CSSF's DORA regulation guidelines

Summary: DORA is a comprehensive legal framework that will be implemented in January 2025 to assess how well financial institutions can handle significant operational shifts or information and communications technology (ICT) emergencies. As an EU regulation, DORA applies directly to financial entities that are subject to it.

It also seeks to unify present rules governing digital operational resilience, promote the incorporation of ICT risks into larger risk management strategies, and encourage transparency about ICT third-party providers.

DORA also has an extraterritorial component, which means that businesses outside the EU that provide ICT services to EU financial entities must comply with its regulations. It addresses a variety of issues, including risk management, operational resilience, and regulatory compliance.

DORA key points from the latest communication:

Updated ICT risk management Guidelines: DORA will cover governance and organisational requirements (Section I of Chapter II of DORA) as well as responsibilities relating to the ICT risk management framework. This covers the essential risk management concepts and requirements for financial firms.

Enhanced ICT incident Monitoring: DORA responds to the emerging risks and weaknesses in ICT by improving the monitoring tools to evaluate the efficiency of the management, classification and reporting of ICT incidents. DORA aims to simplify and align the reporting of ICT incidents across the financial sector, as well as to increase the range of the financial entities involved. However, as mentioned by the CSSF in its communication, some support PFS and specialised PFS are not covered by the regulation (Article 2 DORA).

Besides the reporting of major ICT-related incidents, DORA also encourages the voluntary reporting of significant cyber threats.

Moreover, Chapter III of DORA sets out the incident management processes that financial entities have to follow. This involves regular audits and assessments to check that they meet the regulatory requirements.

Digital operational resilience and penetration test factors: Chapter IV of DORA outlines the requirement to implement a digital operational resilience testing plan to assess ICT incident management readiness and identify vulnerabilities, faults, and gaps in digital operational resilience. In addition to the basic testing standards, DORA requires advanced testing based on threat-led penetration testing (TLPT) for some financial firms subject to the TLPT regime.

Risk management related to ICT third-party service providers and the Focus on Cybersecurity: Given the growing incidence of cyber risks, DORA has emphasised the importance of strong cybersecurity safeguards in the framework. In the first section of Chapter V, DORA lists key contractual provisions to consider when dealing with third-party service providers who provide ICT services, as well as principles-based guidelines for third-party risk management in the context of ICT risk management. Section II of Chapter V describes a supervisory structure for major third-party ICT service providers in Europe.

Financial institutions should invest in cybersecurity and follow good practices to lower threats effectively.

Collaborative Approach: DORA encourages collaboration between financial institutions, regulatory bodies, and industry stakeholders to foster a culture of transparency and cooperation. Regular dialogue and information sharing are vital for addressing emerging challenges and ensuring the effectiveness of DORA implementation. In fact, the DORA Regulation's Chapter VI contains rules on the voluntary sharing of information and intelligence on cyber risks amongst financial firms, with the goal of enhancing the digital operational resilience of financial entities.

Looking Ahead:

The CSSF shows its commitment to supporting financial institutions in becoming more adaptive and ready for the changing financial environment through its insight into the DORA framework. It also emphasises that a robust and sustainable financial system relies on the continuous cooperation and active participation of all stakeholders.

You can find more details on CSSF's communication or go to our law firm's website for more guidance on legal and regulatory matters.
