Insight
What to expect from Europe’s DORA (Digital Operational Resilience Act)
June 25, 2025
By Julian Robles Häusser, AVP, Underwriter, Cyber
We all know how much the business world has changed over the past few years. With globalization and digital transformation accelerating, the way companies make money has shifted, too. Increasingly, it’s no longer about physical goods—it’s about data, software, algorithms, and other intangible assets. These live and breathe in IT systems, which makes protecting them absolutely critical. This is especially true for financial institutions like insurers and banks, which handle vast amounts of sensitive information every day. If those systems fail or get compromised, the consequences can be severe. That’s why Europe introduced DORA—the Digital Operational Resilience Act. It’s designed to ensure firms build stronger, more resilient digital infrastructure and put the right safeguards in place to protect vital (but often invisible) assets.
What is DORA?
DORA is an EEA-wide regulatory framework which came into force in January this year. The aim is to strengthen the resilience of financial institutions as it relates to their information and communications technology (ICT) and to harmonize standards across the EEA. As with Solvency II—regulation for insurance companies in the EEA around capital requirements—the principle of proportionality applies, defining corporate responsibility in relation to a company’s size, risk profile etc. Generally speaking, DORA is aimed at larger corporations; some companies, depending on revenue size, are not affected.
There are five main areas covered by DORA’s nine chapters, each dealing with different aspects of digital operational resilience:
- ICT risk management
Financial institutions are required to establish a control framework and an internal governance process to effectively manage ICT risks. A good comparison is the existence of an ISMS (Information Security Management System), a point often tackled in a CSA (cyber security assessment)—a questionnaire tool used to describe a company’s cyber security maturity. An ISMS covers certain roles & responsibilities, procedures and protocols. A Business Impact Analysis (BIA) should be conducted, and the risks involved evaluated in terms of acceptability, avoidance, minimization, or transfer. The latter could involve obtaining cyber insurance.
- ICT-related incident management, classification and reporting
This addresses the necessity of a suitable incident-management process and the responsibility of reporting (major) ICT incidents. Categorization of incidents is contingent upon various factors, including the magnitude and severity of the incident in question. To achieve a comprehensive understanding of the subject matter, companies should use EEA-harmonized reports and templates.
- Digital operational resilience testing
One way of improving ICT resilience is to assess current capabilities and identify vulnerabilities. Financial institutions are advised to establish, maintain, and check a comprehensive digital operational resilience testing program as part of their overall ICT risk-management framework. Depending on risk profile, proportional testing should also be conducted. To avoid conflicts of interest, DORA recommends these tests be conducted by independent third parties. Common formats include vulnerability scans and penetration tests.
- Managing ICT third-party risk
Most ICT-related services are provided by IT providers. These must be subject to appropriate due diligence in advance and during the term of the contract. DORA also requires that the contract contain a series of provisions and address various topics to ensure proper management. A complete list of all providers must be created and maintained. Financial institutions should also have exit plans and redundancy options in place for each provider, to ensure operations can continue quickly in the event of provider failure.
- Information-sharing arrangements
This regulation suggests that, to enhance the digital operational resilience of financial institutions, they need to exchange cyber-threat information with one another. Indicators of compromise, techniques, procedures, and configurations of certain tools could be included.
Penalties, benefits and what to expect
DORA also addresses a number of significant subjects, including the growing prevalence of connectivity and dependencies in ICT systems, plus the management of intangible assets, particularly within financial institutions. Acknowledging such trends is important; however, DORA’s primary focus is enforcement of the framework, reporting obligations, and the repercussions of noncompliance. Failure to comply with DORA can lead to penalties that are determined by the relevant supervisory body of each EEA country. Compared to other EEA-wide regulations, such as the GDPR, DORA penalties can be related to revenue—the highest possible allowed is 4% of annual worldwide revenue.
I believe the biggest beneficial outcome of the DORA framework may be the snapshot it can provide of a company’s risk profile. After all, the first step in any robust risk management is to analyze the existing situation in detail, assess the current risk landscape, and make decisions on how to proceed from there. As financial institutions usually handle financial products and therefore deal with substantial amounts of capital, protection of their customers is key. While Solvency II only barely addresses the topic of ICT risk, DORA tackles operational risk in much greater depth and gives clear guidance on how to improve resilience.
Greater investment into your company’s IT infrastructure is the most logical first step, reducing risk and, by extension in most cases, enhancing the accessibility of cyber insurance coverage. As we have seen in the past, the EU Cybersecurity Act, the CSA, has the potential to address new specific regulatory topics. This is evident in the adaptation of certain questionnaires to relevant parts of GDPR, for example. At Mosaic, I have already come across questionnaire wording related to whether a data subject has consented to the processing of their data or not. I’m convinced the DORA framework similarly will be integrated gradually into the underwriting process.
DORA’s first reporting deadline concerned data on critical ICT third-party service providers, which financial institutions had to submit to supervisory bodies by the end of April this year. This constituted a pivotal milestone for its implementation. From personal observations and conversations with affected companies, the launch was far from smooth. In Germany, for instance, the online portal of our supervisory body (BaFin) was crippled by heavy user traffic, eliciting error messages during submissions.
Enforcement by regulatory and supervisory bodies in each EEA country will ultimately determine how strictly DORA’s rules are applied, along with the individual penalties for non-compliance. Some insurance companies maintain that the principle of proportionality was not adequately implemented in the context of Solvency II. So, the onus will be on each supervisory body that localizes DORA to ensure the framework’s overall efficacy.
I believe the objective and extent of the DORA regulation may be appropriate, and wins for stronger cybersecurity in companies, and Europe’s financial services industry as a whole, should result. However, practical implementation of the framework will have to happen first, and time will tell the story of its true impact on financial institutions.
Julian Robles Häusser is an underwriter on Mosaic’s European cyber team based in Cologne, Germany