DORA entered into force in January 2023 and will apply from January 2025. But DORA is not completely new. In fact, it largely consolidates existing regulations, guidelines and common practices that were already in place, especially for banks. Until now, the requirements for digital operational resilience and cyber resilience were scattered across many different pieces of law, regulation and supervisory practice.
DORA brings all these pieces together in one piece of legislation, reducing complexity and confusion. That is a big step forward. It makes it much clearer exactly what, in the field of digital operational resilience, is expected from the financial sector.
What is the scope of DORA?
Understandably, then, the scope of DORA is quite broad. It effectively covers everything of importance in the financial sector: banks and credit institutions, but also payment institutions, e-money institutions and asset management. On top of those, it also covers crypto-asset issuers and service providers, insurers and reinsurers.
So it is not only the EU banking supervisor enforcing this piece of legislation on the banks: financial market supervisors will address financial market participants, asset managers, the stock exchanges and so on, and pension and insurance supervisors will address the pension funds and insurance companies.
In short, all branches of financial sector supervision are covered by DORA. That is why this piece of legislation is of key importance, not because the content is really new. There are some novel elements, and it simplifies the landscape by bringing together a unified approach to digital operational resilience.
The purpose of DORA, simply put, is to improve the resilience of both individual entities and the sector as a whole, and so to bolster financial stability. It is also about protecting deposits, and in that respect it is a classic piece of supervisory legislation.
DORA recognises the systemic and economic importance of individual financial entities: if a big bank, for example, were hit by a cyberattack, that could affect the functioning of a national economy.
It also addresses critical third-party ICT service providers, such as the big cloud service providers like Amazon and Google. Today, more and more financial entities rely on cloud service providers, especially the larger ones.
If a bank subcontracts to a third party, it is important for the banking supervisor to ask whether the bank has everything in place to ensure that the third-party service provider is also resilient. When it comes to the Googles and Amazons of this world, they are becoming so important to resilience that they deserve dedicated oversight for the services they offer to the financial sector.
Why the two year wait to apply DORA?
Any new piece of EU legislation commonly takes two years to implement; the market needs time to prepare.
DORA is quite specific about what needs to be done. But to implement it, the supervisors also have to indicate how they expect the affected institutions to fulfil the criteria of DORA: they have to draft the regulatory technical standards.
DORA is a Level One piece of legislation. Level Two legislation consists of the regulatory technical standards and implementing technical standards, the expectations as drafted by the European Supervisory Authorities: the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority. These are currently being drafted. The two-year period is needed because, once a piece of legislation is approved, the regulators have to become more specific by drafting the technical standards.
The first set of these is expected to be published by the end of this year, the next set halfway through 2024.
The market knows broadly how it should prepare, but it is quite a tight schedule and the sector faces a huge task.
How will DORA sit compared to other regions?
DORA is about harmonisation across the EU, but it is possible that this could cause complications internationally.
There is a risk of divergence between UK legislation and EU legislation, but DORA brings together a lot of requirements that are already out there in the markets in different forms. Many of these are simply what you should do as a financial entity to be cyber resilient.
Take what is currently in place in the UK, for example, which is enforced by the PRA, the Prudential Regulation Authority. There is already a lot in place. And every financial entity in the UK that is also active in the European Union has to comply with European law, so DORA will mean they have to see where they need to tweak their systems and structures.
But it is nothing new for UK financial institutions. It will not require a radical policy overhaul, rather some amendments.
How will DORA impact cyber security controls?
The first substantive section of DORA is all about ICT risk management. The legislation expects the management body to take full responsibility for cyber strategy, and that means fully understanding what the risks are.
That also means identifying your key assets (money, databases, personal information, network infrastructure, for example). Once you have identified key assets, you must decide how best to protect them, what your detection strategies and policies are for finding intruders, and what your response and recovery strategies are.
DORA, following a structure similar to the NIST Cybersecurity Framework (identify, protect, detect, respond, recover), requires the boards of supervised financial sector entities to follow a structured approach to implementing and enforcing cyber security controls. They must complete proper risk assessments, and decide how they are going to accept or address the risks they face.
DORA is also designed to help financial sector companies avoid single points of failure, such as relying on a single service provider. It may feel like the sector is running to the big cloud service providers, and that is a concentration risk which the new legislation also intends to address.
While DORA might be a push rather than a shake-up of the sector, it may well trigger debate among larger players about whether they can do it all themselves, or whether they should outsource parts of DORA compliance to a party with much more knowledge about how to avoid cyberattacks and strengthen cyber resilience.
Certainly, smaller financial entities with fewer resources and staff will start thinking more about outsourcing the back office. But that creates reliance on those third-party service providers to have all the required security controls and everything else already in place.
Everybody feels the pressure to outsource for cost reduction reasons. But the big banks have much greater resources, staff and knowledge to do many things themselves.
And of course, we are not talking only about banks. Small asset managers, for example, cannot simply run their own full security operations centre (SOC). Many small organisations outsource the SOC function and have a service provider keep an eye on their systems from a security perspective.
Is DORA about compliance?
It is not black and white. It is always within the context of what you must do, and DORA is largely about setting a clear path of classic supervision: the supervisor asks the questions and the entity has to show its answers.
There will be many financial entities which do not have very good answers for the supervisors and will therefore be deemed non-compliant. They will then have to produce a remediation plan showing how they intend to improve and address the non-compliant areas.
But as the cyber threat and the landscape are evolving so fast, you have to look forward. You have to anticipate what can be done in the future, and test yourself. You have to change your culture and move away a little from the dialogue of “Am I compliant?” towards learning and evolving. Yes, things will go wrong, but ask what you learn from them. Yes, you may well be hacked. But ask what you learn from it, and how you can work to prevent it in the future.
Rob Dartnall is CEO and director of intelligence for SecAlliance and Chair of the CREST UK Council