What is the EU’s Digital Operational Resilience Act? DORA, explained

Financial services firms and their digital technology suppliers are under intense pressure to comply with tough new EU rules requiring them to increase their cyber resilience.

Early next year, financial services firms and their technology suppliers will have to ensure they comply with a new European Union law known as DORA, or the Digital Operational Resilience Act.

CNBC runs through what you need to know about DORA, including what it is, why it matters and what banks are doing to ensure they’re prepared.

What is DORA?

DORA requires banks, insurance companies and investment firms to strengthen their IT security. The regulation also aims to ensure that the financial services sector stays resilient in the event of a serious business disruption.

Such disruptions could include a ransomware attack that forces a financial company to shut down its computers, or a DDoS (distributed denial of service) attack that knocks a company’s website offline.

The regulation also aims to help companies avoid major disruptions such as last month’s historic IT outage, caused by cybersecurity company CrowdStrike when a faulty software update from the company crashed machines running Microsoft’s Windows operating system.

Multiple banks, payment companies and investment companies – from JPMorgan Chase and Santander to Visa and Charles Schwab – were unable to provide service because of the malfunction. It took these companies several hours to restore service to consumers.

In the future, such an event would fall under the type of service disruption that would be scrutinized under the new EU rules.

Mike Sleightholme, president of fintech company Broadridge International, notes that a standout factor about DORA is that it not only focuses on what banks are doing to ensure resilience, but also scrutinizes companies’ technology suppliers.

Under DORA, banks will be required to implement rigorous IT risk management, incident management, classification and reporting, digital operational resilience testing, information and intelligence sharing related to cyber threats and vulnerabilities, and measures to manage third-party risks.

Companies will be required to carry out assessments of the “concentration risk” associated with the outsourcing of critical or important operational functions to external companies.

These IT providers often deliver “critical digital services to customers,” says Joe Vaccaro, general manager of Cisco-owned network intelligence company ThousandEyes.

“These third-party vendors must now be part of the testing and reporting process, which means financial services firms must adopt solutions that help them expose and map these sometimes hidden dependencies with providers,” he told CNBC.

Banks will also need to “expand their ability to guarantee the delivery and performance of digital experiences, not just across the infrastructure they own, but also across the infrastructure they don’t,” Vaccaro added.

When does the law apply?

DORA entered into force on January 16, 2023, but the rules will not be enforced by EU member states until January 17, 2025.

The EU has prioritized these reforms because of the way the financial sector is becoming increasingly dependent on technology and technology companies to provide essential services. This has made banks and other financial services providers more vulnerable to cyber attacks and other incidents.

“There’s a lot of focus now on third-party risk management,” Sleightholme told CNBC. “Banks use external service providers for important parts of their technological infrastructure.”

“Improved recovery time targets are an important part of this. It’s really about security around technology, with a particular emphasis on restoring cybersecurity after cyber events,” he added.

Many digital policy reforms in the EU in recent years have tended to focus on the obligations of companies themselves to ensure that their systems and frameworks are robust enough to protect against harmful events such as data theft by hackers or other unauthorized individuals and entities.

For example, the EU’s General Data Protection Regulation (GDPR) requires companies to process personal data only on a lawful basis, such as consent, and to put adequate protections in place to minimize the chance of that data being exposed in a breach or leak.

DORA will focus more on banks’ digital supply chains – which represents a new, potentially less comfortable legal dynamic for financial companies.

What if a company doesn’t follow the rules?

For financial companies that fail to comply with the new rules, EU authorities will have the power to impose fines of up to 2% of their annual global revenues.

Individual managers can also be held responsible for violations. Sanctions against individuals within financial entities can amount to 1 million euros ($1.1 million).

For IT providers, regulators can impose fines of up to 1% of the average daily global turnover in the previous financial year. Companies can also be fined every day for up to six months until they comply with the rules.

External IT companies deemed ‘critical’ by EU regulators could face fines of up to €5 million – or, in the case of an individual manager, a maximum of €500,000.

That is slightly less strict than a law like the GDPR, under which companies can face fines of up to 20 million euros or 4% of their annual global turnover, whichever is higher.

Carl Leonard, EMEA cybersecurity strategist at security software company Proofpoint, emphasizes that criminal sanctions may vary from Member State to Member State, depending on how each EU country applies the rules in its respective markets.

DORA also calls for a “principle of proportionality” when it comes to sanctions in response to violations of the legislation, Leonard added.

This means that any response to legal shortcomings must balance the time, effort and money that companies spend on improving their internal processes and security technologies against how critical the service they offer is and what data they are trying to protect.

Are banks and their suppliers ready?

Stephen McDermid, chief security officer EMEA at cybersecurity firm Okta, told CNBC that many financial services firms have prioritized using existing internal operational resilience and third-party risk programs to become compliant with DORA and “identify any gaps.”

“This is the intention of DORA to align many existing governance programs under a single supervisory authority and harmonize them across the EU,” he added.

Fredrik Forslund, vice president and general manager of International at data sanitization company Blancco, warned that while banks and technology providers have made progress toward DORA compliance, there is still “work to be done.”

On a scale of one to 10 — where one represents non-compliance and 10 represents full compliance — Forslund said, “We’re at six and we’re trying to get to seven.”

“We know we have to be at 10 in January,” he said, adding that “not everyone is going to be there in January.”
