A new cybersecurity regulation is coming to the European financial services sector, and its authority will be felt worldwide.
The European Union's (EU) new Digital Operational Resilience Act (DORA) creates a single, unified framework for regulating ICT risk management at financial institutions operating in Europe. It mandates a common approach to cybersecurity for information and communication technology (ICT) across all 30 countries in the European Economic Area.
DORA is a continental response to the rise of ransomware and the other cyber threats that have proliferated in the wake of the global pandemic. It reflects a global push to make financial services organizations more resilient across the entire enterprise, including businesses designated as critical vendors in the organization's supply chain, whether those vendors are based in Europe or anywhere else in the world. So, what might this mean for businesses in the US and elsewhere outside Europe?
Setting a Global Standard
DORA will have a substantial impact on how any cloud provider or large financial organization does business in Europe and how financial institutions use software-as-a-service technology over its life cycle.
DORA directly affects any provider of financial services doing business in Europe, including insurance companies, brokerage firms, crypto-asset service providers, and related financial technology businesses. All are required to comply with DORA's provisions for business resilience and cybersecurity or face substantial financial and other penalties.
Just as the General Data Protection Regulation (GDPR) made non-compliance onerous and increasingly expensive, DORA is expected to have a similar impact on how large financial operations do business. We are already seeing some of this in DORA's predecessor, the European Banking Authority Guidelines on Outsourcing (EBAG), and in similar rules emerging in Canada, Singapore, Australia, and the UK.
DORA significantly tightens EU regulation with rules specifically targeting supply chain management, contractual conditions, ICT vendors, and enterprise cybersecurity assessment and readiness. DORA limits an organization's freedom to make business decisions that accumulate risk. The new rules are designed to ensure greater business resilience and mirror a similar, but advisory, set of recommendations: the Cybersecurity Framework (CSF) published by the US National Institute of Standards and Technology (NIST).
A critical difference is that while CSF guidelines are purely advisory, DORA mandates compliance and requires organizations to demonstrate that certain conditions are met. DORA creates an enforcement and supervision mechanism that affects both the financial institution and its most critical supply chain components, including third-party service providers.
In addition, organizations will need to provide demonstrable evidence of threat-led penetration testing, cybersecurity capabilities, disaster readiness, and measurement of their resilience posture. One particularly thorny area is the extent of DORA's regulatory reach into an organization's supply chain vendors and subcontractors. DORA's proposed language refers only to "critical" ICT third-party providers.
The financial regulators will determine and designate critical providers, and that categorization will depend on the function a provider performs rather than on its size. Several large-scale cloud infrastructure service providers are expected to be included. Although small to midsize businesses (SMBs) are excluded from the scope of DORA, market realities suggest that financial institutions are likely to demand the same level of compliance from SMBs, because doing business with them otherwise could be seen as a resilience risk.
Best Practices and DORA Preparation
DORA is expected to be adopted by the European Union sometime this year; enterprises should plan on a 12- to 24-month window to come into compliance. To help you prepare, here are some best practices from enterprises already on the road to DORA compliance.
Identify the Gaps
A key first step is understanding DORA's impact in terms of the gaps between the controls the enterprise has today and the requirements the regulation is creating.
Require Executive Engagement
DORA is so transformational that without executive buy-in, organizations will struggle to find the support or funding needed to mandate compliance. Executive buy-in can be won in different ways depending on how DORA affects the organization; understanding the gaps and educating key stakeholders are essential in either case.
For a financial institution, executive buy-in can be driven by the fact that DORA is a regulatory obligation likely to be heavily enforced by national and EU regulators. For an ICT provider, executive buy-in can be driven by the realization that DORA is both a customer requirement and a compliance requirement, enforced by customer pressure and by regulatory oversight, especially if the provider is designated as critical.
Understand Where Your Institution Is Exposed
DORA's requirements vary widely depending on the role an organization plays. DORA will affect the ICT supply chain of the financial services industry because it imposes contractual and other requirements on the institutions that buy ICT services. In addition, if an ICT supplier is designated as critical, it becomes directly subject to DORA and to some of its oversight requirements.
Complete EBAG Compliance
DORA essentially builds upon the European Banking Authority Guidelines on Outsourcing (EBAG) that precede it, converting many of EBAG's guidelines into specific legal obligations.
The effort to come into compliance with DORA will need to be companywide. ICT use, and the risk that comes with it, cuts across every part of a financial institution's business. Enterprises must map out their own ICT risk, their suppliers' ICT risk, and the business processes that carry that risk. They will need to draw up a strategy, develop a governance framework, and take advantage of the sunrise period to come into compliance with DORA and improve their own business resilience.
In a world turned upside down by new and unique threats ranging from ransomware to the pandemic, coming up to speed with the new rules in Europe may also prove a significant competitive advantage for your enterprise and prepare you for similar requirements in other parts of the world.