
- ICT-Related Incident Reporting: Under DORA, financial entities must classify ICT-related incidents and report major ones to their competent authority within defined timeframes. Major incidents are those with a significant impact on the entity's operations or services, or that could pose a risk to other financial entities or to the financial system as a whole.
- Digital Operational Resilience Testing: DORA requires financial entities to carry out regular resilience testing that evaluates their ability to withstand and recover from severe operational disruptions caused by ICT incidents. The testing programme must cover all critical business processes and systems, and entities designated by their authorities must additionally undergo threat-led penetration testing (TLPT) at least every three years.
- ICT Third-Party Risk Management: DORA requires financial entities to manage the risk arising from third-party ICT providers. This means performing due diligence before contracting, embedding suitable risk mitigation measures and mandatory contractual provisions (such as audit and exit rights) in agreements, keeping a register of all ICT third-party arrangements, and continuously monitoring provider performance.
- Information Sharing: DORA encourages financial entities to share cyber threat information and intelligence about ICT risks and incidents, both among themselves and with their supervisory authorities. This exchange allows entities to learn from each other's experience and to identify and counter emerging threats earlier.
These five pillars are designed to work together to strengthen the ICT security and operational resilience of the EU's financial sector. Beyond them, DORA contains further provisions, including the requirement that financial entities adopt a digital operational resilience strategy and establish a governance framework dedicated to digital operational resilience.
DORA is a comprehensive and ambitious piece of legislation that is expected to reshape how financial entities approach ICT risk management and operational resilience in their day-to-day operations.