EU Digital Operational Resilience Act (DORA): A Turning Point for The Financial Sector, or An Obstacle to Overcome?
Adv.Oğuz Çelik 13 Jun, 2024 universal
EU Digital Operational Resilience Act (DORA)

Introduction

Today, the financial sector is undergoing a profound transformation driven by the rapid pace of digitalization. While this transformation offers numerous opportunities (such as enhanced efficiency in the delivery of financial services, reduced costs, and improved customer experience), it also brings with it a host of new risks, including cyberattacks, data breaches, and operational disruptions. In response to these challenges, and with the aim of strengthening the digital resilience of the financial system, the European Union (EU) adopted the Digital Operational Resilience Act (DORA) on 14 December 2022, which will come into effect on 17 January 2025. DORA seeks to establish a more secure and stable financial ecosystem by standardizing cybersecurity and operational risk management practices across financial entities. However, this far-reaching regulation has elicited both positive and negative reactions within the industry. This article provides a comprehensive analysis of the opportunities and challenges posed by DORA, exploring its legal implications and the ongoing debate it has sparked within the financial sector.

A. The Core Objectives and Scope of DORA

The primary objective of DORA is to enhance the digital operational resilience of financial institutions, ensuring they are better equipped to withstand cyberattacks, data breaches, and other disruptions related to information and communication technologies (ICT). To achieve this aim, the Regulation focuses on five key areas:

1. ICT Risk Management: Financial institutions are required to establish a comprehensive framework to identify, assess and manage ICT risks. This framework should encompass risk management strategies, policies and procedures, an inventory of ICT assets, risk assessment methodologies, and reporting mechanisms.

2. ICT-Related Incident Reporting: Financial institutions are obligated to report significant ICT incidents to the relevant authorities. These reports should include details such as the type, scope and impact of the incident, and the measures taken. DORA also regulates the notification timelines and procedures in detail.

3. Operational Resilience Testing: Financial institutions must regularly test the resilience of their ICT systems and processes. These tests aim to identify vulnerabilities, improve incident response capabilities, and ensure business continuity. DORA also governs the various types of tests (e.g., penetration tests, vulnerability scans) and their frequency.

4. Third-Party ICT Risk Monitoring: Financial institutions must manage their dependence on third-party providers for ICT services. This includes carefully reviewing contracts, establishing service level agreements, ensuring that third-party providers comply with security and resilience standards, and regularly monitoring their performance.

5. Information and Intelligence Sharing: Financial institutions should promote the sharing of information and intelligence regarding ICT threats and vulnerabilities. This helps raise awareness across the sector, respond to threats more quickly and effectively, and strengthen the overall resilience of the industry.

DORA’s scope is quite extensive, covering banks, investment firms, insurance companies, payment service providers, and other financial institutions. Additionally, third-party service providers that offer critical ICT services to these institutions are also included within DORA’s scope.

B. Opportunities Offered by DORA for the Financial Sector

DORA presents a range of significant opportunities for the financial sector:

1. Enhanced Cyber Security and Risk Management: DORA encourages financial institutions to improve their cybersecurity and operational risk management practices, making them more resilient to cyberattacks and other ICT disruptions. This provides a safer environment for both the institutions and their customers. The increasing frequency of cyberattacks and data breaches in recent years has painfully highlighted the vulnerabilities of financial institutions. DORA compels institutions to take the necessary steps to prevent the recurrence of such incidents and to safeguard the stability of the financial system.

2. Enhanced Trust and Reputation: Compliance with DORA can significantly enhance the credibility and reputation of financial institutions. When customers are assured that their personal and financial data is secure, they are more likely to place their trust in these institutions. This, in turn, fosters greater customer loyalty and facilitates the acquisition of new customers. In today’s financial landscape, consumers place considerable emphasis on security and privacy when choosing service providers. Institutions that align with DORA’s standards are better positioned to meet these expectations and thereby expand their customer base.

3. Operational Efficiency and Cost Reduction: The ICT risk management and operational resilience testing mandated by DORA can contribute to improved operational efficiency and long-term cost savings for financial institutions. By preventing ICT disruptions or minimizing their impact, institutions can avoid revenue losses and reputational damage. Moreover, DORA’s emphasis on automation and standardization promotes streamlined processes, which in turn reduces operational costs and enhances overall performance.

4. Competitive Advantage: Financial institutions that comply with DORA may gain a significant competitive edge over their peers. Robust cybersecurity and operational resilience have become critical factors for both customers and investors. By adhering to DORA’s standards, financial institutions can showcase their strengths in these areas and distinguish themselves from competitors, positioning themselves as more reliable and future-ready actors in the financial ecosystem.

5. Encouragement of Innovation: DORA can foster innovation within the financial sector by encouraging institutions to adopt emerging technologies and advanced solutions. Technologies such as cloud computing, artificial intelligence, and machine learning can enhance the ability of financial institutions to manage ICT risks more effectively. At the same time, the regulatory framework and standards imposed by DORA ensure that these innovations are implemented in a secure and controlled manner, thus facilitating responsible technological advancement and sustained financial innovation.

C. Challenges Posed by DORA for the Financial Sector

While DORA presents numerous opportunities, it also introduces a range of challenges for the financial sector:

1. Compliance Costs: Achieving compliance with DORA can impose significant financial burdens on institutions, particularly on small and medium-sized enterprises (SMEs). Establishing the necessary ICT infrastructure and acquiring the required expertise may prove difficult for smaller actors, potentially leading to competitive disparities and increased consolidation within the sector. The investments required by DORA (such as staff training, consultancy services, and the adoption of new technologies) can result in substantial operational and capital expenditures.

2. Complexity and Interpretability: Certain provisions of DORA (especially those related to ICT third-party risk monitoring and operational resilience testing) can be complex and open to interpretation. This may complicate compliance efforts and lead to legal uncertainty. Institutions operating across multiple jurisdictions may also face challenges in aligning DORA requirements with local regulatory frameworks, further intensifying the interpretive burden and compliance risks.

3. Operational Burden: DORA introduces rigorous demands in ICT risk management, incident reporting and testing procedures, which can place considerable operational pressure on financial institutions. This burden is particularly acute for institutions with limited resources. The obligations surrounding regular reporting, audits, and resilience testing can significantly increase administrative workload and strain existing systems and personnel, posing a substantial challenge, especially for SMEs.

4. Competitive Effect: The investments required for DORA compliance may raise overall operational costs, which could be passed on to consumers through higher service prices. Additionally, DORA’s obligations may disproportionately affect smaller institutions, placing them at a competitive disadvantage. While larger financial institutions may find it easier to allocate the resources needed for compliance, smaller players may struggle, leading to a distortion in competitive balance and potentially accelerating sectoral consolidation.

D. Principles of ICT Third-Party Risk Management

According to DORA, financial institutions must address ICT third-party risk as an integral component of their overall ICT risk management framework. Throughout this process, institutions remain fully responsible for complying with obligations arising from contracts with third-party providers and for ensuring the proper fulfillment of those obligations. ICT third-party risk management must be implemented in accordance with the principle of proportionality. This means that risk management activities should be scaled in line with the nature, scale, complexity, and significance of the ICT dependencies, as well as the criticality of contractual arrangements and their potential impact on the continuity of financial services.

1. Third-Party Risk Strategy and Information Register

All financial institutions, excluding micro-enterprises, are required to establish a strategy for managing ICT third-party risk and to review this strategy regularly. This strategy must include policies governing the use of ICT services that support critical or important functions and must be implemented at both individual and group levels. The management body must periodically assess the risks associated with critical ICT services, taking into account the institution’s overall risk profile and the scale of its business operations. Additionally, financial institutions are obliged to maintain an up-to-date register of all contractual arrangements with ICT third-party service providers. This register must specifically document contracts supporting critical or important functions and be reported regularly to competent authorities. Furthermore, institutions must be prepared to submit the register or selected portions thereof to competent authorities upon request.

2. Pre-Contractual Assessment and Exit Strategies

Before entering into any contractual agreement for ICT services, financial institutions must carefully assess the scope, risks, and potential conflicts of interest associated with the agreement. They must ensure that providers meet appropriate information security standards and, for critical functions, prioritize providers employing the most advanced and robust cybersecurity measures. Contracts for ICT services must include termination clauses for specific circumstances, such as non-compliance with legal requirements, deterioration in service quality, or the inability of competent authorities to conduct necessary audits. Financial institutions are also required to develop exit strategies for such scenarios, including transition plans that ensure the continuity of services without disruption or harm to clients, either by transferring operations to an alternative provider or by reintegrating them in-house.

3. Audit and Inspection Rights

Financial institutions must secure access, audit, and inspection rights over their ICT third-party service providers. The frequency and scope of such audits and inspections should be determined using a risk-based approach and must comply with widely recognized audit standards. In cases involving complex ICT services, institutions must ensure that both internal and external auditors tasked with carrying out the audits possess the necessary knowledge and expertise to conduct them effectively.

DORA’s ICT third-party risk management framework is designed to enhance the digital operational resilience of financial institutions and to ensure they are adequately prepared for ICT disruptions. However, for this framework to be effectively implemented, institutions must invest in the necessary resources, reassess their internal processes, and strengthen their technical expertise. Overcoming the challenges introduced by DORA is of vital importance for enabling the financial sector to successfully complete its digital transformation and to continue delivering secure and uninterrupted services to its clients.

E. Responsibilities of the Management Body under the Digital Operational Resilience Act (DORA)

Article 5 of the Digital Operational Resilience Act (DORA) underscores the pivotal role that the management body of financial entities must assume in ICT risk management. It imposes a broad range of responsibilities on management bodies to ensure that institutions are capable of effectively managing their ICT-related risks.

These responsibilities encompass the design, approval, oversight, and implementation of the institution’s ICT risk management framework. The management body is tasked with defining the organization’s ICT risk tolerance, including setting its risk appetite and acceptable levels of exposure. Furthermore, it bears responsibility for the establishment, periodic review, and approval of ICT business continuity policies and plans, thereby ensuring preparedness in the face of potential disruptions.

DORA also highlights the obligation of the management body to approve and regularly review ICT internal audit plans and audit activities. This oversight is essential for assessing the effectiveness and adequacy of ICT risk management processes. Additionally, the management body is responsible for establishing reporting channels for ICT risks, ensuring that accurate and timely information on such risks reaches the management level without delay.

Article 5 of DORA further stipulates that members of the management body must possess adequate knowledge and skills related to ICT risks and their potential impact on the financial entity. This competence is vital for enabling the management body to properly assess risks and make informed decisions. Consequently, members are expected to undergo regular training and stay up to date with developments in ICT risk management.

Article 5 of DORA aims to integrate ICT risk management as an essential component of corporate governance by assigning comprehensive responsibilities to the management bodies of financial entities. This approach is expected to strengthen the digital operational resilience of these institutions and enhance their preparedness against ICT-related risks.

Conclusion

DORA is a directly binding EU regulation for financial institutions. This means it is immediately applicable across all EU member states without the need for national implementation. Financial institutions that fail to comply with DORA may face administrative fines and other sanctions.

Ongoing debates persist regarding the legal dimension and implications of DORA. Some legal scholars argue that certain provisions of the regulation may conflict with legislation in other areas, notably data protection and competition law. In particular, the requirements under DORA concerning the sharing of information and intelligence have raised concerns about the protection of personal data and the potential disclosure of trade secrets. Furthermore, there is ongoing discussion about whether some of the obligations imposed by DORA might be disproportionate, placing an excessive burden on small and medium-sized financial institutions.

DORA can be regarded as a significant step toward enhancing the digital operational resilience of the financial sector. However, the challenges and potential risks introduced by the regulation should not be overlooked. As financial institutions invest in ensuring compliance with DORA, they must simultaneously safeguard their capacity for innovation and avoid compromising their competitive edge.

Whether DORA will serve as a turning point for the financial sector or merely a hurdle to overcome will become clearer in the coming years as its implementation and impact unfold. What is already evident, however, is that DORA will play a pivotal role in the digital transformation of the financial industry and will significantly shape its future. In this process, close cooperation and alignment among financial institutions, regulatory authorities, and other stakeholders will be of critical importance.
