The Digital Operational Resilience Act (DORA) establishes the European Union’s new regulatory framework for the management of digital risks in financial markets. You can get a PDF of the regulation from the EU Commission website. It entered into force in January 2023 and must be applied by financial entities across the EU from 17 January 2025. Needless to say, with only a year left before the deadline to apply the regulation, time is tight for the financial entities preparing for DORA. More than 50 authorities, including national authorities, the European Central Bank and the European Union Agency for Cybersecurity (ENISA), are working on the policy products and regulatory technical standards mandated by DORA. Moreover, businesses across the board are gearing up to support financial entities in implementing the provisions of the regulation.
Ambitious goals in a short timeline
DORA goes beyond the goal of achieving ICT risk management and information security. Instead, it aims to secure digital operational resilience across the entire financial ecosystem. Moreover, this regulation comes with some hefty financial penalties. For example, entities found to be in violation of the Act’s requirements may face fines of up to 2% of their total annual worldwide turnover. In the case of an individual, the maximum fine runs up to EUR 1,000,000. The amount of the fine will depend on the severity of the violation and the financial entity’s cooperation with authorities. DORA’s requirements focus on ensuring the existence of strategies, frameworks, and governing processes to achieve digital operational resilience. This contrasts with the ICT guidelines of the European Insurance and Occupational Pensions Authority (EIOPA), which focus on specifying security controls and address governing processes only in broader terms. From this perspective, DORA is not a replacement for the ICT guidelines, but rather a complement to them.
DORA is a cross-sectoral regulation applying to more than 20 different types of financial entities. Moreover, it also applies to more than 40 competent authorities. Financial institutions preparing for DORA face 5 key challenges:
- establishing a comprehensive ICT risk management framework;
- establishing a digital operational resilience strategy;
- creating governance processes for classification and reporting of major ICT-related incidents;
- living up to increased requirements on digital operational resilience testing;
- managing third parties in their ICT supply chain.
How can CanaryBit’s Confidential Cloud help your organisation comply with DORA? CanaryBit’s solutions help solve legal and compliance challenges with state-of-the-art cybersecurity technology. For example, the regulation text states in Article 9, paragraph 2 that financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit. Confidential Cloud is a comprehensive end-to-end data protection toolset for cloud infrastructure security and protection of digital assets throughout their lifecycle. This includes protection of data at rest, in transit, and, most novel, in use.
DORA should not be construed as an information security act. Rather, it is a complementary act focused on strategies, frameworks, and governing processes.