The core mission of the DORA regulation is to bring together standards that strengthen operational resilience in the finance industry, particularly fintechs. These will apply to 20 different types of financial entities and third-party service providers.
DORA entered into force on the 16th of January 2023 and will apply to both EU and UK businesses from the 17th of January 2025. In this article, Hicomply explains how this will affect applicable businesses.
What is the purpose of DORA?
As the financial sector becomes more reliant on using digital systems to store and use information, it’s important to ensure that these systems are as resilient as possible.
Because fintechs conduct most of their day-to-day operations on digital systems, often remotely, the risk of a data breach has increased dramatically, and the consequences of one should not be underestimated.
DORA is designed to increase the cyber resilience of financial institutions, significantly reducing the risk of a data breach or leak.
What are the DORA requirements?
The DORA technical requirements are split across five chapters:
- Chapter II: ICT risk framework
- Chapter III: ICT-Related Incident Management, Classification and Reporting
- Chapter IV: Digital Operational Resilience Testing
- Chapter V: Third-party Risk Management
- Chapter VI: Information Sharing Arrangements
These requirements will be enforced in proportion to the size of the affected business, meaning that larger entities will have to abide by more stringent standards than smaller organisations.
Chapter II: ICT risk framework
The articles involved in Chapter II include the following:
- DORA Article 4: Governance and organisation
- DORA Article 5: ICT risk management framework
- DORA Article 6: ICT systems, protocols and tools
- DORA Article 7: Identification
- DORA Article 8: Protection and Prevention
- DORA Article 9: Detection
- DORA Article 10: Response and recovery
- DORA Article 11: Backup policies and recovery methods
- DORA Article 12: Learning and evolving
- DORA Article 13: Communication
- DORA Article 14: Further harmonisation of ICT risk management tools, methods, processes and policies
DORA regulations require the senior management of a fintech organisation to take responsibility for ICT risk management and governance. This includes executive leaders and senior managers.
These leaders will need to develop relevant risk management strategies, act on any changes that need to be made, and stay proactive about developments in the ICT landscape that could expose the organisation to risk.
This includes creating a thorough ICT risk management framework, continuously reviewing and risk-assessing it, and documenting the process throughout.
Chapter III: ICT-Related Incident Management, Classification, and Reporting
The articles involved in Chapter III include the following:
- DORA Article 15: ICT-related incident management process
- DORA Article 16: Classification of ICT-related incidents
- DORA Article 17: Reporting of major ICT-related incidents
- DORA Article 18: Harmonisation of reporting content and templates
- DORA Article 19: Centralisation of reporting of major ICT-related incidents
- DORA Article 20: Supervisory feedback
Relevant organisations and fintechs will also need to establish robust systems that monitor, manage, document, and report any ICT-related incidents should they arise. These reports will need to be supplied to regulators and to any affected entities, such as clients, stakeholders, and partners.
Three different types of reports will need to be filed in these circumstances: an initial report that notifies authorities, a follow-up report detailing progress on the resolution of the incident, and a final report that assesses the cause of the incident.
Chapter IV: Digital Operational Resilience Testing
The articles involved in Chapter IV include the following:
- DORA Article 21: General requirements for the performance of digital operational resilience testing
- DORA Article 22: Testing of ICT tools and systems
- DORA Article 23: Advanced testing of ICT tools, systems and processes based on threat-led penetration testing
- DORA Article 24: Requirements for testers
Entities must also regularly test their ICT systems to assess the strength of their security and identify any weaknesses. The results of these tests and planned actions to address uncovered vulnerabilities must be reported to the relevant authorities.
Basic annual tests, including vulnerability testing and scenario-based assessment, will need to be carried out. Entities deemed to have critical roles in the financial sector (and their ICT providers) will also need to take part in further testing, such as threat-led penetration testing (TLPT) every three years.
Chapter V: Managing ICT Third-Party Risks
The articles involved in Chapter V include the following:
Section I: Key principles for a sound management of ICT third party risk
- DORA Article 25: General principles
- DORA Article 26: Preliminary assessment of ICT concentration risk and further sub-outsourcing arrangements
- DORA Article 27: Key contractual provisions
Section II: Oversight framework of critical ICT third-party service providers
- DORA Article 28: Designation of critical ICT third-party service providers
- DORA Article 29: Structure of the Oversight Framework
- DORA Article 30: Tasks of the Lead Overseer
- DORA Article 31: Powers of the Lead Overseer
- DORA Article 32: Request for information
- DORA Article 33: General investigations
- DORA Article 34: On-site inspections
- DORA Article 35: Ongoing Oversight
- DORA Article 36: Harmonisation of conditions enabling the conduct of the Oversight
- DORA Article 37: Follow-up by competent authorities
- DORA Article 38: Oversight fees
- DORA Article 39: International cooperation
Financial organisations and fintechs will also need to provide a thorough map of their third-party ICT providers. The aim here is to ensure that the most significant and critical functions are not concentrated on a single provider or a small group of providers. Critical third-party ICT service providers will receive direct oversight from the relevant ESA assigned to them.
Chapter VI: Information Sharing Arrangements
The articles involved in Chapter VI include the following:
- DORA Article 40: Information-sharing arrangements on cyber threat information and intelligence
This is a recommendation rather than a mandatory requirement; however, DORA encourages all parties to enter into threat intelligence sharing arrangements. All information shared in this process remains protected under the relevant rules, including GDPR.
Who does DORA apply to?
DORA regulations apply to the financial sector and its third-party suppliers of ICT services based in the UK and EU. These include, but are not limited to:
- Banks
- Central securities depositories
- Investment firms
- Credit and credit rating institutions
- Payment and electronic money institutions
- Account information service providers
- Central counterparties
- Crypto-asset service providers
- Data reporting service providers
- Insurance and reinsurance institutions
- Trading venues and trade repositories
- Administrators of critical benchmarks
- Institutions for occupational retirement provisions
- Managers of alternative investment funds (AIFMs) and management companies
- Securitisation repositories
- Crowdfunding service providers
DORA compliance as you work with Hicomply
We hope the information provided here on the DORA Regulation has been valuable to you and your fintech organisation. At Hicomply, our mission is to offer our customers a more streamlined process when seeking data compliance; this is why we offer a fully fledged ISMS dashboard that keeps track of your documents and overall progress all in one place.
If you’re interested in learning more about how we can help your financial organisation, contact us today for a free demo.