arrow_upward

DORA (Digital Operational Resilience Act)

DORA: New regulation of digital operational resilience in the financial services sector

The Council of the European Union formally adopted the Digital Operational Resilience Act (DORA) to ensure that digital infrastructure, including systems and networks that underpin critical services in the financial sector, is secure and resilient to potential threats. Financial institutions have a relatively short time to comply with regulatory requirements. Their deadline starts on 16 January 2023, when the Digital Operational Resilience Act (DORA) came into force, and will last for two years.

dora

Objectives of the DORA Directive

DORA aims to improve the cybersecurity and operational resilience of all regulated European financial institutions and key third parties that provide ICT-related services to these institutions. While cyber attacks cannot be avoided, financial stability in Europe can still be achieved if organisations mitigate the impact of cyber threats on information and communication technologies (ICT).
dora

Who is responsible for compliance?

Responsibility for compliance with the requirements imposed by DORA rests with management. It will be responsible for reviewing, approving, implementing and updating the risk management framework. Management should therefore have a full understanding of ICT usage, services and risk profile. Companies should weigh up reassessing how the current system of reporting by ICT teams to senior management works in practice. Financial institutions covered by DORA will be required to designate a senior manager who will be responsible for digital operational resilience and incident reporting to the relevant authorities.

Harmonogram of the DORA directive



What does this mean for the entity and how can BDO help?

To comply with DORA, banks will need to have robust risk management systems and processes in place.

  • We will conduct a GAP analysis of compliance with regulatory requirements
  • We will assist in aligning business strategy with cyber risk management and maintaining a comprehensive and effective risk management framework

The aim of DORA is to harmonise incident classification and reporting processes. Early detection of incidents and rapid response are essential.

What can BDO help with?

  • We will suggest how to adapt to the new EU rules in terms of reporting and align internal processes in this regard to optimise resource allocation.

What can BDO help with?

  • We can perform vulnerability scanning and penetration testing. If required, we will implement robust business continuity and disaster recovery testing.
  • We will design and develop an appropriate solution, help with process integration and tool support to share information about these threats.

Banks should assess whether their response and recovery strategies and plans adequately address the enhanced risk management rules

What can BDO help with?

  • BDO's cybersecurity services are based on leading practices and driven by global regulatory requirements.
  • As a result, we can provide our clients with a holistic solution to manage complexities within third-party ecosystems.

It calls for the sharing of threat and intelligence information.


Impact of the Directive

Although the end of 2024 seems a long way off, compliance can be challenging and lengthy for these organisations. Compliance will be ensured by the entity's competent authority. EU Member States will have the right to impose penalties for breaches.

Compliance with the Directive

Although the DORA Regulation allows for a transition period until 17 January 2025, we recommend that organisations affected by the Regulation begin preparations immediately. We recommend that a phased approach is adopted, whereby covered entities develop a DORA compliance programme with the aim of achieving compliance by the end of the transition period. Failure to achieve compliance may lead to severe penalties from January 2025.


Which entities are affected by DORA?

The Regulation applies to a number of EU regulated financial institutions, including credit institutions, payment institutions, securities dealers, insurance companies and others. It will also apply to ICT service providers.

This category includes e.g. cloud service providers, software, data centres. On the other hand, some operators of payment and credit card systems are exempted. In particular, micro-businesses (up to 10 persons with an annual turnover of less than €2 million) are granted significant relief from certain obligations. For example, they are not obliged to establish, maintain and review a so-called comprehensive programme of operational resilience testing of digital systems.

EU Member States will have the right to impose sanctions for breaches of obligations.

This means that the lead authority can impose significant penalties for non-compliance. These significant penalties will take the form of a fine of 1% of the average daily worldwide turnover of the organisation in the previous financial year. This penalty will be applied by the lead inspector on a daily basis until compliance is achieved and for a maximum of six months.




Financial entities

ICT Third-party Service Providers*

  • Credit institutions
  • Providers of cloud computing services
  • Payment institutions
  • Software
  • Account information service providers
  • Data Analytics services
  • Electronic money institutions
  • Providers of data centre services
  • Investment firms
  • Undertakings that are part of a financial group and provide ICT services predominantly to their parent undertaking, or to subsidiaries or branches of their parent undertaking
  • Crypto-asset service providers and issuers of asset-referenced tokens
  • Financial entities providing ICT services to other financial entities
  • Central securities depositories
  • Participants in the payment services ecosystem, providing payment-processing activities or operating payment infrastructure
  • Central counterparties
* the entities listed are examples of ICT Third Party Service Providers
  • Trading venues
 
  • Trade repositories
 
  • Managers of alternative investment funds
 
  • Management companies
 
  • Data reporting service providers
 
  • Insurance and reinsurance undertakings
 
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
 
  • Institutions for occupational retirement provision
 
  • Credit rating agencies
 
  • Administrators of critical benchmarks
 
  • Crowdfunding service providers
 
  • Securitisation repositories
 

 


This Regulation shall not apply to:

  • alternative investment fund managers as referred to in Article 3(2) of Directive 2011/61/EU;
  • insurance and reinsurance undertakings referred to in Article 4 of Directive 2009/138/EC;
  • institutions for occupational retirement provision which operate pension schemes which together have no more than 15 members;
  • natural or legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU;
  • insurance intermediaries, reinsurance intermediaries and supplementary insurance intermediaries which are micro, small or medium-sized enterprises;
  • post office giro institutions as referred to in Article 2(5)(3) of Directive 2013/36/EU.



Compliance with the DORA Directive: our solution

At BDO, we offer both information and cyber security services. We can help you secure your information and assets to minimize potential threats. We comply with other legislative requirements, in particular ISO standards and the Cybersecurity Act (CSA).

  • We provide expert advice on DORA compliance, including risk assessment and gap analysis, incident management, business continuity plans, cyber security, continuous support and monitoring.
  • We can also help you implement and provide services to ensure the security and resilience of your IT infrastructure against potential threats, including penetration testing, vulnerability assessment and incident response planning, and building a system to manage incidents.
  • We will train your staff to understand the purpose of DORA regulation and the principles of the measures in place. We will explain how they can play their part in helping to meet the requirements.

A practical approach to DORA compliance:

  • Conduct regular threat and vulnerability assessments
  • Develop and implement incident management and business continuity plans to ensure that your organization can respond effectively to major types of incidents
  • Establish a robust governance and oversight system to ensure that all DORA requirements are met and that the organization's digital infrastructure is secure and resilient to potential cyber risks.
  • Regularly test and review incident management and business continuity plans.

Main contact persons