The Digital Operational Resilience Act, known as DORA, impacts the financial sector as well as Big (and Small) Tech supporting banks and other financial entities. Yet some of the details are coming out at the last minute, with some still unresolved, and companies are scrambling to fully understand, and importantly to comply with, the many layers of compliance requirements across multiple legal and technical instruments. The mandated compliance go-live deadline is 17 January 2025, but few will be fully compliant.
According to the ECB “[w]ith the use of information technology having become a large part of daily life, and even more so during the coronavirus (COVID-19) pandemic, the potential downsides of an increasing dependence on technology have become even more apparent. Protecting critical services like hospitals, electricity supply and access to the financial system from attacks and outages is crucial.” “Given the ever-increasing risks of cyber attacks, the EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms.” DORA will “make sure the financial sector in Europe is able to stay resilient through a severe operational disruption.”
The cost of the above threats continues to increase. We already see very significant data fines arising under data laws such as personal data rules. Meta (previously Facebook) has been fined 1.2 billion for one set of data breaches concerning data transfers. TikTok has been fined 345 million and 14.5 million for data breaches regarding child data. There have been a number of data fines in the billions across the globe.
Many firms have been fined as a consequence of ineffective security measures leading to them being hacked, demonstrating a lack of appropriate technical security measures and overall digital operational resilience. Already, even before the official go-live of DORA, firms have been receiving significant fines and penalties as a result of matters which cross over with digital operational resilience.
Increased digitalisation, and interconnection, also “amplify ICT risk”, making society as a whole (and the financial sector in particular) more vulnerable to cyber threats and/or ICT disruptions and attacks from errant third parties.
The range of cyber threats is increasing. They include, for example, bad actor hacking attacks, business email attacks, phishing, spear phishing, ransomware, viruses, Trojans, Distributed Denial of Service (DDoS), web application attacks, mobile attacks, and more.
It can also be wider than direct attacks. There are increasing numbers of indirect attacks, where the bad actors seek to get in via a trusted third-party service provider that the financial company uses. This is supply chain and service provider compromise.
Other risk issues include management risk and system risk, such as failing to patch known vulnerabilities.
The number of attacks is increasing. The level of sophistication and complexity of the attacks is also increasing.
Central banks, whether the European Central Bank (ECB), or the Bank of England (BOE), or the Fed in the U.S., are tasked with protecting the financial stability of the entire financial system. As part of this they need to ensure that financial firms are financially resilient and stable. Part of the rules around financial stability stem from the last great recession.
But today, financial stability is not the only threat to financial entities and the wider financial system. IT, ICT, and cyber threats must also be reckoned with. An example of an IT vulnerability change, apparently due to a lack of testing prior to deployment, which had widespread adverse effects across a range of industries was the SolarWinds incident. Financial entities often rely on third-party suppliers or even outsource some of their core activities. Firms can be adversely affected when one of these third parties is exposed to a cyber attack. Bank of America, for example, had to warn its customers after one of its suppliers (IMS) was hacked by bad actors. Financial entities using service providers such as AddComm and Cabot have also encountered problems when those suppliers were involved in cyber attacks. Christine Lagarde (President of the European Central Bank (ECB)) has stated that “cyberattacks could trigger a serious financial crisis.” Piero Cipollone (ECB Executive Board) states that “cyber risks have become one of the main issues for global security. They have been identified as a systematic risk to the stability of the European financial system.” Unfortunately, it is not limited to just the European financial system.
Now, financial firms must also ensure that they are digitally operationally resilient and prepared for these internal and external tech threats.
DORA “promotes a common set of rules and standards to mitigate Information and Communications Technology (ICT) risks for financial entities. One of the objectives of DORA is to prevent increased fragmentation of rules applicable to ICT risk management.”
DORA deals with five key areas, namely:
DORA “addresses today’s most important challenges for managing ICT risks at financial institutions and critical ICT third-party service providers. Only if these risks are properly managed can digitalisation truly deliver on the many opportunities it offers for the banking and financial industry: Better analysis and better data management can make banks more resilient. For instance, early warning systems for loan defaults based on automatically evaluated economic news could improve risk management.”
DORA is an EU regulation. Being a law, it is labelled a Level 1 requirement. Unfortunately for industry, there is an expansive range of even more detailed legal and technical requirements at Level 2, below the Level 1 rules.
DORA sets out a broad array of new obligations for financial entities, and also for outsourcing companies and technology companies supporting the financial sector. Some of these new rules mean new or enhanced:
The Level 2 rules are separated into:
The range of these added Level 2 rules has added to the already complicated nature of the technical and regulatory compliance efforts required of firms. An additional difficulty is that the Level 2 rules have come out over different time periods. The ones that are developed by the ESAs generally need to be reviewed, amended and implemented by the Commission. While the ESAs had a specific (split) timetable, the Commission has not had to specify when it would finalise the Level 2 rules at its end. Overall, the rules have come out at different times, thus adding further difficulties for firms. Indeed, even as the end of 2024 approached, not all Level 2 rules were fully clear, even though the go-live date was January 2025.
The RTS are:
There is also the following ITS:
There are two Guidelines as follows:
There are two Commission Delegated Regulations which are independent of the ESAs, as follows:
In summary, given the breadth of rules required to be complied with, the effort needed to interpret and apply these rules, and the late issue of some of the official materials, financial entities and suppliers have their work cut out for them to ramp up to a level approaching compliance, and to expand the maturity of such compliance over the coming years.