Digital Operations Resilience Act (DORA regulation) impact on financial institutions

What does the Digital Operations Resilience Act (DORA) mean for financial institutions looking to future-proof their IT environment? A look at the legislative framework and how it works in practice with third-party tools and partners.


What is DORA?

In 2023, the Digital Operations Resilience Act (DORA regulation) came into effect, reshaping the regulatory landscape for cybersecurity in financial institutions across the EU. DORA blends existing national and European legislation on IT risk management with new regulations in an attempt to establish a clear framework for boosting cyber threat resilience in the financial sector and beyond. At the same time, DORA helps to standardise and harmonise overarching IT management requirements within financial institutions (FIs). Full DORA compliance will be expected from January 2025 onwards.

Apart from the five key points of DORA (outlined below), the regulation also aims to improve cyber resilience and operational continuity by focusing on supply chain security between financial institutions and their external partners, including compliance orchestrators like Harmoney.

The DORA regulation framework for financial institutions ties neatly into the broader European NIS2 legislation, geared towards improving cybersecurity across various sectors. As a pivotal industry in the European economic landscape, finance is spearheading the implementation of IT risk management and cyber resilience tools. Where sector-specific DORA guidelines for financial institutions are more detailed, they will take precedence over the more general NIS2 guidelines. In any case, comprehensive cyber and transparency requirements for both FIs and their entire business network will soon be in full effect.

5 key pillars of DORA regulation in finance

The foundation of the DORA legislation rests on five pillars that outline different operational resilience requirements for financial players:

1. IT incident management and reporting

FIs should inform the relevant authorities promptly about IT breaches, incidents and cyber threats. While some existing legislation already covers this, DORA outlines standardised methods for classifying the severity of incidents and for sending the required information to the European Supervisory Authorities (ESAs) and national supervisors.

2. Digital operational resilience testing

FIs must establish a ‘comprehensive digital operational resilience testing programme as an integral part of their ICT risk management framework,’ according to the official text. The goal is to force financial players to develop risk-oriented resilience programs, tailored to the size of their organisation.

3. IT risk management

This DORA regulation component focuses on the necessity of implementing a well-structured system for risk management and detection. Financial players must take a proactive approach in creating an IT risk management framework and embedding it in their overall digital operational resilience strategy. Critical components are the assignment of a dedicated IT risk manager role and regular internal auditing.

4. Third-party risk management

DORA introduces a more streamlined approach for the financial sector to manage third-party risks. All financial entities must maintain an up-to-date information register of their third-party IT providers and the contracts they have with them. Sufficient due diligence before entering into a professional relationship is also a requirement, along with data access and security clauses in contracts with providers.

5. Information and intelligence sharing

DORA encourages financial institutions to exchange information and intelligence amongst themselves about cyber threats to improve the digital operational resilience of all financial entities. The framework stipulates that this should take place within 'trusted communities of financial entities' and according to previously established information-sharing arrangements that protect sensitive information and uphold confidentiality.

DORA regulation compliance in practice: how we do it at Harmoney

Tying the key pillars above back to the current situation in the financial world, EU-based organisations are in the midst of adapting themselves to this new reality. At Harmoney, our core reason for existence is to make customer due diligence and lifecycle management easier for banks, brokers and other financial institutions. Below are examples of three DORA key pillars in practice for financial institutions in relation to our own modular Harmoney compliance platform.

Harmoney offers a cutting-edge digital platform that streamlines intricate onboarding and compliance procedures, featuring automated screening functionalities. Interested in discovering more about our innovative solution? Reach out to us for further details!