The Digital Operational Resilience Act, or DORA, is a regulation proposed by the European Commission to increase the financial sector's resilience with regard to digital risks. It aims to harmonise and standardise requirements for the finance and insurance sector regarding cybersecurity, privacy protection and operational resilience. These also include requirements for monitoring and managing IT security risks and recovery and business continuity planning.
The European Commission believes the new legislation is necessary because the ongoing digitalisation process is increasingly exposing financial institutions and insurers to cyberattacks. DORA came into force on 26 January this year. The regulation must now be transposed into national law by 17 January 2025.
Read our latest blog post here to discover what DORA contains and how financial institutions must now prepare for it.
The background to DORA and the goals of the regulation
Digitalisation and networking trends have also entered the financial and insurance sector. Particularly during the pandemic, online banking experienced an enormous upturn. As a result, the cyber risks to financial institutions have also increased dramatically. The geopolitical situation has also played a part in this. Experts anticipate that cyber risks in the financial sector will continue to increase in future. Particular caution is required for financial markets, which are classified as critical infrastructures. If the infrastructure is brought down or disrupted by a successful cyberattack, the trade will be interrupted, and the global economy will grind to a halt.
The DORA regulation will be implemented to counter these threats, harmonise the regulations, and bring existing standards into line by 17 January 2025.
The primary goals of the new regulation DORA are to increase financial companies' ability to withstand cyber risks and other IT disruptions and, secondly, to harmonise requirements throughout the EU. The regulation also aims to improve risk management, monitoring methods, reporting cyber incidents to the authorities, and transparency.
The key requirements that DORA specifies for financial institutions and insurers include the following:
- The introduction of a comprehensive risk management system for monitoring and evaluating digital availability and security.
- Penetration tests will become mandatory. This makes it possible to analyse whether companies are suitably equipped to withstand disruptions and cyberattacks.
- Companies must appoint an IT security officer to establish a clear requirement concerning the governance structure for IT security.
- IT incidents must be reported to the responsible supervisory bodies.
- Third parties, such as cloud providers or providers of PaaS, IaaS or other SaaS, which provide the company's IT services, must be closely monitored.
- The introduction of a binding IT emergency plan to enable swift reactions to IT disruptions and cyberattacks.
- The mandatory implementation of security evaluations when new IT systems or services are introduced.
These measures are designed to help improve the digital readiness and security of financial institutions and insurance companies in the EU and to build consumer and investor confidence in these companies.
What this means for financial and insurance companies
Companies in the financial and insurance sector must already comply with many of the requirements that will come into force due to the DORA regulation. For instance, many DORA elements are already contained in the guidelines issued by the European Banking Authority (EBA) and in the Supervisory Requirements for IT in Financial Institutions (BAIT) issued by the Federal Financial Supervisory Authority (BaFin) in Germany.
To comply with the new requirements, companies must first check the current status of their IT security measures as part of a gap analysis. They can then derive measures that must be fulfilled by the deadline for the inception of DORA to ensure compliance with regulatory and compliance requirements.
In the second step, risk management should be checked. Here, the IT and cyber maturity level and an IT security benchmark should be developed simultaneously. Likewise, conducting training scenarios and penetration tests to simulate a real cyberattack makes sense.
Another important step is to evaluate third parties and their potential risks. Doing so will ensure that the value chain is resilient.
Companies can also look at frameworks such as Threat Intelligence-based Ethical Teaming in Europe and Germany (TIBER-EU/TIBER-DE).
Hand in hand: the customer journey and DORA
The introduction of the new regulation and stricter security standards will not only ensure that banks and insurers are better protected against cyber incidents. Customer data and the customers themselves will also be more secure.
Nevertheless, it is important not to neglect a seamless customer journey when implementing new security standards and measures. For example, (SCA) biometrics can be used to ensure strong customer authentication so that customers can authenticate themselves quickly, easily and securely. What’s more, implementing a strong IAM platform ensures that only authorised persons can access critical and sensitive data.