The financial sector’s increasing reliance on digital technology has exposed it to new security challenges.

According to Statista, around 19% of all cyber-attacks worldwide in 2022 targeted the finance sector, the second highest share after the manufacturing industry. The use of digital systems to streamline operations and make them more efficient has increased the risk of ICT (Information and Communications Technology) attacks such as phishing, ransomware, malware, DDoS (Distributed Denial of Service) attacks, and more, all of which have serious consequences for the affected financial entity and everyone associated with it.

“Despite the growing urgency and severity of the situation, there is not one comprehensive European framework to address the growing menace of ICT attacks on financial organisations. Until now, financial institutions in the EU managed their operational risks based on individual budgets. This often left them vulnerable to the more sophisticated ICT-related disruptions,” says Nick Munro, Technology Director at Blue Cube Security. “But it is all about to change with the introduction of the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554).”

Under the new legislation, all covered EU financial entities will need to follow rules governing their protection, detection, containment, recovery, and repair capabilities for ICT-related incidents.

DORA will apply from 17 January 2025 and provides a specific set of criteria and instructions for financial organisations to manage ICT and cyber risks more efficiently. It is part of Europe’s Fit for Digital Age Programme, which aims to harmonise regulations for financial organisations and contribute to Europe’s successful digital transformation.

The five key focus areas of DORA will be:

1) ICT Risk Management
2) Reporting on ICT-related Incidents
3) Digital Operational Resilience Testing
4) Management of Third-Party Risk
5) Information and Intelligence Sharing

“DORA is the answer to the evolving cyber threat landscape that can cause financial losses, data breaches, operational disruptions, and reputational damage in the financial services sector across Europe,” adds Nick Munro. “It is the right time for EU-based financial firms to start implementing all the requirements stated in the regulation to ensure complete compliance by the end of the 24-month implementation period. Once implemented, organisations can benefit from enhanced cybersecurity and risk management, regulatory harmonisation, better adaptability and flexibility towards new technologies, improved ICT-related incident detection and response, better customer data protection, and most importantly, improved operational consistency.”

The Digital Operational Resilience Act is a step in the right direction for bolstering the crucial financial services sector and making it more resilient to evolving cyber threats. Full compliance by all financial firms, big and small, will ensure regulatory harmonisation across Europe.

What Does It Mean For Businesses In The UK?

ICT-related incidents are becoming increasingly common across the world. In the UK itself, almost 40% of businesses reported experiencing a cyber-attack in 2022. In the absence of a comprehensive regulation that covers all financial companies, both big and small, businesses will continue to suffer financial and reputational losses when they are attacked. A regulation like DORA, which requires strict compliance and the necessary investment in cybersecurity by all companies within a sector, can work wonders for businesses in the UK and help strengthen their defences against current and emerging cyber threats.

The UK government has hinted that it will legislate for a UK equivalent of the EU’s Digital Operational Resilience Act (DORA) in the coming year. It plans to introduce new laws that enable resilient outsourcing to technology providers in the financial services sector – something similar to what is proposed in the EU’s DORA. A UK-specific DORA can boost the security and operational resilience of financial firms in the UK.

Are you a financial organisation looking to implement DORA but need guidance or advice on where to start? Get in touch at