On 28 November 2022, the EU Council adopted the Regulation on digital operational resilience for the financial sector (DORA).
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and the accompanying Directive (EU) 2022/2556 (which amends existing financial-sector directives as regards digital operational resilience), both dated 14 December 2022, were published in the Official Journal of the EU on 27 December 2022.
DORA imposes obligations on both financial entities and ICT third-party service providers, including those designated as 'critical' ICT third-party service providers (see our previous articles on this topic). It consolidates and upgrades firms' capacity to withstand disruptions and threats related to information and communication technology (ICT) through, among other things:
A sound ICT-risk management framework
The use and ongoing maintenance of appropriate and reliable ICT systems, protocols and tools
The identification, classification and adequate documentation of all ICT supported business functions, roles and responsibilities, as well as the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk
Protection and prevention, through the continuous monitoring and control of the security and functioning of ICT systems and tools, and the design and implementation of ICT security policies, procedures, protocols and tools aimed at ensuring the resilience, continuity and availability of ICT systems
Implementation of mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure
Implementation of a comprehensive ICT business continuity policy for timely response and recovery actions
Development and documentation of backup policies and procedures, restoration and recovery procedures and methods to ensure the restoration of ICT systems and data with minimum downtime, limited disruption and loss
Learning and evolving, including the capabilities and staff to gather information on vulnerabilities, cyber threats and ICT-related incidents. Post-incident reviews must also be carried out after a major ICT-related incident to analyse its causes and identify the improvements required to ICT operations.
Implementation of an ICT-related incident management process to detect, manage and notify ICT-related incidents
Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Requirements for the performance of digital operational resilience testing (e.g. testing of ICT tools and systems…)
Management of ICT third-party risk
‘Financial entity’ is defined to include a broad range of entities, such as investment firms, management companies, payment institutions, banks, insurance companies and crypto-asset service providers.
DORA will apply from 17 January 2025.