EU's DORA Framework: Digital Operational Resilience Act

Tuesday, October 10, 2023

Europe's Digital Shield: The ESAs and the DORA Framework for Financial Sector Resilience

Europe is taking a decisive step toward enhancing its financial sector's digital defenses. The three European Supervisory Authorities (ESAs) — the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) — have unveiled the first set of final draft technical standards under the Digital Operational Resilience Act (DORA). This groundbreaking initiative is designed to bolster the digital operational resilience of the EU's financial sector by strengthening the management of Information and Communication Technology (ICT) risks and enhancing incident reporting protocols.

Building a Resilient ICT Framework

The newly published technical standards focus on a comprehensive ICT risk management framework. These standards detail the tools, methods, processes, and policies involved, with the aim of harmonising risk management practices across the different financial sectors. For smaller entities, a simplified ICT risk management framework is set out that takes into account their size, risk profile, scale, and complexity.

Setting Criteria for ICT Incident Classification

Another critical component of these standards is the set of specific criteria for classifying major ICT-related incidents. A unified and straightforward process for classifying and reporting such incidents is crucial to maintaining a resilient financial sector. The standards also address the governance of ICT third-party service providers (TPPs): financial entities must maintain rigorous risk management and internal control frameworks in their engagements with TPPs. The goal is to ensure that financial entities retain control over their operational risks, information security, and business continuity throughout every stage of the contractual relationship.

Creating a Register of Information

An Implementing Technical Standard (ITS) establishes the templates for a register of information. This register, maintained and updated by each financial entity, will play a vital role in the ICT third-party risk management framework and will aid supervisory authorities in overseeing compliance with DORA. The final draft technical standards were developed following a public consultation that ran from June to September 2023. After receiving over 420 responses, the ESAs refined the standards to ensure they are streamlined, proportionate, and attentive to sector-specific concerns.

What’s next for DORA?

Having been submitted to the European Commission, the final draft technical standards are now under review. The Commission's adoption of these standards in the coming months will mark a significant advancement in Europe's journey toward a digitally resilient financial ecosystem.

The DORA framework represents a critical evolution in Europe's financial services industry, setting a benchmark for digital operational resilience that other regions may soon follow. As these standards come into effect, financial entities across Europe must prepare to align with a new era of digital operational security and resilience.