The Digital Operational Resilience Act

DORA will have a large business impact on critical infrastructure and public authorities monitoring their compliance. The EU is setting up €2 billion to support new cybersecurity initiatives aimed at strengthening cyber resilience.

How is the threat landscape evolving

The growing digitization, outsourcing of services and the resulting blurring of the corporate perimeter put a continuous stress on the whole financial sector. Despite significant investment in ICT security technology, the average cost to financial institutions resulting from operational incidents keeps on increasing. ICT security breaches affecting a market participant in the financial sector are prone to spread within the financial system, given the high level of interconnectedness across financial institutions, financial markets and financial market infrastructures, and particularly the interdependencies of their IT systems. Financial institutions must face this new reality and are forced to deal with new threats, as exemplified by the figures below:

  • Cyber incidents are the number 1 risk in the financial sector*;
  • 13% of all cyber attacks are performed on the financial sector**;
  • Cloud incidents target the financial sector the most***.

To increase the financial sector’s operational resilience, the European Commission – within the framework of the Digital Finance Package – has proposed the Digital Operational Resilience Act (DORA), expected to come into force in 2024. It will enhance and streamline the financial entities’ conduct of ICT risk management, harmonize ICT incident classification and reporting, set EU-wide standards for digital operational resilience testing and introduce powers for financial supervisors to oversee risks stemming from financial entities’ dependency on ICT third-party service providers, by bringing ‘critical ICT third party providers', including cloud service providers, within the regulatory perimeter.

* Allianz Risk Barometer 2021
** Kroll Threat Landscape Report, Q3 2021
*** McAfee ATR Threats Report 2021

Your Focus

The current landscape requires the activation of a set of ICT risk requirements throughout the financial sector to ensure that all participants of the financial system are subject to a common set of standards. The following organisational changes would need to be implemented to meet DORA’s objectives:

About Deloitte Cyber Services

Deloitte supports a large number of stakeholders in the private and the public sector to enhance their cybersecurity posture as well as to achieve compliance with relevant requirements in view of DORA, with the following services:

Support from the EU on Policy Implementation

Our Cyber Services, aimed at supporting entities to comply with DORA, are eligible for (co-)funding by the EU under the Digital Europe Programme (DIGITAL). The budget for the Cybersecurity actions covered by this Work Programme is EUR 269 million distributed as follows:

  • A budget of EUR 177 million for actions related to the “cyber-shield” announced in the EU Cybersecurity Strategy, including Security Operation Centres (SOC);
  • A budget of EUR 83 million for actions supporting the Implementation of relevant cybersecurity EU Legislation;
  • A budget of EUR 9 million for programme support actions, including evaluations and reviews.

In addition, actions supporting the deployment of the Secure Quantum Communication nfrastructures (QCI) are included in the Digital Europe Work Programme for 2021-2022, with an indicative budget of EUR 170 million.

Our experts on DORA can advise you on how to apply for  EU funding to develop actions aimed at strengthening cyber capabilities in the EU financial sector.

Did you find this useful?