Rob Dartnall, CEO and director of intelligence for SecAlliance, describes the scope and remit of the upcoming Digital Operational Resilience Act (DORA) on the financial sector
DORA came into force in January 2023 and will apply from January 2025. But DORA is not completely new: it combines a lot of existing regulations, guidelines and common practices. Until now, those cyber resilience guidelines and regulations were scattered among many different pieces of law, pieces of regulation and supervisory practices.
DORA brings the pieces together, reducing complexity and confusion. That’s a big step forward. It makes it much clearer exactly what is expected from the financial sector.
What does DORA cover?
DORA effectively covers everything of importance to cyber resilience in the whole financial sector.
All areas of financial sector supervision are covered by DORA, not just the banks. This is why it is key, not because the content is new. There are some new elements, and it simplifies the landscape. And it certainly delivers a more unified approach towards digital operational resilience.
The purpose of DORA, simply put, is to improve the resilience of both individual entities and the sector as a whole, to bolster financial stability. It’s also about protecting deposits and in that respect, it’s a classic piece of supervision legislation.
DORA recognises the systemic and economic importance of individual financial entities – in that if a big bank, for example, was hit by a cyberattack, that could affect the functioning of a national economy.
It also addresses supervision of critical third-party service providers, such as the big cloud service providers like Amazon and Google. Today, more and more financial entities rely on cloud service providers, especially the larger ones. If a bank is subcontracting to a third party, it is important for the banking supervisor to ask if everything is in place to ensure the third-party service provider is also resilient. When it comes to the Googles and Amazons of this world, they are becoming so important to resilience that they deserve dedicated supervision for the services they offer to the financial sector.
Why the two year wait to apply DORA?
Any new piece of EU legislation will commonly take two years to implement – the market needs time to prepare.
DORA is quite specific in what needs to be done. But to implement it, the supervisors also have to indicate how they expect the affected institutions to fulfil the criteria of DORA – they have to draft the regulatory technical standards.
DORA is a Level One piece of legislation. Level Two legislation is the regulatory technical standards or the implementation standards: the expectations as drafted by the regulators, the European Banking Authority, the European Securities and Markets Authority and the European Pension Authority. These are currently being drafted. The two-year period is needed because once a piece of legislation is approved, the regulators have to become more specific by drafting the regulatory technical standards.
The first set of these was published in January 2024, with the next set due halfway through 2024.
The market knows exactly how it should prepare, but it is quite a tight schedule and the sector faces a huge task.
How will DORA sit compared to other regions?
DORA is about homogenisation across the EU, but it is possible that could cause complications internationally.
There is a risk of divergence between UK legislation and EU legislation, but DORA brings together a lot of requirements that are already out there in the markets in different ways. Many of these are simply what you should do as a financial entity to be cyber resilient.
Take what is currently in place in the UK, for example, which is enforced by the Prudential Regulation Authority (PRA). There is already a lot in place. And every financial entity in the UK that is also active in the European Union has to comply with European law, so DORA will mean they have to see where they need to tweak their systems and structures.
But it is not radically new for UK financial institutions, and it is likely to lead to some tweaks rather than a complete policy overhaul.
How will DORA impact cyber security controls?
The first thing DORA addresses is ICT risk management. It expects an organisation’s executive board to take full responsibility for cyber strategy – and that means fully understanding what the risks are.
This includes identifying key assets (money, databases, personal information and network infrastructure, for example) and how to protect them. It also encompasses detection strategies and response and recovery strategies.
DORA, following NIST standards, aims to require the boards of supervised financial sector entities to follow a structured approach to implementing and enforcing cyber security services. This means completing proper risk assessments so they can decide how they are going to accept or address risks.
DORA is also designed to help financial sector companies avoid single points of failure, such as relying on a single service provider. DORA is a push rather than a shake-up of the sector, but it is likely to trigger debate among larger players about whether they can do it all themselves or should outsource DORA compliance to an expert.
Certainly, smaller financial entities with fewer resources and staff will think more about outsourcing the back office, for example, but that means relying on third-party service providers to already have all the security controls and everything else that is required in place.
It is common to look to outsourcing as a way to reduce costs. However, the big banks have much greater resources, staff and the knowledge to do a lot of things themselves.
Of course, DORA doesn’t just apply to banks. Small asset managers, for example, won’t have their own full security operations centre (SOC). Many small organisations will outsource the SOC function, so they have a service provider to keep an eye on those systems from a security perspective.
Is DORA about compliance?
It is not black and white. DORA is more about setting a clear path of classic supervision than about ticking the boxes.
There will be financial entities that do not have good answers for the supervisors, and they will be deemed non-compliant. They will have to show a remediation plan setting out how they intend to improve and address their non-compliant areas.
The cyber threat landscape is evolving so fast that organisations have to look forward. They have to anticipate what could happen in the future, and test themselves. The culture needs to move away from asking ‘Am I compliant?’ and more towards learning and evolving. Yes, things will go wrong, but we can ask what was learned when they went wrong, and what can be done to prevent it in the future.