On September 24, 2020, the European Commission published the Digital Operational Resilience Act (DORA), a draft Regulation on the operational resilience of financial sector entities against digital threats. The regulation is intended to preserve and promote robust ICT risk management standards in financial institutions across the EU, while still supporting innovation. Who will the new provisions apply to, and to what extent?
As we read in the proposal, the regulation will cover:
a range of financial entities regulated at Union level, namely credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks and crowdfunding service providers.
Notably, the overriding principle is the full responsibility of the management body for the management of the financial entity’s ICT risk.
Similar to the practice already in place in a number of Member States, the DORA regulation also sets out the minimum requirements that ICT providers should meet in order to mitigate digital threats to the financial sector. A key proposal is the introduction of pan-European standardization for such providers.
The regulation "seeks to promote convergence on supervisory approaches to the ICT third-party risk in the financial sector by subjecting critical ICT third-party service providers to a Union oversight framework".
To raise awareness of ICT risk, limit its spread, and support financial entities' defensive capabilities and threat detection techniques, the regulation allows financial entities to set up arrangements to exchange cyber threat information and intelligence amongst themselves.