Banking CIO Outlook

DORA: A New Era for Cyber Security

Laura Quaroni, Head of Privacy & Security, Banca IFIS

On 16 January 2023, the Digital Operational Resilience Act (the DORA Regulation) entered into force. It aims to consolidate and harmonize at European level the main cybersecurity requirements relating to digital operational resilience in the financial sector, and it addresses banks, insurance companies, crypto-asset service providers, other financial institutions and their critical ICT suppliers.

The regulation affects a wide range of corporate subjects and becomes binding on 17 January 2025 (24 months after its entry into force). By that date, banks, insurance companies and crypto-asset operators will have to bring their cybersecurity safeguards into line with it.

The DORA Regulation is already in force, so it is advisable to plan and start the adaptation process now rather than waiting for the application date.

All actors falling within the scope of the DORA Regulation must prepare to implement the regulation, developing or updating their own incident reporting procedures in line with the new regulatory requirements.

The regulation is built on several 'pillars' that companies will have to address, in particular governance and internal organization, ICT risk management, ICT incident management and reporting, and ICT third-party (supplier) risk management.

Financial entities will have to adopt internal cybersecurity governance and a control system such as to guarantee effective and prudent management of all ICT risks in order to achieve a high level of digital operational resilience. They will also need to have a structured, comprehensive and well-documented cyber risk management framework in place.

Numerous provisions have been introduced on the management of incidents related to ICT services. In particular, financial entities will have to establish and implement a management process to monitor and record ICT-related incidents, classify them according to the regulation's criteria, and report major incidents to the competent authorities.

In order to mitigate the risks deriving from the dependence of financial entities on third-party service providers, specific supervisory powers are envisaged to be conferred on the financial supervisory authorities.


In addition to establishing a Europe-wide oversight framework for critical third-party ICT service providers, key contractual aspects will be harmonized to ensure that financial firms monitor the cyber risks arising from their third parties. Furthermore, to ensure adequate monitoring of technology service providers that perform a function critical to the operation of the financial sector, a 'lead' overseer will be designated for each critical third-party ICT service provider. The DORA Regulation is therefore particularly demanding for the suppliers of critical services to financial entities as well, not only for the entities themselves.

This emphasis is consistent with the latest World Economic Forum report (Global Cybersecurity Outlook 2023), which warns companies about third-party risk in the current geopolitical context, since the most recent widely known incidents have heavily involved the supply chain.

Fully aware of the opportunities that the DORA Regulation offers, Banca IFIS has launched a regulatory impact analysis, setting up a multidisciplinary team that draws on resources from various internal functions: technical and organizational, legal, and control functions. This path aims to accelerate the evolution of models and tools in order to ensure compliance with the applicable regulations in force (Supervisory Regulations, DORA, etc.), to define a sustainable route to compliance based on a logic of progressive adaptation, and to prioritize interventions, also taking into account the cybersecurity initiatives already in progress.
