DORA: building a resilient operational framework for the EU financial services sector

by Maria Luisa Renzi - Data Protection Consultant

The financial industry, perhaps more than any other industry today, is facing cyberattacks of increasing number and severity. At the same time, until now it has lacked an adequate EU-wide legislative framework to counter that worrying trend. Enter the DORA regulation: a new legal instrument intended to consolidate and harmonise the operational and cybersecurity resilience of the Union's financial sector.

The widespread use of new technologies in every aspect of our lives is undeniable, and the financial sector is no exception. Over the last ten years, information and communication technologies (ICT) have taken a central role in its daily operations. It is equally undeniable that this digital transformation has not always been accompanied by adequate awareness and management of the cyber risks to which the sector is increasingly exposed.

Digital Operational Resilience Act

To remedy this situation, the European Parliament adopted a new regulation last November. DORA, short for Digital Operational Resilience Act, is a set of rules with the ambitious aim of establishing and harmonising at European level the main cybersecurity requirements applicable to the financial sector. Its scope covers traditional financial institutions such as banks, investment firms and insurance companies, but it also reaches other entities such as crypto-asset service providers and critical ICT third-party service providers (e.g. cloud service providers), which may be described as the 'new players' in the market.

The story of DORA's adoption began a couple of years ago, in September 2020 to be precise, with the proposal of the new regulation. That proposal formed part of a broader regulatory programme, better known as "digital operational resilience for the financial sector" or the "digital finance package", which includes several other regulatory interventions, such as those for the crypto-asset market and for blockchain (distributed ledger) technologies.

What remains to be seen is whether, in the long run, the "digital finance package" in general, and the DORA regulation in particular, will strike a balance between the widespread and growing use of new forms of technology in the financial sector and the need to ensure the security and stability of the financial system, so as to achieve better protection of consumers' rights.

More than a simple set of requirements

The DORA regulation stipulates that, in case of non-compliance, the competent authorities of the Member States shall have the power to impose appropriate administrative penalties and remedial measures on financial entities and on ICT third-party service providers. The main compliance requirements fall into five areas: ICT risk management, ICT-related incident reporting, digital operational resilience testing, management of ICT third-party risk, and information-sharing arrangements on cyber threats.

However, regarding DORA as a simple set of legal requirements with which the targeted companies have to comply in order to avoid fines would be a short-sighted and reductive interpretation. Ultimately, the DORA regulation aims to establish a comprehensive framework of operational rules and cybersecurity standards needed to guarantee that financial entities operating in Europe are placed in a position to prevent, withstand and readily react to the cyber threats they may face. To that end, the new regulation provides a ready-to-use collection of technical and organisational cybersecurity measures, aimed at enabling and supporting the innovative potential of digital finance while mitigating the risks that technological innovation poses to customers.

The ideal scenario

With DORA, the EU regulators have clearly taken the high road to achieve the much-needed digital operational resilience of financial entities. They allow a two-year implementation period from the entry into force of the new regulation. Within that period, financial institutions will have to build the best possible internal infrastructure to comply with the requirements listed above and meet the EU regulators' expectations.

The best approach to this new regulation, in my view, would be for companies not only to ensure compliance inside their organisations, but also to derive real benefit from implementing a compliant framework. That will ultimately lead to a sustainable cycle which contributes to the long-lasting and healthy development of economic life in the various countries and to the protection of European citizens.

Do not hesitate to contact me, if you have questions or wish to discuss this new EU legislation in more detail.