Digital Operational Resilience Act (DORA regulation) impact on financial institutions

What does the Digital Operational Resilience Act (DORA) mean for financial institutions looking to future-proof their IT environment? A look at the legislative framework and how it works in practice with third-party tools and partners.

Data sharing in financial services

What is DORA?

In 2023, the Digital Operational Resilience Act (DORA regulation) came into effect, reshaping the regulatory landscape for cybersecurity in financial institutions across the EU. DORA blends existing national and European legislation on IT risk management with new requirements in an attempt to establish a clear framework for boosting cyber threat resilience in the financial sector and beyond. At the same time, DORA helps to standardise and harmonise overarching IT management requirements within financial institutions (FIs). Full DORA compliance will be expected from January 2025 onwards.

Apart from the five key pillars of DORA (outlined below), the regulation also aims to improve cyber resilience and operational continuity by focusing on supply chain security between financial institutions and their external partners, including compliance orchestrators like Harmoney.

The DORA regulation framework for financial institutions ties neatly into the broader European NIS2 legislation, geared towards improving cybersecurity across various sectors. As a pivotal industry in the European economic landscape, finance is spearheading the implementation of IT risk management and cyber resilience tools. Where sector-specific DORA guidelines for financial institutions are more detailed, they will take precedence over the more general NIS2 guidelines. In any case, comprehensive cyber and transparency requirements for both FIs and their entire business network will soon be in full effect.

5 key pillars of DORA regulation in finance

The foundation of the DORA legislation rests on five pillars that outline different operational resilience requirements for financial players:

1. IT incident management and reporting

FIs should inform the relevant authorities promptly about IT breaches, incidents and cyber threats. While some legislation already covers this, DORA sets out standardised methods for classifying incidents by size and impact and for sending the required information to the European Supervisory Authorities (ESAs) and national supervisors.

2. Digital operational resilience testing

FIs must establish a ‘comprehensive digital operational resilience testing programme as an integral part of their ICT risk management framework,’ according to the official text. The goal is to require financial players to develop risk-oriented resilience programmes, tailored to the size of their organisation.

3. IT risk management

This DORA regulation component focuses on the necessity of implementing a well-structured system for risk management and detection. Financial players must take a proactive approach in creating an IT risk management framework and embedding it in their overall digital operational resilience strategy. A critical component is the assignment of a dedicated IT risk manager role and internal auditing.

4. Third-party risk management

DORA introduces a more streamlined approach for the financial sector to manage third-party risks. All financial entities must maintain an up-to-date information register of their third-party IT providers and the contracts they have with them. Sufficient due diligence before entering into a professional relationship is also a requirement, along with data access and security clauses in contracts with providers.

5. Information and intelligence sharing

DORA encourages financial institutions to exchange information and intelligence amongst themselves about cyber threats to improve the digital operational resilience of all financial entities. The framework stipulates that this should take place within ‘trusted communities of financial entities’ and according to previously established information-sharing arrangements that protect sensitive information and uphold confidentiality.

DORA regulation compliance in practice: how we do it at Harmoney

Tying the key pillars above back to the current situation in the financial world, EU-based organisations are in the midst of adapting themselves to this new reality. At Harmoney, our core reason for existence is to make customer due diligence and lifecycle management easier for banks, brokers and other financial institutions. Below are examples of three DORA key pillars in practice for financial institutions in relation to our own modular Harmoney compliance platform.

Open communication and data sharing with Harmoney

How do we tap into the need for data sharing at Harmoney? A few key benefits of our compliance orchestration platform:

1. IT incident management and reporting

Under the DORA regulation, management and reporting standards for IT incidents are strictly regulated. As a critical process outsourcing provider, our Harmoney compliance platform incorporates comprehensive incident management and reporting. This includes continuous incident monitoring, contingency measures and both automated and manual reporting. Any processes that FIs choose to outsource to Harmoney are fully DORA-compliant, ensuring full regulatory coverage.

2. Digital operational resilience testing

The Harmoney platform comes equipped with resilience safeguarding tools at both infrastructure and application levels. Risk monitoring and service desk reporting ensure compliant day-to-day management. Policies are updated quarterly, and annual risk assessments guarantee accurate threat analysis. Moreover, regular external auditing provides an additional layer of security. At the same time, verified Business Continuity & Disaster Recovery Planning (BCP/DRP) scenarios are in place.

3. IT risk management

Our Harmoney IT risk management framework takes the load off financial institutions by handling risk management for all critical internal processes that run through our platform. All related compliance risks are fully covered and managed, making the banks and brokers that rely on us fully DORA-compliant in this aspect.

4. Third-party risk management

We built the Harmoney platform on a foundation of resilient and secure software technology, as recognised by the ISO/IEC 27001:2022 security standard certification (which defines the secure and transparent processing and storage of all data). This keeps the customers of our compliance platform safe in the knowledge that their risk vector through us as a third-party platform is minimised, and that their IT risks are fully covered from our side.

5. Information and intelligence sharing

When it comes to exchanging important data amongst financial institutions, Harmoney incorporates electronic data trails and logs. This not only helps our clients to prove that they have executed appropriate due diligence, but it also makes it easier to share log files and other relevant information in a standardised format with other banks, brokers and regulatory authorities when necessary.

Harmoney offers a cutting-edge digital platform that streamlines intricate onboarding and compliance procedures, featuring automated screening functionalities. Interested in discovering more about our innovative solution? Reach out to us for further details!