The Digital Operational Resilience Act (“DORA”) was proposed by the European Commission in 2020 as part of its Digital Finance Package, a set of measures intended to unlock the potential of digital finance for innovation and competition while mitigating the risks that come with it. It was formally adopted as Regulation (EU) 2022/2554 in December 2022.
Alongside the Network and Information Security (NIS2) Directive, recently approved by the European Parliament, the DORA Regulation aims to consolidate and harmonize the essential cybersecurity requirements for digital operational resilience in the financial sector.
DORA is a landmark piece of legislation for the financial industry and positions the EU at the forefront of technology regulation.
With the financial sector the target of more than 20% of global cyberattacks, the destabilization of a single financial entity has multiple, critical impacts across the whole economic ecosystem.
The growth and severity of cyberattacks, the rising sophistication of attackers’ techniques, the danger of systemic consequences, and the gaps in the existing regulatory framework led to the conception of DORA. Its goal is to regulate “operational resilience” uniformly across the EU financial sector.
Over the past decade, information and communication technology (ICT) has revolutionized the financial sector and taken a central role in its daily operations. That digital transformation, however, has not been matched by adequate awareness and management of the cyber risks to which the sector is increasingly exposed. In addition, cybersecurity provisions have so far remained scattered across different EU acts, not always consistent with one another, and implemented differently at the national level.
DORA therefore mandates standardized cybersecurity requirements so that financial entities operating in the EU are better positioned to prevent, respond to and recover from ICT incidents, and can thereby continue to deliver their critical or important functions while minimizing disruption for customers and for the financial system as a whole.
In practice, this means establishing robust measures and controls over systems, tools and third-party providers, having the right continuity plans in place, and regularly testing their effectiveness.