DORA Cybersecurity Regulation

The Digital Operational Resilience Act (DORA) is a regulation of the European Union designed to establish a unified framework that standardizes how financial entities should manage digital risk in finance within the European Union.

This framework aims to use a single approach to cybersecurity and ICT risk management to streamline management across organizations. In this way, all financial entities and ICT providers will follow the same guidelines to maintain the continuity of their digital operations and services in case of incidents, technical failures, cyberattacks, or other events that could affect their technological infrastructure.

The new regulation came into effect on January 16, 2023, although according to the law itself, financial entities and digital service providers have until January 2025 to comply with its requirements.

DORA’s objective is to strengthen the ability of financial companies to withstand and recover from operational disruptions. DORA is framed in the context of an increasingly interconnected financial sector that relies on information technology, making it more vulnerable to cyber risks.

The scope of DORA is broad, and it applies to financial entities and providers operating in the EU, regardless of whether they are headquartered in the European Union or a third country.

• Financial entities offering financial services in the European Union, including banks, investment firms, insurance companies, insurance intermediaries, asset management companies, fintechs, cryptocurrency and crypto asset management companies, and pension funds.
• Digital service providers offering services relevant to the provision of financial services, including information technology (IT) companies, cloud service providers, electronic payment service providers, and other digital service providers.

The first step is the identification of essential services and critical functions.

For these, the requirements include:

• Assessment and management of operational risks.
• Implementation of security measures and business continuity.
• Incident notification and crisis management.
• Regular operational resilience testing.

Alongside DORA, an associated regulation called the “Regulation on the Operational Continuity of Critical Financial Market Infrastructures” (CRO) has been developed. This regulation establishes specific requirements for financial entities that provide critical financial services and are considered of critical importance, meaning that their disruption could have a significant impact on the overall functioning of the financial system.

The CRO Regulation sets stricter standards regarding the identification of essential services and critical functions, operational risk management, resilience testing, and contingency plans. It also mandates these entities to provide national supervisors with detailed information about their contingency and operational resilience plans and allows supervisors to conduct tests.

The CRO Regulation was published in the Official Journal of the European Union on December 20, 2019. The regulation entered into force on June 9, 2021, which was 20 days after the publication of the DORA Act. However, the CRO Regulation establishes a transition period for affected financial entities to adapt to the new requirements. Specifically, the regulation sets a 12-month deadline for financial entities affected by the regulation to submit contingency and operational resilience plans to national supervisors that comply with the regulation’s requirements. Additionally, the regulation states that national supervisors can grant an additional six-month extension if they believe the financial entity is making significant progress toward meeting the regulation’s requirements.

Compliance management of the DORA Act can be carried out using the Three Lines of Defense framework. This approach is widely used in the financial industry and is based on the division of responsibilities and functions among different areas of the organization.

The first line is the responsibility of business areas, including IT teams, who must implement and maintain resilience and operational continuity controls. This includes risk identification, control implementation, and monitoring and supervision of their effectiveness.

The second line is the responsibility of risk management and compliance areas, who must ensure that risks have been identified and managed appropriately and that implemented controls are effective. They must oversee compliance with resilience and operational continuity requirements.

The third line is the responsibility of internal audit, which must assess the effectiveness of controls and the operational resilience and continuity program. This includes conducting resilience testing and reviewing the implementation of contingency and recovery plans.

From GlobalSuite Solutions, we can assist you in implementing DORA and managing compliance through GlobalSuite®, our GRC software that helps with the implementation and monitoring of standard requirements, improving the resilience of the company through:

• Risk assessment: Conducting structured and systematic risk assessments, helping your organization identify and evaluate digital risks associated with its critical systems, processes, and services.
• IT business continuity planning and digital operational resilience: Assisting in designing IT business continuity plans for your critical systems, processes, and services.
• Incident management: Serving as a centralized platform for incident management, we can improve incident detection and enable rapid responses to cybersecurity incidents and other events that may affect digital resilience.
• Supplier monitoring: Enabling the monitoring and evaluation of digital service providers to ensure they comply with DORA standards.
• Compliance management: Offering ongoing compliance management support for organizations seeking continuous DORA compliance.