This article was automatically translated from the German original using AI.
DORA – New EU-Wide Uniform Security Standards in IT
On January 17, 2023, the EU’s new DORA regulation came into force — and in this case, “DORA” does not refer to the heroine of the well-known children’s TV series, but stands for “Digital Operational Resilience Act.” The regulation aims to harmonize information and communication technology (ICT) security across the entire EU financial sector, in order to better defend against ever-growing external threats. In what follows, we look at what the DORA regulation contains in detail, who it affects, and what the next steps should be for those concerned.
First things first: although the regulation already came into force in 2023, full implementation is not required until January 17, 2025. On top of that, the details of some components will only be published over the course of the following year, which at the time of writing still lies ahead. So we will focus on the structures and changes as they are currently known. There are five key building blocks:
ICT Risk Management
An appropriate risk management framework must be implemented. Within this framework, robust systems and tools must be maintained, and critical functions must be identified, classified, and documented according to defined requirements. The framework also covers the tests described in the next section.
Testing
In the future, financial service providers will be required to carry out annual resilience tests on their own systems. The exact details of these tests have not yet been finalized. The same applies to the additional “Threat-Led Penetration Tests” that must be conducted every three years. The test results are then to be used to determine institution-specific preventive measures.
Reporting Obligations
The results of these tests must be documented and, under certain circumstances, reported. In addition, there will be an expanded and standardized reporting obligation for disruptions and incidents. This includes information such as how many people were affected and what data was involved. This information will then be stored centrally.
Information Sharing
The data collected under the reporting obligations described above will be anonymized and made available. This way, threats can be identified early for everyone through active information exchange, and potential vulnerabilities can be addressed. Rules for information sharing are also to be introduced for all entities subject to the DORA regulation.
ICT Third-Party Service Providers
This is probably one of the biggest changes. In the past, the bank itself was responsible for security matters. Now, third-party providers of critical ICT systems also fall under the supervision of banking regulators. This means regulators can inspect documents at the provider’s premises, conduct on-site audits, and issue directives. Additionally, financial institutions must keep records of the third-party providers they use and maintain an up-to-date register.
So we have clarified the “what.” The last point provides a good segue to the “who.” In the past, there were already many guidelines for banks, but not for all groups within this industry (e.g., insurers). Now, however, virtually all of them will fall under the full scope of the DORA regulation. To name a few beyond the traditional bank: insurers, reinsurers, electronic money institutions, credit rating agencies, investment firms, central securities depositories, data reporting service providers, and many more.
Due to this broad range of institutions falling under the DORA regulation, there will be vastly different levels of effort required to comply with the new standards. Some components of the new regulations are already found in existing frameworks (e.g., BAIT — Banking Supervisory Requirements for IT, or MaRisk — Minimum Requirements for Risk Management). Banks therefore already have a risk management framework that may only need to be adjusted. Testing and third-party provider reporting are likely the biggest changes and challenges. Insurers were previously excluded from many guidelines or were not as heavily affected. Significantly more work will be needed there, and internal structures may need to be substantially restructured.
As a consulting firm, we recommend that affected institutions address this topic early on. This way, an as-is analysis can be started early, and a gap analysis can be created as the details of each building block become known. The first interim milestone was January 17, 2024. On this date, the details on risk management and the classification of ICT-related cyber incidents were published.
Somewhat later, on July 14, 2024, the details on reporting obligations, specifics of the annual tests, and the specification of the oversight framework structure for ICT third-party service providers with the corresponding register will be published.
Thus, the DORA regulation is not simply a new piece of regulation for banks, but a broadly scoped framework that extends beyond traditional financial institutions and holds all companies, providers, and components of the industry accountable for ensuring higher security standards. How effective this will ultimately be is difficult to assess at this point. But with DORA, the EU is heading in the right direction — arming itself against ever-growing threats and handling IT matters with due diligence.