Digital Operational Resilience Act (DORA regulation): impact on financial institutions

What does the Digital Operational Resilience Act (DORA) mean for financial institutions looking to future-proof their IT environment? A look at the legislative framework and how it works in practice with third-party tools and partners.


What is DORA?

The Digital Operational Resilience Act (DORA regulation, Regulation (EU) 2022/2554) entered into force on 16 January 2023, reshaping the regulatory landscape for cybersecurity in financial institutions across the EU. DORA consolidates existing national and European rules on ICT risk management with new requirements, establishing a single framework for cyber threat resilience in the financial sector. At the same time, it standardises and harmonises the overarching ICT management requirements that apply within financial institutions (FIs). Full DORA compliance is expected from 17 January 2025, the date from which the regulation applies.

Apart from the five key pillars of DORA (outlined below), the regulation also aims to improve cyber resilience and operational continuity by focusing on supply chain security between financial institutions and their external partners, including compliance orchestrators like Harmoney. DORA is a regulation rather than a directive, so it applies directly in every EU member state without national transposition.

The DORA regulation framework for financial institutions ties neatly into the broader European NIS2 directive, which is geared towards raising cybersecurity across many sectors. As a pivotal industry in the European economic landscape, finance is at the front of implementing ICT risk management and cyber resilience tooling. Where the sector-specific DORA rules for financial institutions are more detailed, they take precedence over the more general NIS2 requirements (DORA is lex specialis to NIS2). In any case, comprehensive cybersecurity and transparency requirements for both FIs and their entire supplier network will soon be in full effect.

5 key pillars of DORA regulation in finance

The foundation of the DORA legislation rests on five pillars that outline different operational resilience requirements for financial players:

1. IT incident management and reporting

FIs must report major ICT-related incidents promptly to their competent authority, and may voluntarily notify significant cyber threats. While some existing legislation already covers incident reporting, DORA standardises how incidents are classified and how the required information is submitted to competent authorities and, through them, to the European Supervisory Authorities (ESAs). In January 2024, the ESAs published a crucial first set of technical standards on incident management and classification, setting out the criteria for classifying major ICT-related incidents and significant cyber threats.

2. Digital operational resilience testing

FIs must establish, maintain and review a 'comprehensive digital operational resilience testing programme as an integral part of their ICT risk management framework', according to the official text. The goal is to make financial players develop risk-based testing programmes proportionate to their size and risk profile, covering tests such as vulnerability assessments and scans, scenario-based tests and penetration testing. For financial entities designated by their competent authority, the programme must also include threat-led penetration testing (TLPT) at least every three years.

3. IT risk management

This DORA component focuses on implementing a well-structured system for managing and detecting ICT risk. Financial players must take a proactive approach: create an ICT risk management framework and embed it in their overall digital operational resilience strategy. Critical components are assigning responsibility for managing ICT risk to an independent control function, keeping the management body ultimately accountable for ICT risk, and subjecting the framework to regular internal audit.

4. Third-party risk management

DORA introduces a more streamlined approach for the financial sector to manage third-party ICT risk. All financial entities must maintain an up-to-date register of information on their third-party ICT providers and the contracts they have with them, and make it available to their supervisor on request. Sufficient due diligence before entering into a contractual relationship is also required, along with mandatory contract clauses covering, among other things, data access and security, service levels, audit and access rights, and termination. Third-party ICT providers designated as critical additionally come under direct oversight by the ESAs.

5. Information and intelligence sharing

DORA encourages financial institutions to exchange cyber threat information and intelligence amongst themselves to improve the digital operational resilience of all financial entities. The framework stipulates that this should take place within 'trusted communities of financial entities' and under previously established information-sharing arrangements that protect sensitive information, uphold confidentiality and respect data protection and competition rules.

DORA regulation compliance in practice: how we do it at Harmoney

Tying the key pillars above back to the current situation in the financial world, EU-based organisations are in the midst of adapting to this new reality. At Harmoney, our core reason for existence is to make customer due diligence and lifecycle management easier for banks, insurers and other financial institutions. Below are examples of how the DORA pillars work in practice for financial institutions that use our modular Harmoney compliance platform.

1. IT incident management and reporting

Under DORA, the management and reporting of ICT-related incidents are strictly regulated, and an FI remains responsible for its own reporting obligations even when a process is outsourced. As an outsourcing provider for critical processes, the Harmoney compliance platform incorporates comprehensive incident management and reporting: continuous incident monitoring, contingency measures, incident handling, and both automated and manual reporting. This gives FIs the timely incident information they need to meet their DORA obligations for every process they digitise through the Harmoney platform.

2. Digital operational resilience testing

The Harmoney platform comes with resilience safeguards at both infrastructure and application level. Risk monitoring and service desk reporting support compliant day-to-day operations. Policies are reviewed quarterly and risk assessments are carried out annually to keep the threat analysis current. Regular external audits provide an additional layer of assurance, and tested Business Continuity and Disaster Recovery (BCP/DRP) scenarios are in place.

3. IT risk management

Our Harmoney ICT risk management framework takes load off financial institutions by covering risk management for the critical functions and processes routed through our platform. As a third-party provider to FIs that rely on Harmoney, the platform is a stakeholder in their risk governance processes. The compliance risks related to those functions are handled by Harmoney, which supports the DORA compliance of the financial institutions that rely on the platform; under DORA, the financial entity itself remains ultimately responsible for its own compliance.

4. Third-party risk management

We built the Harmoney platform on a foundation of resilient and secure software technology, operating under our own Information Security Management System (ISMS). As part of this ISMS, we have implemented a robust risk management framework that complies with ISO/IEC 27001:2022, the latest version of the standard. The 2022 revision was designed with current risks and cloud deployments in mind, and it puts particular emphasis on information security in supplier and partner relationships, which aligns with DORA's third-party risk requirements.

5. Information and intelligence sharing

Harmoney takes part in the trust-based community of financial institutions and regulators. In both compliance and cybersecurity, it is crucial to join forces and exchange best practices: this is how the intertwined challenges of money laundering, terrorism financing and cyberattacks can be tackled. With a particular focus on operational resilience, Harmoney is committed to ongoing information exchange with clients, to further improve our processes and services for the financial industry.

Harmoney offers a cutting-edge digital platform that streamlines intricate onboarding and compliance procedures, featuring automated screening functionalities. Interested in discovering more about our innovative solution? Reach out to us for further details!