Cyber security in the financial sector has become a significant concern in Europe as technology has gone global and digitalization has become integrated into every service. Threats to information networks cross geographical borders, and the EU's goal is to enhance the resilience of its internal market.
As the number of threats and the means of cyberattack increase, the EU wants to raise the cyber security of operators in critical industries (NIS2) and of operators in the financial sector (DORA). As digital services grow more complex, preparing for and developing them is extremely challenging, especially when the number of threat actors and the range of attack methods have increased. The EU wants to respond to these challenges with the new DORA regulation.
DORA Creates a Unified Regulatory Framework for the Financial Sector
The EU's DORA regulation (Digital Operational Resilience Act, 2022/2554) on digital resilience in the financial sector entered into force in January 2023 and applies two years later, i.e. from 17 January 2025. The regulation brings new requirements to the financial sector by creating a regulatory framework for digital risk management and by harmonizing risk assessment and risk management requirements across the EU.
DORA is a unified regulatory framework with a strong impact on the financial sector. It is worth noting that it targets not only the financial services industry and the banking sector, but also the technology companies that provide services to financial entities. ICT service providers are defined broadly in the regulation, to account for rapidly developing technologies and service offerings. This means that any company that provides digital or data services of any kind to the financial industry is subject to DORA compliance. The regulation classifies ICT service providers according to the criticality of the services they offer. Requirements are placed on critical ICT service providers, especially in relation to their contractual obligations and the oversight framework. A critical ICT service provider can be, for example, a provider of cloud services or a company to which a significant part of the business or a related ICT service has been outsourced.
DORA’s requirements for financial sector operators and their ICT service providers are:
ICT risk management (Articles 5-16)
- The goal is a high level of digital operational resilience
- Top management responsibility
- Risk management method and tools, asset list and their regular monitoring and control
- Mechanisms for detecting, reacting and recovering from abnormal activity
ICT-related incident management, classification and reporting (Articles 17-23)
- Notification and reporting obligation
- ICT incident and cyber threat management process and classification
Digital operational resilience testing (Articles 24-27)
- Regular and systematic testing program
- Significant financial entities: Advanced testing through threat-based penetration testing (red teaming) at least every three years, qualification requirements for testers
- Including service providers of critical or important functions
Managing of ICT third-party risks (Articles 28-44)
- Contract terms for service providers
- Lead Overseers with monitoring powers, an oversight framework and information request requirements
Information sharing arrangements (Article 45)
- Exchange of cyber threat information and intelligence among financial entities
From the ICT service provider’s point of view, the effects of the regulation can be divided into three areas: contractual arrangements, official supervision and compliant services.
The regulation regulates in detail the contractual relations between financial entities and ICT service providers, for example to ensure that the ICT security level required for risk management is maintained and to set monitoring and contract provisions. Official supervision relates especially to critical third parties acting as ICT service providers and to the oversight framework for the ICT risk management practices that apply to them. At the heart of the DORA regulation is risk management covering the entire supply chain, with the authorities able to monitor the effectiveness of risk management across the ICT supply chain. In addition, ICT service providers should evaluate how they manage incidents, how well they tolerate disruptions and the associated risks, and they should rehearse the related actions proactively. In practice, the regulation has direct effects on how an ICT service provider manages its own infrastructure, especially in relation to information security, data location, incident management and personnel training.
What changes?
The financial sector's digital resilience was already guided before the DORA regulation, e.g. by the requirements related to the outsourcing of ICT services and to cloud migration. However, DORA is more detailed and stricter in its requirements, especially regarding the sanctions imposed for non-compliance: the periodic penalty payment is one percent of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year.
DORA also defines broad areas of responsibility for the highest management body of the financial entity, covering, for example, ICT risk management, data security, the resilience strategy and audit management. In addition, compared to earlier reference frameworks, DORA's scope includes a significantly larger number of organizations. In short, the biggest changes are the tightening of the requirements, the expansion of scope to cover more companies, and the tightening of the sanctions.
How do DORA and NIS2 differ? Both DORA and NIS2 aim to enhance cyber security in the EU, but they serve different purposes. While the purpose of DORA is to protect the financial sector in the EU, the scope of NIS2 is wider: unifying the level of cyber security across the EU. Although DORA regulates the financial sector and sets more specific obligations than the NIS2 directive, it is worth getting to know the requirements of both. Preparing for and reducing cyber security threats and risks has indeed been the motivation behind EU regulation, and the new DORA regulation aims to unify and develop information security in the EU financial sector.