Digital Operational Resilience Act (DORA regulation) impact on financial institutions

What does the Digital Operational Resilience Act (DORA) mean for financial institutions looking to future-proof their IT environment? A look at the legislative framework and how it works in practice with third-party tools and partners.


What is DORA?

In January 2023, the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) entered into force, reshaping the regulatory landscape for cybersecurity in financial institutions across the EU. DORA consolidates existing national and European rules on ICT risk management with new requirements, in order to establish a single framework for strengthening resilience against cyber threats in the financial sector and its ICT supply chain. At the same time, DORA standardises and harmonises the overarching ICT risk management requirements that apply to financial institutions (FIs). Because it is a regulation rather than a directive, it applies directly in every member state without national transposition. Full DORA compliance is expected from 17 January 2025 onwards.

Apart from the five key pillars of DORA (outlined below), the regulation also aims to improve cyber resilience and operational continuity by focusing on the security of the supply chain between financial institutions and their external ICT providers, including compliance orchestrators like Harmoney.

The DORA regulation framework for financial institutions ties neatly into the broader European NIS2 directive, which is geared towards improving cybersecurity across a range of critical sectors. As a pivotal industry in the European economic landscape, finance is spearheading the implementation of ICT risk management and cyber resilience controls. Where the sector-specific DORA requirements for financial institutions are more detailed, they take precedence over the more general NIS2 requirements (DORA is the lex specialis for financial entities). In any case, comprehensive cybersecurity and transparency requirements for both FIs and their entire business network will soon be in full effect.

5 key pillars of DORA regulation in finance

The foundation of the DORA legislation rests on five pillars that outline different operational resilience requirements for financial players:

</gre_replace_placeholder_never_used>

1. IT incident management and reporting

FIs must promptly inform the relevant competent authorities about major ICT-related incidents and, on a voluntary basis, about significant cyber threats. While some existing legislation already covers incident notification, DORA introduces standardised criteria for classifying incidents by materiality and a harmonised process and set of templates for reporting them to national supervisors and, through them, to the European Supervisory Authorities (ESAs).

2. Digital operational resilience testing

FIs must establish a ‘comprehensive digital operational resilience testing programme as an integral part of their ICT risk management framework,’ according to the official text. The goal is to require financial players to develop risk-based resilience testing programmes that are proportionate to the size and risk profile of their organisation, including, for the largest entities, advanced threat-led penetration testing.

3. IT risk management

This DORA regulation component focuses on the necessity of implementing a well-structured system for identifying, protecting against, detecting, responding to and recovering from ICT risk. Financial players must take a proactive approach in creating an ICT risk management framework and embedding it in their overall digital operational resilience strategy. Critical components are the ultimate responsibility of the management body for ICT risk, an independent control function that oversees ICT risk, and regular internal audit of the framework.

4. Third-party risk management

DORA introduces a more structured approach for the financial sector to manage third-party ICT risk. All financial entities must maintain an up-to-date register of information covering their ICT third-party providers and the contracts they hold with them, distinguishing services that support critical or important functions. Sufficient due diligence before entering into a contractual relationship is also a requirement, along with mandatory contractual clauses covering, among other things, data access, security, service levels, audit rights and exit strategies. In addition, ICT providers that are deemed critical to the financial sector fall under a dedicated EU-level oversight framework run by the ESAs.

5. Information and intelligence sharing

DORA encourages financial institutions to exchange information and intelligence about cyber threats amongst themselves in order to improve the digital operational resilience of all financial entities. The framework stipulates that this exchange should take place within ‘trusted communities of financial entities’ and under previously established information-sharing arrangements that protect sensitive information, uphold confidentiality and respect competition and data protection rules.

Harmoney offers a cutting-edge digital platform that streamlines intricate onboarding and compliance procedures, featuring automated screening functionalities. Interested in discovering more about our innovative solution? Reach out to us for further details!