Preparing for DORA – a new challenge for financial entities

22 December 2023

Preparations underway

The Digital Operational Resilience Act (DORA) establishes the European Union’s new regulatory framework for the management of digital risks in financial markets. You can get a PDF of the regulation from the EU Commission website. It entered into force in January 2023 and must be applied by financial entities across the EU from 17 January 2025. Needless to say, with only a year left before the deadline to apply the regulation, time is tight for the financial entities preparing for DORA. More than 50 authorities, including national authorities, the European Central Bank and the European Union Agency for Cybersecurity (ENISA), are working on the policy products and regulatory technical standards mandated by DORA. Moreover, businesses across the board are gearing up to support financial entities in implementing the provisions of the regulation.

Ambitious goals in a short timeline

DORA goes beyond the goal of achieving ICT risk management and information security. Instead, it aims to secure digital operational resilience across the entire financial ecosystem. Moreover, the regulation comes with some hefty financial penalties. Note that DORA itself leaves the detailed level of administrative penalties for financial entities to Member States (Article 50), so the exact amounts depend on national transposition; commonly cited figures are fines of up to 2% of an entity’s total annual worldwide turnover and, in the case of an individual, up to EUR 1,000,000. The amount of the fine will depend on the severity of the violation and the financial entity’s cooperation with authorities. DORA’s requirements focus on ensuring the existence of strategies, frameworks, and governing processes to achieve digital operational resilience. This contrasts with the ICT guidelines of the European Insurance and Occupational Pensions Authority (EIOPA), which focus on specifying security controls and address governing processes only in broader terms. From this perspective, DORA is not a replacement for the ICT guidelines, but rather a complement to them.

Key challenges

DORA is a cross-sectoral regulation applying to more than 20 different types of financial entities, and it also applies to more than 40 competent authorities. Financial institutions preparing for DORA face five key challenges:

  • establishing a comprehensive ICT risk management framework;
  • establishing digital operational resilience strategy;
  • creating governance processes for classification and reporting of major ICT-related incidents;
  • living up to increased requirements on digital operational resilience testing;
  • managing third parties in their ICT supply chain.

Solutions

How can CanaryBit’s Confidential Cloud help your organisation comply with DORA? CanaryBit’s solutions help solve legal and compliance challenges with state-of-the-art cybersecurity technology. For example, Article 9, paragraph 2 of the regulation states that financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit. Confidential Cloud is a comprehensive end-to-end data protection toolset for cloud infrastructure security and protection of digital assets throughout their lifecycle. This includes protection of data at rest, in transit, and, most novel, in use.

Conclusion

DORA should not be construed as an information security act. Rather, it is a complementary act focused on strategies, frameworks, and governing processes.
