Securing Digital Futures: A Guide to DORA Compliance for Financial Entities

Introduction:

In a dynamic digital transformation era, the convergence of regulatory frameworks is reshaping the landscape for financial entities. This exploration unveils the intricate interplay between the Digital Operational Resilience of the Financial Sector (DORA) and the Network and Information Systems Directive (NIS2) compliance. As businesses navigate this complex terrain, understanding the essential obligations, management responsibilities, and interaction with the Security of Network and Information Systems Directive (NIS2) becomes imperative.

I. DORA: Defining Digital Operational Resilience

On November 10, 2022, the European Parliament endorsed the DORA Act, setting the stage for a paradigm shift in operational resilience for financial entities. This section provides an in-depth understanding of DORA’s fundamental obligations and how it influences ICT risk management capability, reporting, testing, and information sharing.

A. Key Obligations under DORA:

ICT Risk Management: DORA introduces principles for internal controls and governance structures, requiring robust ICT risk management frameworks.

Reporting of ICT-Related Incidents: DORA mandates a consistent incident reporting mechanism for significant incidents, emphasising timely communication to competent authorities and service users.

Testing: Financial entities must adopt a comprehensive digital operational resilience testing program, including advanced testing every three years through threat-led penetration tests.

Information Sharing: Provisions in DORA facilitate the sharing cyber threat information and intelligence among financial entities to bolster digital operational resilience.

Localisation: Restrictions on third-country Critical ICT Third-Party Providers, allowing their services only if they establish a subsidiary in the EU within 12 months.

B. Management Responsibility:

Role of the Management Body: The management body of a financial entity assumes ultimate responsibility for ICT risks, steering the entity’s ICT risk framework and overall digital resilience strategy.

Roles and Responsibilities: Clear roles and responsibilities for ICT-related functions are essential, with dedicated roles for monitoring arrangements with ICT third-party providers.

Knowledge and Skills: Management body members must possess and maintain sufficient knowledge and skills to understand and assess ICT risks.

II. Interplay with NIS2:

DORA’s interaction with the Security of Network and Information Systems Directive (NIS2) is explored, emphasising how financial entities will navigate both regulatory frameworks to ensure compliance.

A. NIS2 Overview:

Scope Expansion: NIS2 extends the scope of its predecessor, encompassing new sectors like “digital providers” and introducing uniform size criteria.

Risk Management and Reporting Obligations: NIS2 outlines cybersecurity risk management and reporting obligations, overlapping with DORA in certain areas.

Complementary Legislation: NIS2 acknowledges DORA as a lex specialist, ensuring that any overlap will be addressed and providing clarity for financial entities.

III. Preparing for Compliance:

This section guides financial entities on proactive steps to prepare for DORA compliance, offering insights on impact assessment, critical ICT third-party providers, subsidiarisation requirements, and essential preparatory measures.

A. Impact Assessment:

Risk-Based Approach: Financial entities should adopt a risk-based approach to assess the impact of DORA on their business, conducting comprehensive gap analyses against existing ICT-risk management processes.

B. Critical ICT Third-Party Providers:

Comprehensive Rules and Procedures: Critical ICT Third-Party Providers must establish complete rules, procedures, mechanisms, and arrangements to manage ICT risks.

Benchmarking and Contract Review: Providers should benchmark existing systems against guidelines, ensuring contracts allow flexibility for compliance with regulatory rules.

C. Subsidiarisation Requirements:

Early Engagement: EU subsidiarisation requirements necessitate early engagement between third-country Critical ICT Third-Party Providers and the financial entities they serve.

Identifying Alternative Providers: Financial entities may consider identifying alternative providers if third-country providers do not establish an EU subsidiary within 12 months.

Conclusion:

A proactive and comprehensive approach is paramount as financial entities embark on the journey toward DORA and NIS2 compliance. Adapting to evolving regulatory landscapes ensures adherence and positions entities for success in an era where digital operational resilience is synonymous with trust and competitiveness.