Are you ready for the new EU DORA regulations?

The EU’s Digital Operational Resilience Act (DORA) applies from January 2025. Its aim is to ensure that companies and institutions active in the EU financial sector are prepared to withstand operational disruption and cyberattacks.

DORA will have significant implications for financial services organisations. Under DORA’s mandate, financial organisations and any of their IT, cybersecurity or identity management providers must meet its requirements by 17 January 2025 in order to mitigate ICT risk across the financial landscape.

Many Kantara Initiative members and assurance program clients provide IT or cybersecurity services to EU financial organisations. Most will be gearing up to meet the requirements of DORA by the January deadline. Some, however, still find themselves struggling to get everything in line now that there is just a month to go and much still to do.

In our regular communications with clients, we find that many still have questions about how DORA might impact organisations based outside the EU.

In short: while DORA is addressed to financial entities operating in the EU, its requirements extend to the ICT third-party service providers those entities rely on, irrespective of where the provider is located. This means that any third-party ICT service (including data analytics, payments, data centre services or cloud software) provided from outside the EU may still fall into scope if it is used by an EU financial entity. Likewise, any US-based financial institution with subsidiaries or suppliers in the EU should be aware of the implications.

What is DORA?

Put simply, it is a regulatory initiative imposed by the EU to harmonise Information and Communication Technology (ICT) risk requirements in the financial services industry across Europe. Its objective is to ensure a more resilient and robust risk position for all financial services providers. The result is a detailed and comprehensive framework built on five pillars:

  • ICT risk management and governance
  • ICT-related incident reporting
  • digital operational resilience testing
  • ICT third-party risk management
  • information sharing

As a community of identity professionals, we fully support any regulation intended to enhance the digital operational resilience of financial entities so they can prevent, mitigate, respond to and recover from cyber threats and all types of ICT-related disruption. In many ways DORA simply puts into law standards and guidelines that financial service providers should already follow as best practice.

Resilience is the key word. Many US-based companies will be well aware of the “Interagency Paper on Sound Practices to Strengthen Operational Resilience”, issued jointly by the Federal Reserve, the OCC and the FDIC in October 2020. Much of the DORA framework mirrors the Operational Risk Management, Business Continuity and Third-Party Risk Management practices identified in the Interagency Paper. The management of secure and resilient information systems underpins operational resilience. Without these measures, financial institutions will remain vulnerable to disruption, with far-reaching consequences for the financial industry.

DORA overlaps in several ways with other EU legislation, such as the Directive on the Resilience of Critical Entities (CER) and the Directive on Network and Information Security (NIS2). For financial entities DORA takes precedence over NIS2 as the sector-specific rule, but groups that also operate outside the financial sector may find they need to comply with both.

Who must comply with the Digital Operational Resilience Act (DORA)?

DORA applies to the categories of financial entity listed below regardless of size. Microenterprises (fewer than 10 staff and an annual turnover and/or balance sheet total not exceeding €2 million) remain in scope but benefit from a lighter, proportionate regime, so size reduces the burden rather than removing the obligation. The Regulation applies to the following entities:

  • credit institutions
  • payment institutions, including those exempted under Directive (EU) 2015/2366
  • account information service providers
  • electronic money institutions, including those exempted under Directive 2009/110/EC
  • investment firms
  • crypto-asset service providers authorised under the Regulation on markets in crypto-assets (MiCA, Regulation (EU) 2023/1114) and issuers of asset-referenced tokens
  • central securities depositories
  • central counterparties
  • trading venues
  • trade repositories
  • managers of alternative investment funds
  • management companies
  • data reporting service providers
  • insurance and reinsurance undertakings
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • institutions for occupational retirement provision
  • credit rating agencies
  • administrators of critical benchmarks
  • crowdfunding service providers
  • securitisation repositories
  • ICT third-party service providers

Are there penalties for non-compliance?

There are significant penalties for non-compliance. For financial entities, DORA requires Member States to equip their national competent authorities with powers to impose administrative penalties and remedial measures that are effective, proportionate and dissuasive. For ICT third-party service providers designated as critical, the European Supervisory Authorities (ESAs), acting as Lead Overseer, can sanction the provider directly.

  • Financial entities may be fined up to 2% of their total annual global turnover
  • Individuals can face a fine of up to €1,000,000
  • Critical ICT third-party service providers can be subject to periodic penalty payments of up to 1% of their average daily worldwide turnover, applied daily for up to six months, and fines of up to €500,000 for individuals and €5,000,000 for companies

Since incident reporting is a specific requirement of the legislation, a financial services company may also incur significant fines if it fails to report a major ICT-related incident within the prescribed timelines. (Notification of significant cyber threats, by contrast, is voluntary under DORA.)

How can Kantara Initiative help?

It is part of our commitment to our members to keep abreast of the various standards, legislation and directives that may apply across our community. We are always keen to help members navigate the ever-changing landscape. If you are concerned about how DORA may affect you, please contact us to discuss.

Next month we will be talking about how NIS2 affects the Essential Entities (EE) in the Digital Infrastructure sector and the Important Entities (IE) among Digital Providers.