The European Union proposes a new regulation named the Digital Operational Resilience Act ("DORA"). The new Regulation aims to enhance the financial sector's operational resilience in the challenging digital age.
The proposed regulation is expected to apply to a wide range of financial institutions (banks, electronic money institutions, payment service providers etc.). Enhancing the digital strength of financial institutions through the DORA regulation is of utmost importance, since they rely heavily on digital technologies and also face growing cyber threats.
Cyber attacks or technology failures can have significant consequences for financial stability, client protection and the overall economy. By establishing a comprehensive and harmonised framework for operational resilience, the DORA regulation aims to address digital risks and safeguard financial institutions' operations.
The provisions of the proposed Regulation include the following key topics:
Governance and risk management
Financial institutions should establish and preserve a transparent and functional governance system to achieve resilience in their operations. Therefore, among other things, they must develop procedures for delegating duties, performing regular risk assessments, and applying incident management and business continuity policies.
ICT and security management
Financial institutions must identify and control their ICT and security risks, including cyber threats, for example by implementing appropriate measures for data protection, access controls, and incident detection and response.
Outsourcing and third-party risk management
Financial institutions need to ensure that their relationships and contractual arrangements with third parties maintain their operational resilience. Therefore, financial institutions will need to perform due diligence on third-party providers, put in place contractual agreements and arrangements that ensure the provision of adequate services, and monitor and test the robustness of outsourced services at all times.
Incident reporting and response
Financial institutions must notify their competent authorities when significant incidents occur and collaborate to investigate and resolve them. To ensure the detection, containment, and resolution of incidents, they will also need to establish effective incident response procedures and plans.
Testing and scenario analysis
The operational resilience of financial institutions will need to be evaluated via regular testing and scenario analysis. Financial institutions need to test their incident response procedures and plans and conduct simulated exercises covering different types of incidents, each of which can have a different impact on the institution.
The financial sector is projected to be heavily impacted by DORA since financial institutions will have to allocate additional resources and expertise to ensure compliance. However, it is also anticipated to increase consumer protection and strengthen the financial sector's resilience, both of which constitute important priorities in today's digital age.
To sum up, DORA is a proposed regulation that the European Union has put forth in its effort to improve the financial sector's operational resilience. Through its provisions on governance and risk management, ICT and security risk management, outsourcing and third-party risk management, incident reporting and response, and testing and scenario analysis, it establishes a comprehensive and harmonised framework for operational resilience. While it is anticipated to influence the financial sector significantly, it is also expected to increase its resilience and improve consumer protection.