The European Commission has published a legislative proposal for a regulation on Digital Operational Resilience in the EU financial services sector ("DORA"). It is designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements throughout the financial sector to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risks for their operations.
DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. The proposed legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats. The proposal also introduces an oversight framework for critical third-party providers, such as cloud service providers.
Once the Act is finalised and implemented towards the end of 2022, it will then be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities, such as the Malta Financial Services Authority (MFSA), will take the role of compliance oversight and enforce the regulation as necessary.
The essence of DORA is divided across 5 core pillars that address various aspects or domains within ICT and cyber security, providing a comprehensive digital resiliency framework for the relevant entities.
Which entities are impacted by the regulation?
How can you start preparing for DORA?
Once DORA is passed into law, financial institutions have one year to reach a compliant status with the regulation’s requirements in a way that is proportionate to their size and business profile, as well as compliant with the relevant technical standards developed by the ESAs. Entities that are identified as being exposed to higher degrees of cyber risk will have an additional 36 months from the entry date to prepare and conduct advanced penetration tests such as a red team assessment.
While DORA will bring about new and more defined requirements than ever before, the expectations of mature ICT and security risk management practices within the financial sector has been a constant theme pushed down by both the relevant ESAs as well as the MFSA locally. Guidelines such as the MFSA “Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements” that was published in December 2020. Therefore, now is the perfect time to leverage such guidelines as a benchmarking tool to better prepare for what 2022 will bring about. By conducting comprehensive gap assessments and identifying areas that require further investment and maturity, your business will be in a better position to address more complex requirements such as supply risk management, threat intelligence, and advanced security testing.
Get in touch to find out how we can help you.