DORA Act Explained
Proposed by the EU, DORA aims to improve the financial services sector’s cybersecurity and operational resiliency while further fortifying existing legislation, including the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).
Originally, DORA was part of a set of initiatives launched by the European Commission to digitize the banking sector by advancing innovation and competitiveness within the European Financial Sector.
The trio of European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA) – was responsible for establishing the technical standards to be followed by financial services institutions.
The Act also brought banking, insurance, and asset management companies under its purview to ensure complete compliance.
Specific Objectives of DORA
DORA is the EU’s shield to protect the financial sector across member states against Information and Communications Technology (ICT) incidents. It works by imposing rigorous and prescriptive rules that apply to crucial ICT third-party providers that offer services to financial institutions, such as cloud platforms, data analytics, and audit services.
In a nutshell, DORA's mission is to give the financial sector the capability to endure, react to, and recover from the negative impact of ICT incidents without affecting critical tasks or inconveniencing consumers. DORA's success depends on strict adherence to robust measures and protocols covering systems, tools, and third parties. Equally, it requires appropriate operational continuity plans whose efficacy is continuously verified.
DORA's overarching objective – to increase the operational resilience of digital systems – includes new requirements as well as the streamlining and updating of existing regulations. The goals of note include:
- Strengthening the financial sector's resilience to ICT-related incidents through the introduction of targeted and prescriptive requirements that are uniform across all EU member states. Indeed, the UK regulators are already issuing their own versions of this regulation.
- Bringing ICT third-parties providing services to financial institutions within the new regulations.
- Ensuring organizations can withstand, respond to, and overcome the impact of ICT incidents, guaranteeing the delivery of critical functions and mitigating disruption for customers and the system at large.
- Providing realizable solutions by establishing robust measures and controls on systems, tools, and third parties, executing operational continuity plans, and testing their effectiveness on an ongoing basis.
To achieve its objectives, DORA uses precise criteria, templates, and directions that inform and educate enterprises on ways to manage ICT and cyber risks. It also underscores the importance of EU regulators remaining active on the topic, with a substantial focus on standardized formats to fulfill the conditions for reporting, communication, and assessments. At its core lies one consistent, overarching approach across all the relevant sectors.
By spanning the core aspects and domains of ICT and cyber security, DORA provides a comprehensive digital resilience framework for the relevant entities. An outline of the critical elements, which together establish a set of requirements for the ICT risk management framework, is given below:
- Routinely track ICT risks across all sources to ensure remediation through appropriate protection and prevention measures.
- Establish and maintain robust ICT systems and technologies to reduce risk.
- Deploy dedicated and comprehensive business continuity policies and disaster recovery plans to ensure prompt recovery following an ICT-related incident.
- Establish mechanisms to document, learn from, and evolve with each external event.
- Establish mechanisms and processes geared toward prompt detection of abnormal activities.