Cyber and digital operational resilience / DORA
Context
Digitalisation and new technologies are deeply transforming financial value chains, with an increasing role played by third parties such as providers of cloud services and data centres, leading to higher efficiency and resilience. This also increases the exposure of the financial sector to information and communication technology (ICT) risks such as cyber-attacks and system failures, as well as to third-party dependency risks.
The DORA (Digital Operational Resilience Act) regulation, which aims to implement uniform requirements relating to digital operational resilience across the EU financial sector, entered into force in January 2023 and will apply to firms in scope from January 2025, once the Level 2 Regulatory Technical Standards (RTS) have been established. DORA addresses the core components of the digital operational resilience of financial entities, including the conduct of ICT risk management, testing rules for ICT systems and incident reporting, and also introduces a specific oversight framework for ICT third-party providers deemed critical for the stability and integrity of the EU financial system (CTPPs).
A joint committee set up by the ESAs is taking the implementation work forward in an integrated way, with the objective of developing Level 2 legislation for DORA in a cross-sectoral and proportionate way and submitting the related legal instruments to the Commission by June 2024.
The revised Network and Information Systems Directive (NIS2), which aims to strengthen and harmonise cybersecurity laws across the EU, was adopted at the same time as DORA and has a similar implementation timeline. NIS2 sets out cybersecurity risk management, reporting and information sharing obligations.
The enhancement of cyber and operational resilience is also a priority at the global level. Recommendations were published by the FSB in April 2023 aiming to promote convergence among cyber incident reporting frameworks and encourage better practices, followed by a consultative document released in June on the toolkit needed to enhance the ability of financial institutions and authorities to manage third-party and outsourcing risk in a context of growing digitalisation. This will complete previous work on ICT outsourcing by financial entities to third-party service providers (FSB, IOSCO), the cyber-resilience of financial market infrastructures (CPMI-IOSCO) and the operational resilience of third-party providers (BCBS).
Eurofi documents
Extracted from the main Eurofi publications (Regulatory Updates, Views Magazines and Conference Summaries)
Panel discussion summaries
Cyber and digital operational resilience - Santiago de Compostela Financial Forum - September 2023
Digital operational and cyber-resilience - Stockholm High Level Seminar - April 2023
Cyber and digital operational resilience policy proposals - Paris High Level Seminar - February 2022
Digital operational and cyber-resilience - Ljubljana Financial Forum - September 2021
Eurofi Views Magazine chapters
Cyber and digital operational resilience - February 2024
Gerry Cross - Central Bank of Ireland | François-Louis Michaud - European Banking Authority (EBA) | Denis Beau - Banque de France | Anneli Tuominen - European Central Bank (ECB) | Fernando Restoy - Financial Stability Institute (FSI) | Paolo Carcano - PricewaterhouseCoopers Business Services S.r.l. | Charlotte Hogg - Visa Europe
Cyber and digital operational resilience - September 2023
Gerry Cross - Central Bank of Ireland | François-Louis Michaud - European Banking Authority (EBA) | Denis Beau - Banque de France | Giuseppe Siani - Banca d’Italia | Matthew Martindale - KPMG LLP
Digital operational and cyber-resilience - April 2023
Margarita Delgado - Banco de España | Gerry Cross - Central Bank of Ireland | Samu Kurri - Finnish Financial Supervisory Authority (FIN-FSA) | François-Louis Michaud - European Banking Authority (EBA) | Jason Harrell - The Depository Trust & Clearing Corporation (DTCC)
Digital operational and cyber-resilience - September 2022
Steven Maijoor - De Nederlandsche Bank | Emmanuel Rocher - Autorité de Contrôle Prudentiel et de Résolution | Petra Hielkema - European Insurance and Occupational Pensions Authority | Ksenia Duxfield-Karyakina - Google Cloud | Stephen Hester - Nordea Group
Cyber and digital operational resilience policy proposals - February 2022
Dominique Laboureix - Autorité de Contrôle Prudentiel et de Résolution | José Manuel Campa - European Banking Authority | Margarita Delgado - Banco de España | Jens Obermöller - Federal Financial Supervisory Authority, Germany | Jason Harrell - The Depository Trust & Clearing Corporation | Scott Mullins - AWS Worldwide Financial Services | Laurence Molinier - Deloitte
Digital operational and cyber-resilience - September 2021
Joachim Wuermeling - Deutsche Bundesbank | Billy Kelleher - European Parliament | Ana Teresa Moutinho - European Insurance and Occupational Pensions Authority | Christopher P. Buttigieg - Malta Financial Services Authority | Jason Harrell - The Depository Trust & Clearing Corporation | Lorelien Hoet - Microsoft