Digital functions are increasingly important in the financial sector’s activities: digitization of processes, automation of tasks, use of cloud features, artificial intelligence, etc. The knock-on effect is that financial players are ever more exposed to cyber threats (phishing, ransomware, intrusions, data theft, etc.).
According to the 12th Annual Bank Risk Management Survey conducted by EY and IIF (the Institute of International Finance), entitled “Seeking Stability Within Volatility: how interdependent risks put CROs (Chief Risk Officers) at the heart of the banking business,” cybersecurity is considered the biggest cause for concern in the year ahead, followed by credit-related risks and environmental risks.
The challenge of harmonizing the measures taken by each Member State
For companies in the financial sector, resilience has become one of the main levers for guaranteeing business continuity under all circumstances. This is the context in which the DORA European Directive was created. Its objective is to strengthen the digital operational resilience of the financial sector. The European Regulation stemming from the Directive was published in the Official Journal of the EU in mid-December 2022, before entering into force on 16 January 2023. From 17 January 2025, it will be applicable in the 27 EU Member States.
The main aim of creating this Directive and Regulation is to address the lack of EU-level harmonization of the digital resilience strategies that apply to financial companies. The Proposal for a Regulation, published in September 2020 on the European Commission website, states that, “The absence of detailed and comprehensive rules on digital operational resilience at EU level has led to the proliferation of national regulatory initiatives (e.g. on digital operational resilience testing) and supervisory approaches (e.g. addressing ICT third-party dependencies).”
“Action at Member State level, however, only has a limited effect given the cross-border nature of ICT risks. Moreover, the uncoordinated national initiatives have resulted in overlaps, inconsistencies, duplicative requirements, high administrative and compliance costs – especially for cross-border financial entities – or in ICT risks remaining undetected and hence unaddressed. This situation fragments the single market, undermines the stability and integrity of the EU financial sector, and jeopardizes the protection of consumers and investors,” adds the European Commission.
Five pillars to strengthen resilience
In concrete terms, the DORA Directive emphasizes five pillars of action to boost the resilience of financial actors:
- Manage the risks associated with information and communication technologies (ICT): the DORA Directive highlights the need to implement a system to deal with ICT risks. The DORA text stresses the fact that “the financial entities’ management bodies should be required to maintain a pivotal and active role in steering and adapting the ICT risk management framework and the overall digital operational resilience strategy.” The DORA Directive clearly emphasizes that the management body of a financial entity is ultimately responsible for managing the ICT risks, and underlines that this approach should be an essential principle in the entity’s strategy.
- Notify the relevant authorities about major ICT-related incidents and significant cyber threats: harmonizing notifications about ICT-related incidents is a central part of the DORA Directive, which describes in detail the methods for sending key information to the ESAs (European Supervisory Authorities) such as the EBA, EIOPA and ESMA. Notifications include all the data that the relevant authorities need in order to determine the scale of the major ICT-related incident and evaluate any cross-border effects. Financial entities can also notify the relevant ESA(s) voluntarily about significant cyber threats, in situations where they believe that the threat pertains to the financial system, service users or clients.
- Test digital operational resilience: for the purpose of assessing preparedness for ICT-related incidents, of identifying weaknesses, deficiencies or gaps in the digital operational resilience and of promptly implementing corrective measures, financial entities shall establish and maintain “a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework.” In practical terms, financial sector actors must bring in independent companies to conduct resilience tests at least once a year, to test the most critical parts of their information system.
- Share information and intelligence on cyber threats and cyber vulnerabilities: the DORA European Regulation includes mechanisms enabling financial companies to exchange information about cyber threats. “Information sharing contributes to increased awareness on cyber threats. This, in turn, enhances financial entities’ capacity to prevent threats from materializing into real incidents, and enables financial entities to better contain the effects of ICT-related incidents and recover more efficiently,” as stated in the European text.
- Apply measures to guarantee sound management of risks linked to third-party providers of ICT services: managing the risks associated with third-party ICT service providers is a prominent theme in the text of the DORA Directive. In particular, financial entities that use third-party providers of ICT services are required to maintain an up-to-date information register of all contracts drawn up with them. Financial companies are also required to conduct due diligence before beginning a professional relationship, and to include minimum standard clauses in contracts, especially regarding the description of services, data security, access, data recovery and return in the event of insolvency, and the right of access, inspection and/or audit by the financial entity or an appointed third party.
Thanks to all these measures, the DORA Directive is intended to unlock and strengthen the potential offered by digital finance for innovation and competitiveness, while minimizing the ensuing risks. It aligns with the European Commission’s priorities on adapting Europe to the digital age and building a future-ready, protected economy that serves EU citizens.