DORA: STRENGTHENING DIGITAL RESILIENCE IN THE FINANCIAL SECTOR

From 17 January 2025 the new EU Regulation 2022/2554, known as DORA (the “Digital Operational Resilience Act”), became applicable. It is a law that aims to improve digital security in the European financial sector.

The regulation officially entered into force on 16 January 2023, but the entities concerned had 24 months to adapt to the new rules. Severe penalties have been introduced for non-compliance.

Who is involved

The new regulation involves different categories of financial operators, including banks, investment companies, insurance companies, cryptocurrency service providers, crowdfunding platforms and third-party ICT service providers (i.e. providers of information and communication technologies).

What is involved

Their main duties concern ICT risk management, for example through the implementation and development of emergency plans and periodic tests, which must be carried out regularly to assess resilience to critical situations. In addition, internal governance and control measures are required, such as the appointment of an ICT officer within the organisation or the creation of a governance committee to monitor ICT activities. It is important to have a clear and well-documented risk management framework, including the strategies, policies and the ways in which they will be implemented, so that the entity can respond efficiently and quickly to all risk situations.

A second requirement is to monitor third-party ICT providers through careful management of contracts, with a detailed record of the services offered and due diligence to ensure the reliability of partners. This means adopting a thorough supplier assessment process, analysing in detail the operational, financial, legal and technological risks associated with each provider. This is also relevant to regulatory compliance, which requires the classification and documentation of all functions, roles and responsibilities relating to ICT within the company.

In addition, the immediate reporting of ICT incidents to the competent authorities is required. As mentioned above, it is also mandatory to comply with criteria that classify the different types of risk and standardise communication processes across Europe, so that major ICT-related incidents can be communicated to customers, counterparties and the public.

Finally, financial entities will have to conduct threat-led penetration tests (TLPT), which are simulations of cyber attacks, in order to assess the security of their systems and measure the effectiveness of their countermeasures. These tests should be carried out at least every three years, depending on the risk profile of the financial entity, and may be performed only by certified testers who have the necessary skills and suitability and are covered by professional liability insurance.

Since the great financial crisis of 2008, several reforms have been implemented that have strengthened the financial stability of the sector. However, the increasing reliance on third parties by financial institutions, while beneficial in some respects, could increase operational risk and the likelihood of mismanagement.

In conclusion, the DORA Regulation represents a fundamental step towards strengthening the digital resilience of the European financial sector. Its provisions aim to ensure that financial institutions are adequately prepared to manage the risks associated with information and communication technologies, reducing vulnerabilities and improving protection against cyber attacks and service disruptions. Although the adoption of these measures entails challenges and investments for the entities involved, the creation of a clear and coherent regulatory framework helps to protect the entire European financial system, increasing user confidence and ensuring greater operational stability. Sanctions for non-compliance underline the importance of meeting the new standards, while a proactive approach to managing ICT risks and cooperation with third-party providers are essential to ensure long-term protection against emerging digital risks.

Sources: https://european-union.europa.eu/index_en, https://www2.deloitte.com/cz/cs.html, https://www.lospecialegiornale.it/
