Introduction to the new European standard DORA: Strengthening the operational resilience of financial institutions in the European Union
The European Commission recently proposed a draft regulation aimed at strengthening the IT operational resilience of financial services players within the European Union. This new standard, known as the Digital Operational Resilience Act (DORA), aims to put in place a specific governance and internal control framework to improve the management of cybersecurity and data protection risks.
Regulatory changes to strengthen operational resilience
Since the Basel II accords in 2005, operational risk has been recognized as an essential component of banking risk. It encompasses losses resulting from faulty internal processes, people and systems, as well as external events. Business continuity in the event of a major incident is assessed to measure the ability of financial institutions to maintain their core activities despite disruption.
However, the increasing complexity and diversity of IT incidents, and their increasingly serious consequences, have rendered this macroscopic assessment of technological risks insufficient. Information systems now play a central and strategic role in the functioning of the banking system, exposing financial institutions to a growing risk of sophisticated computer attacks.
Cyberattacks, such as ransomware, can target the internal systems of financial institutions or damage the external infrastructures that support interbank services. Moreover, the outsourcing of technical and operational services has further complicated risk management, since external service providers can become vectors of contamination in the event of an incident.
Faced with this critical situation, it has become necessary to improve the operational resilience of financial institutions and strengthen regulations to support them in managing their cybersecurity and data protection risks.
The European Parliament and the Council intend to grant a general implementation period of 24 months for the DORA Directive. Companies should therefore plan for a 24-month implementation period covering all DORA requirements, running from the second half of 2022 to the second half of 2024.
In the event of non-compliance with the DORA regulation, EU countries will be able to introduce specific criminal sanctions linked to digital operational resilience obligations. In addition, special responsibility will be assigned to managers in accordance with Article 46 of the DORA Regulation.
Penalties for non-compliance with the DORA directive may include:
- Fines of up to 10 million euros or 2% of annual worldwide sales.
- Administrative sanctions, such as injunctions, temporary or permanent bans on activity, or publication of warnings.
- Criminal penalties, such as imprisonment or fines.
The amount of the penalty will therefore be determined by the seriousness of the violation, the size of the company and its revenues.
The objectives of the DORA standard
IT risk management
The DORA standard calls for effective IT risk management. Financial institutions will need to determine their level of risk tolerance and put in place business continuity and disaster recovery policies to deal with major technological incidents. Audit plans will also need to be regularly reviewed to cover IT risks. In addition, outsourcing contracts for ICT services will need to be approved and closely monitored to ensure that security requirements are met.
Reporting major incidents
The DORA standard also requires reporting of major technology-related incidents. Financial institutions will have to set up reporting mechanisms to a single European body, in order to strengthen incident management and improve cooperation in cybersecurity matters.
IT operational resilience testing
The standard requires regular testing of IT operational resilience. These tests will verify the ability of financial institutions to cope with technological incidents and maintain their essential activities in the event of disruption.
Third-party risk management
Financial institutions will have to supervise “critical” service providers more closely, and ensure that they comply with the security requirements defined by the regulations.
Ensuring effective management of technology-related risks
Strong governance and effective technology risk management are essential to ensure the operational resilience of financial institutions. The management of financial institutions must play a key role in this process. It must ensure that technology-related risks are properly assessed, that business continuity policies and disaster recovery plans are approved and regularly reviewed, and that outsourcing contracts for ICT services are properly managed.
It is also important that members of management have specific training in understanding and assessing IT risks, and their impact on financial operations. This training will enable them to make informed decisions and put in place the necessary measures to ensure the operational resilience of financial institutions.
The European directive will thus help strengthen the security of nearly 160,000 entities. It will also promote information sharing with the private sector and partners worldwide. According to Bart Groothuis, Member of the European Parliament, “if we are attacked on a large scale, we need to respond on an industrial scale. Ransomware and other cyber threats have targeted Europe for too long. It is essential that we act to make our businesses, governments and society more resilient to hostile cyber operations. The DORA directive offers a crucial opportunity to take concerted action to strengthen our security posture and protect our digital infrastructures from attack.”
In conclusion, the DORA standard represents a major step forward in strengthening the operational resilience of financial institutions within the European Union. By setting up a specific governance and internal control framework, this standard will enable financial players to better manage cybersecurity and data protection risks, and maintain their essential activities in the event of major technological incidents. Implementation of this standard will require adaptation of practices and processes within financial institutions, but it will help to strengthen the confidence of customers and business partners in the European Union’s financial sector.
At Ignimission, we understand the challenges of compliance and security. That’s why we offer advanced data collection solutions, designed to help and support companies in gathering relevant information to assess their DORA compliance. Thanks to our reliable and secure data collection solutions, companies can obtain key indicators on their compliance.
Want to know more about Ignimission? We’d love to hear from you: https://ignimission.ac-page.com/contact