- DORA is a European Union regulation: it applies directly in all Member States and does not require transposition into national law.
- DORA is one element of the digital finance package created by the European Commission: its main objective is to create regulations that will enhance security in the EU’s digital financial sector.
- The new rules will constitute a kind of ‘code’ for the broader area of ICT (Information and Communication Technologies) and its use by financial institutions.
- DORA will affect both financial entities and third-party ICT service providers, who will from now on be subject to direct supervision by the competent European and national authorities. In the consumer finance realm, such IT providers may also include retail and e-commerce entities involved in sales finance.
KEY DORA INFORMATION
Harmonisation of risk management
- Obligation to have a specific ICT risk management policy in place as required by the regulation;
- Entities must designate appropriate roles and responsibilities for cyber risk management and perform regular audits;
- Obligation to prepare specific strategies, in particular: business continuity policies, internal and external audit plans, cyber resilience strategies;
ICT incident management
- Requirement to create ICT risk scenarios and a list of risks and update them regularly;
- Obligation to put in place an incident action and communication plan and an ICT emergency recovery plan;
Digital resilience testing
- Development of a digital resilience testing programme;
- Mandatory testing of all key ICT systems and tools on a regular basis, at least annually, for vulnerability, performance and security, among others;
Regulating relationships with ICT service providers
- ICT risk management in relationships with external service providers: obligation to introduce and regularly update policies on such collaborations and their associated risks so as to ensure the highest level of digital security;
- Specific requirements for contracts for the transfer of a key or important function;
- Rules for sharing and exchanging information on ICT risks between financial institutions and service providers;
Supervisory cooperation
- Introduction of rules setting out principles for cooperation between European supervisors and the national authorities responsible for financial institutions;
- Emphasis on information sharing on common cyber risks and sharing of practices;
- Definition of supervisory, investigative and sanctioning powers.