
The Digital Operational Resilience Act (DORA) seeks to establish a framework for promoting stability and security in the financial sector's cyberspace

The financial industry is facing increasing threats from cybercriminals, who, if successful, can compromise large amounts of sensitive financial and personal information. The potential impacts of such attacks can be significant. The European Commission is preparing a single legal framework to harmonize the fight against cyber-attacks.

The objectives of DORA

Although organizations in the financial sector (banks, insurance companies, brokerage firms) operate in a highly integrated and interdependent system, the legal framework for managing IT risks is not uniform across EU Member States and is in many cases difficult to reconcile. The Commission therefore wants to regulate the management of, and response to, IT risks and threats at EU level. Hence the Digital Operational Resilience Act (DORA) has been drafted to set requirements for, and to measure, the resilience of financial organizations to threats from cyberspace.

DORA aims to increase transparency in regulation and to reduce the compliance-related administrative and financial burden on financial institutions. At the same time, DORA introduces new IT security requirements. Financial institutions will be required to test their digital operational resilience regularly, and they will be responsible for managing the risk arising from the third parties that provide them with technology solutions or services.

How DORA works

The final regulations are expected to be adopted in 2022, followed by a planned twelve-month transition period to allow stakeholders to prepare for the application of the rules.

DORA would consist of two separate parts. The first would focus on financial institutions, while the second would focus on companies providing third-party technology services to financial institutions. It would take into account the size, activities and business profile of a financial institution and determine accordingly the IT risk management requirements to be met.

- said Zoltán Szöllősi, Director of Deloitte's IT Risk Advisory Group.

The legislation will create a joint EU-level supervisory committee made up of Member State supervisors, which will have the power to designate a national authority. Third-party providers of technology services to financial institutions will have to give that national authority access to the information needed to carry out a compliance assessment.

Fintech companies and DORA

As the number and importance of fintech companies grows at an accelerating pace, financial institutions are increasingly exposed to threats that reach them through the companies that provide services to them; in other words, a growing share of cyber-attacks on financial institutions arrives via some form of external service provider.

DORA will significantly change the expectations of legislators towards fintech companies. Given their rapid growth, the DORA proportionality principle will be important, requiring regular review of compliance expectations.

- Zoltán Szöllősi added.

In the European fintech market, regulatory compliance will be a key issue once DORA applies, as financial firms will also be responsible for the compliance of the fintech firms that provide services to them.
