The Complete Guide: Digital Operational Resilience Act (DORA)

Unlock the complexities of DORA with our comprehensive guide. Clarify the regulatory requirements to navigate the EU's operational resilience landscape.

Article
16 February 2024 8 mins read
by Jennie Clarke

What is the Digital Operational Resilience Act? Your complete guide

January 2024: the European Supervisory Authorities have now published their first set of technical standards for the Digital Operational Resilience Act. And while financial entities under this regulation have until 17 January 2025 to demonstrate full compliance, cyberattacks continue to grow.

For example, an IT provider for the Danish central bank was attacked in January 2023, with ripple effects that included the bank's website going offline. Because customers of the bank and seven other Danish financial institutions were cut off from online access to their money, the incident was deemed critical.

The Digital Operational Resilience Act has been introduced because financial institutions cannot afford for their customers' funds to become inaccessible. Beyond being a severe consequence of the cyberattack itself, inaccessibility can trigger wider market events that spill over into the international economy.

In this piece, you'll take a deep dive into the Act, and learn how third parties like Global Relay can support your compliance and strengthen your business against cyber risks.

The what, when and why of the EU act

DORA is an EU regulation, so it does not apply directly in the UK, which left the EU before the Act was adopted and is building its own operational resilience and critical third-party regimes. UK firms are still affected, however, if they have EU-regulated entities in scope or provide ICT services to EU financial entities.

What is digital operational resilience?

Digital operational resilience is the ability to carry on with daily tasks and continue offering normal products and services even under stress, such as during a cyberattack. For financial services firms in particular, this means ensuring that customers keep normal access to their funds and aren't prevented from taking out cash or making transfers. Even in a crisis, these services are essential.

The Digital Operational Resilience Act is a five-pronged regulatory framework to protect financial services firms, and their customers, against cyberattacks.

It was adopted by the European Parliament and the Council of the EU. The Joint European Supervisory Authorities (the European Banking Authority EBA, the European Securities and Markets Authority ESMA, and the European Insurance and Occupational Pensions Authority EIOPA) draft the technical standards that fill in the detail and will oversee critical ICT third-party providers.

The Act, together with its technical standards, gives firms specific requirements aimed at raising security across the industry and improving their defences against, and response to, cyber risks. It also guides firms in their controls, testing, due diligence and responses to digital risks.

When was DORA introduced?

The Digital Operational Resilience Act was officially passed in November 2022. Before then, regulatory boards floated the idea, asked for industry-wide feedback, and took onboard implementation concerns. 

But each financial entity has had a relatively short window to implement the changes it needs: a 24-month deadline from the Act's entry into force.

When will DORA come into force?

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. However, it only applies from 17 January 2025, so firms have until that date to comply.

Why was the DORA EU Act introduced?

Before the European Union act was announced, much of the financial services risk management framework focused on finances themselves, including:

  • Credit risk, addressed through capital and minimum reserve requirements
  • Foreign exchange risk
  • Financial crime risk, such as fraud and money laundering

The incoming regulation is needed to address digital risks (cyber risks in particular), much as the SEC's proposed 'Rule 10' aims to do in the US. It is also intended to let firms keep providing their services as threats evolve. The purpose of the Digital Operational Resilience Act is therefore to provide a single framework of technical standards and to encourage industry-wide collaboration.

European Investment Bank (EIB) falls victim to cyberattack

In June 2023, a cyberattack on the European Investment Bank took its primary website offline. Without proper operational resilience strategies, a bank's customers in such a situation cannot reach their funds or accounts, which is what makes an incident of this kind serious.

This EU Act exists to ensure that financial services firms are well-supported to detect, prevent and respond to cyber attacks, and remain in operation even while that response occurs. This way, customers are less likely to feel the effects of such attacks, with little to no impact on their access to finances.

An honorary mention for NIS2

DORA sits alongside a wider piece of EU cybersecurity legislation, the second iteration of the Network and Information Systems Directive (NIS2). While NIS2 addresses the overall cyber health of essential and important entities across the EU, DORA is the sector-specific regime for financial entities, and where both apply, DORA's requirements take precedence for financial entities.

Member states had to transpose NIS2 into national law by 17 October 2024, a few months ahead of DORA's application date.

Five pillars of the Digital Operational Resilience Act

  1. ICT risk management
  2. Incident reporting framework
  3. Third party risk management
  4. Stress testing
  5. Intelligence sharing

ICT risk management

ICT risk management sits at the heart of this regulation, representing the first pillar. This section focuses on how companies can implement internal and external controls and governance strategies to better detect and prevent cyber risks from materializing. 

Moreover, firms are required to set a risk tolerance level for ICT risk as part of their digital operational resilience strategy, informed by factors like ICT provider operations (pillar three) and test results (pillar four). The strategy should detail the boundaries of normal operations and the point at which a risk becomes an incident that must be handled and reported.

For example, a firm might validate a prospective supplier's company details during onboarding. If those details don't match the official register, the vendor can be flagged for review and email from its domain treated with suspicion until the discrepancy is resolved.

Incident reporting framework

An incident reporting framework defines what happens the moment an ICT-related incident is detected: how do employees and systems respond, and what must be reported to the regulator, and when?

The regulation sets specific technical standards for reporting cyber incidents, including the classification of incidents. Major incidents must be reported to the competent authority in stages (an initial notification, an intermediate report and a final report), and the recently published standards classify incidents based on:

  • Clients, financial counterparts and transactions affected
  • Data losses
  • Criticality of the services affected
  • Reputational impact
  • Duration and service downtime
  • Geographical spread
  • Economic impact

Third party risk management

As highly regulated companies, financial services firms undergo their own regulatory compliance checks. But until now, many of their suppliers have not been subject to the same requirements.

This has led fraudsters and cyberattackers to target trusted service providers as a side door into financial firms. For example, attackers use social engineering to manipulate third parties via email, encouraging an employee to click on a malicious link. Once inside the supplier's systems, the same attacker can exploit the trust between that third party and its financial client to gain further access.

At Global Relay, we've established reliable and secure communication systems for every stage of the compliance journey. And as leaders in the data surveillance and archiving space, we already operate in a compliant and secure manner, without compromising on client efficiency.

Stress testing

Plans are well meaning, but how good are employees at actually following those systems and response steps when a cyber threat materialises?

Resilience testing, the fourth pillar of the Digital Operational Resilience Act, involves creating cyberattack scenarios and testing the firm's response. The tests should assess both the firm's security and its resilience, supporting business continuity in providing its financial services.

In any scenario, testers will look to satisfy the following criteria:

  • How quickly does the firm spot the attack?
  • Is the detection by chance, or thanks to a systematic strength?
  • Does the firm have guidance to respond to the threat properly?
  • Was the guidance followed?
  • Were normal operations able to continue despite the attack?
  • What actions were taken to plug systematic vulnerabilities after the threat was contained?
  • Were incident reporting standards followed? 

Under the regulation, every financial entity must run a testing programme, with tests of the ICT systems supporting critical or important functions at least once a year. Entities identified by their supervisor as significant must additionally undergo threat-led penetration testing (TLPT) at least once every three years, carried out by qualified testers; external testers are the norm, and internal testers are permitted only under conditions the Act sets out.

Intelligence sharing

The fifth and final pillar of the Digital Operational Resilience Act promotes industry-wide information sharing.

The purpose of this is simple: when one company experiences a cyberattack, the attackers will likely target others. By sharing information about the threat and how the attack was carried out, firms can implement better detection, prevention and response strategies. This aims to increase cyber resilience across financial entities in all EU member states.

The Act makes a big statement in proving that the customer experience (and sensitive customer information) is far more important than competition. For compliant financial institutions who agree, it’s time to walk the walk.

Who does DORA impact?

The scope of the Digital Operational Resilience Act covers two groups. The first is financial entities themselves, including banks, credit institutions, payment and e-money institutions, investment firms, insurers and crypto-asset service providers.

The second group is ICT third-party providers, and in particular those designated as critical ICT third-party providers (CTPPs), which come under a direct oversight framework run by the European Supervisory Authorities. It's important to note, however, that responsibility for managing ICT third-party risk remains with the financial entity, which must ensure its contracts and controls with every ICT provider, critical or not, meet the Act's requirements.

In particular, financial providers must satisfy the following cyber risk requirements:

  • Pre-contract due diligence
  • Access, audit and inspection rights
  • Annual reporting on new ICT service arrangements (plus incident reporting)
  • Maintenance of a register of information on all ICT third-party arrangements
  • A strategy on ICT third-party risk

As financial institutions know all too well, it can take up to a year to onboard a new vendor, especially one that will handle sensitive information such as customer financial data. Working with proven, well-controlled suppliers makes all the difference.

Want to read about how Global Relay enables 100% confidence in its third party secure communications services, as an ICT systems provider? Click here.
