As we mark the one-month anniversary of DORA coming into effect on January 17, 2025, it is crucial to explore its key aspects and implications for businesses. DORA represents a significant shift in the regulatory landscape, aiming to enhance the digital operational resilience of financial institutions within the European Union (EU) and harmonise the management of ICT risk.
Key Aspects of DORA
The essence of DORA is captured in five core pillars, each addressing a different aspect of ICT and cybersecurity. The pillars discussed below include:
ICT Risk Management: DORA mandates that financial entities develop comprehensive ICT risk management frameworks. These frameworks must clearly define roles and responsibilities, ensuring that institutions can effectively manage ICT risks. Regular testing and updates to these frameworks are essential to maintain resilience against evolving cyber threats. For example, leading European banks have implemented a new ICT risk management framework that includes regular penetration testing and vulnerability assessments to identify and mitigate potential threats.
Incident Management: The Act provides guidelines for incident reporting and management. Financial entities are required to establish robust incident response plans to quickly address and mitigate the impact of ICT-related disruptions. This includes regular testing of incident response procedures to ensure preparedness. For instance, financial services firms in Malta have conducted multiple Cyber Resilience Exercises (CREs) to test their incident response capabilities and improve their readiness for potential cyber incidents.
Business Continuity: DORA emphasises the importance of business continuity planning. Financial institutions must develop and maintain business continuity plans that address potential ICT disruptions. These plans should include strategies for maintaining critical operations and services during and after an incident. One example is a comprehensive business continuity plan developed by an insurance company, which includes backup data centres and alternative communication channels to ensure uninterrupted service during ICT disruptions.
Third-Party Risk Management: The Act extends its scope to ICT third-party service providers, including cloud computing, software, and data analytics providers. Financial institutions must ensure that their third-party providers comply with DORA’s stringent standards. This involves conducting thorough due diligence and regular assessments of third-party risk management practices. For example, various financial institutions are known to have implemented a rigorous third-party risk management programme that includes regular audits and assessments of their cloud service providers to ensure compliance with DORA.
Implications for Businesses
The implementation of DORA has far-reaching implications for businesses in the financial sector. By harmonising operational resilience standards across the EU, DORA aims to create a more secure and resilient financial ecosystem. Businesses must invest in enhancing their ICT infrastructure, incident response capabilities, and third-party risk management processes to comply with the new regulations.
Moreover, DORA’s global reach means that any technology supplier serving EU financial institutions must adhere to its standards, regardless of their location. This ensures a uniform approach to digital operational resilience, reducing the risk of ICT-related disruptions and enhancing the overall stability of the financial sector. DORA introduces a new emphasis on information sharing between financial entities and supervisory authorities, promoting early warning systems and enhanced preparedness.
Traditionally, cybersecurity incidents were often kept secret to avoid reputational harm. DORA’s philosophy prioritises transparency while reducing administrative load. By encouraging information sharing, DORA enhances awareness and insight, speeding up the creation of innovative tools and defences against new and emerging threats. It requires firms to report to their competent financial supervisors, who can then pass relevant information to non-financial public authorities (such as national data protection authorities), thus managing compliance without increasing the overall reporting burden.
How ARQ Can Help
At ARQ Group, we understand the complexities of navigating regulatory changes. Our team of experts is here to help you comply with DORA’s requirements and enhance your digital operational resilience. We offer tailored solutions to strengthen your ICT risk management, incident response, business continuity, and third-party risk management practices. For more information, please speak to Kai Kleingunther – Senior Advisor – Risk and Compliance.

Manfred Galdes
Managing Partner
A lawyer by profession, Manfred Galdes is the managing partner at ARQ. He has over twenty years of experience practising in the area of regulatory and AML compliance, having held leading roles in both the private and public sector.