DORA – Operational resilience for the entire financial sector
Harmonised and intensified rules for the entire financial sector
DORA, the Digital Operational Resilience Act, is a new regulatory framework for the entire financial sector aimed at harmonising existing national and EU legislation in the field of IT and cybersecurity. The regulation will come into effect for all member states in January 2025, at which point all financial actors, except for so-called micro-enterprises, must comply with DORA.
The harmonising nature of DORA likely comes as a relief to many, as it aims to lighten the administrative burden that currently entails multiple reporting obligations for certain financial actors. DORA is, in fact, lex specialis in relation to the NIS 2 Directive. This means that when DORA and NIS 2 cover the same subject, organisations subject to both will need to refer to the provisions in DORA rather than those in NIS 2. It is important to note that DORA does not override existing requirements and guidelines concerning suppliers as laid out in current EU legislation such as CRD, MiFID II and Solvency II. Instead, it clarifies and complements the existing requirements to provide clarity regarding supplier relationships.
Regarding the relation to PSD2, the requirement for incident reporting will cease. Instead, payment service providers are expected to report all operational or security-related incidents related to payments under DORA, regardless of whether these incidents are ICT-related or not. It is noteworthy that DORA does not exempt financial entities from all obligations to report incidents, such as the requirement to report personal data breaches under GDPR.
How can you prepare for DORA?
Following the adoption and publication of DORA at the end of 2022, the ESA, the three joint supervisory authorities of the EU in the financial sector, have actively begun developing Regulatory Technical Standards (RTS). These standards aim to deepen understanding and provide details on specific areas of DORA, as well as to establish the use of certain standards or formats. A concrete example is the classification of incidents according to DORA Art. 18, which is specified in detail in one of the RTS planned for release in the first batch in January 2024. These standards are currently out for consultation and have been available in preliminary form since June, while the second batch is expected to be published in November/December.
You can find the consultation here.
The requirements that DORA places on financial actors are gradually becoming clearer, creating good conditions for identifying what gaps exist today. We recommend that our clients begin their gap analysis now to assess whether organisational changes are required to meet DORA's requirements.
A notable difference from previous ESA guidelines is that under DORA, ICT risk must be a management issue. This may require the presence of individuals with strong IT skills in management. The responsibilities of management remain the same regardless of the size of the company, although DORA, like other regulations, includes a principle of proportionality that entails milder requirements for smaller actors. The draft RTS for Art. 15, for example, states that under this principle, financial actors can tailor their ICT risk management framework to their size, risk profile and the complexity of their services. More clarifications of this kind are expected in November/December.
Identifying clear roles and responsibilities may seem like a worn-out mantra, but we still recommend that financial actors begin identifying who is responsible for the various areas of DORA. This is necessary to assess the extent of any potential change process. Who within the organisation is responsible for managing ICT risks (Art. 5), and which functions within the company need to be involved, and how? Following this, an analysis should be conducted of the existing and desired framework for ICT risk management (Art. 6). Only then can the gaps between DORA and existing processes be crystallised. Financial actors have about 14 months to fill these gaps, and it is essential to consider that the RTS must be integrated into both existing and new processes.
We see that larger actors in the Swedish market generally have fewer gaps, as many of DORA's requirements were already present in previous ESA guidelines. For many smaller actors, it may involve entirely new processes that need to be implemented, while for larger actors, it primarily concerns adjustments to organisation and processes.
Omeo is already working on DORA adjustments for a number of clients and has extensive experience in pragmatically driving this type of regulatory project together with our clients.