Strengthening Financial Market Infrastructure: Exploring the Digital Operational Resilience Act in the European Union

The European Union (EU) continuously strives to strengthen its financial market infrastructure and ensure its stability, especially in the face of digital transformation. The rapid growth of digital technologies and increasing reliance on digital services has exposed the financial sector to new risks and vulnerabilities.

To address these challenges, the European Commission proposed a new regulatory framework, the Digital Operational Resilience Act (DORA), aimed at making the financial sector's ICT systems able to withstand, respond to and recover from disruption. The framework sets common security expectations for financial entities and the ICT vendors that serve them, and in doing so protects the customers who depend on those services. Harmonized rules on risk management, incident reporting and testing also give supervisors, entities and vendors better visibility into where operational risk actually sits.

This article delves into the key aspects of DORA, its implications for the financial sector, and how organizations can prepare for its implementation. Let's learn more about DORA and its deployment in the financial sector.

DORA: An Overview

The Digital Operational Resilience Act (DORA) was proposed by the European Commission in September 2020 as part of its Digital Finance Package and has since been adopted as an EU regulation. It creates a comprehensive and harmonized framework for digital operational resilience within the EU's financial sector. DORA encompasses a wide range of measures, including:

  • Strengthening the existing ICT risk management requirements
  • Implementing a robust incident reporting framework
  • Establishing a digital operational resilience testing framework
  • Streamlining and improving oversight of third-party service providers
  • Enhancing supervisory cooperation and coordination

DORA applies to a broad range of financial entities, including credit institutions, investment firms, payment institutions, electronic money institutions, and insurance companies, among others, and it also brings the ICT third-party service providers designated as critical to the sector under direct oversight. Its implementation is expected to bring about significant changes in the financial sector, requiring organizations to adapt and comply with the new requirements.

Legal Frameworks and Regulations for the Financial Sector

DORA isn't the first regulation of its kind: it builds on a long line of financial-sector rules adopted by other jurisdictions and by the EU itself. Other examples of legal frameworks and regulations relating to the financial sector include:

  1. Basel III: This international regulatory framework sets minimum capital requirements, liquidity ratios, and leverage limits for banks. It aims to strengthen the resilience of the banking sector and prevent systemic risks.
  2. Dodd-Frank Act (USA): Enacted in response to the global financial crisis, this act introduced significant reforms to the U.S. financial system. It established regulations for banks, derivatives, consumer protection and created the Consumer Financial Protection Bureau (CFPB).
  3. Markets in Financial Instruments Directive (MiFID II) (EU): This directive governs the provision of investment services across the European Union. It aims to enhance investor protection, increase transparency, and improve the functioning of financial markets.
  4. General Data Protection Regulation (GDPR) (EU): Although not specific to the financial sector, GDPR imposes strict data protection and privacy requirements on all organizations that process the personal data of individuals within the EU. Financial institutions must comply with these requirements when handling customer data.
  5. AML and KYC rules: Anti-money laundering (AML) and know-your-customer (KYC) regulations require customer identification, due diligence, and ongoing transaction monitoring to prevent money laundering and related offences.
  6. Securities and Exchange Commission (SEC) regulations (USA): The SEC enforces regulations to protect investors, maintain fair and orderly markets, and facilitate capital formation. These regulations govern various aspects of the securities industry, including registration requirements, disclosures, and insider trading.
  7. Financial Conduct Authority (FCA) regulations (UK): The FCA is the regulatory authority for financial services firms in the UK. It oversees the conduct and prudential standards, market integrity, and consumer protection.

Strengthened ICT Risk Management

DORA emphasizes the importance of robust and effective ICT risk management for financial entities. It sets out detailed requirements for organizations to identify, classify, mitigate, and manage ICT risks, with ultimate responsibility placed on the management body. These requirements cover aspects such as:

  1. Governance and strategy: Organizations must establish a clear governance structure and define a comprehensive ICT risk management strategy.
  2. Risk identification and assessment: Financial entities need to conduct regular risk assessments, identify vulnerabilities, and prioritize risks based on their potential impact.
  3. Risk mitigation and management: Organizations are required to implement appropriate measures to mitigate and manage identified ICT risks, including policies, procedures, and controls.
  4. Incident response and recovery: Financial entities must establish incident response plans, business continuity policies and ICT recovery plans, with backup and restoration procedures, to ensure a timely and effective response to ICT incidents.
  5. Continuous improvement: Organizations are expected to continuously monitor and review their ICT risk management framework, incorporating lessons learned from incidents, post-incident reviews and testing activities.

Incident Reporting Framework

DORA introduces a harmonized incident reporting framework for financial entities, requiring them to report major ICT-related incidents to their competent authorities. The framework aims to facilitate a consistent approach to incident reporting across the EU, enabling better monitoring and analysis of ICT risks and faster sharing of threat information between authorities.

Financial entities are required to classify incidents against predefined criteria, such as the number of clients and counterparties affected, the duration of the incident and of service downtime, the geographical spread, the data losses involved, the criticality of the services affected, and the economic impact. Incidents that meet the thresholds for a major incident must be reported in stages within specific timeframes: an initial notification, followed by an intermediate report once the situation is better understood, and a final report once the root cause analysis is complete. Each report must provide detailed information on the nature, impact, and remediation measures taken. Entities may also notify their authorities voluntarily of significant cyber threats.

Digital Operational Resilience Testing

To ensure that financial entities are adequately prepared to handle ICT risks, DORA mandates routine digital operational resilience testing. This includes vulnerability assessments and scans, open-source analysis, network security assessments, gap analyses, source-code reviews where feasible, scenario-based tests and penetration tests, used to evaluate the effectiveness of the ICT risk management framework and identify weaknesses. Systems and applications that support critical or important functions must be tested at least yearly, and identified weaknesses must be tracked to remediation.

Furthermore, financial entities identified by their competent authorities as significant must carry out advanced testing in the form of threat-led penetration tests (TLPT) at least every three years, exercising live production systems that support critical or important functions. These tests aim to assess the resilience of the financial sector as a whole and identify potential systemic risks, and they may cover the ICT third-party providers that support the functions in scope.

Oversight of Third-Party Service Providers

DORA recognizes the growing reliance of financial entities on third-party service providers and the potential risks associated with outsourcing critical functions. To address this, the regulation introduces enhanced oversight measures for critical ICT third-party service providers, which include:

  1. Designation and information requirements: ICT third-party service providers that are critical to the financial sector are designated as such by the European Supervisory Authorities and must provide information on their services, governance, and risk management practices. Financial entities, for their part, must maintain a register of information on all their contractual arrangements with ICT third-party providers.
  2. Supervisory powers: A Lead Overseer is granted supervisory powers over each critical third-party service provider, which include the ability to request information, conduct on-site inspections, issue recommendations, and impose penalty payments for non-compliance.
  3. Outsourcing requirements: Financial entities must meet specific contractual and risk-management requirements when outsourcing functions supporting critical or important operations, ensuring they retain control over their operations, have exit strategies in place, and manage the concentration risk associated with outsourcing.

As DORA is still in the early stages of implementation, there are limited examples of its application in Europe. However, a survey conducted by Deloitte between November 2022 and January 2023 covered 20 entities across 20 European countries, providing an overview of the readiness of financial entities and their approach to DORA compliance.

DORA was adopted as Regulation (EU) 2022/2554, published in the Official Journal of the European Union on 27 December 2022, and entered into force on 16 January 2023. Its requirements apply from 17 January 2025, after a 24-month implementation period. A number of major organizations in the financial sector have publicly expressed their support for DORA and are working toward compliance within that period.

Supervisory Cooperation and Coordination

Finally, DORA aims to enhance supervisory cooperation and coordination among competent authorities, both at the national and EU level. This includes sharing information on ICT risks, incidents, and best practices, and conducting joint supervisory activities and coordinated testing exercises.

Preparing for DORA Implementation

Although DORA has been adopted and its requirements apply from 17 January 2025, several of the technical standards that spell out the detailed requirements are still being finalized by the European Supervisory Authorities. Financial entities should not wait for them and should start preparing for the new requirements by:

  • Reviewing their existing ICT risk management framework and identifying potential gaps or areas for improvement.
  • Establishing a robust incident reporting process, including the classification, reporting, and documentation of ICT incidents.
  • Developing a comprehensive digital operational resilience testing plan, incorporating self-assessments, vulnerability assessments, and penetration tests.
  • Assessing their outsourcing arrangements, building the register of information on ICT third-party contracts, and ensuring compliance with the requirements for arrangements with critical third-party service providers.
  • Engaging with competent authorities and industry peers to stay informed about the latest developments and best practices in digital operational resilience.

Conclusion

The implementation of DORA will bring about significant changes in the EU’s financial sector, requiring organizations to adapt and comply with the new requirements. By proactively preparing for these changes, financial entities can enhance their digital operational resilience and contribute to the overall stability of the financial market infrastructure.

Marc-Roger Gagné MAPP
@OttlegalRebels