On September 24, 2020, the European Commission published its proposal for the Digital Operational Resilience Act (DORA), a draft Regulation on the digital operational resilience of financial sector entities. The regulation is intended to preserve and promote robust ICT risk management standards in financial institutions in the EU while supporting innovation. Who will the new provisions apply to, and to what extent?
The context of the regulation is wide and it relates to the overall digital strategy for the financial sector of the European Union. Its goal is, among others, to develop the competitiveness of the financial sector, introduce better products to the market, and bring financial support for the European economy, including the green transformation.
The COVID-19 pandemic has accelerated the digitization of many sectors. The European Commission, aware of the need for digital transformation and of the challenges faced by, among others, financial institutions that are particularly exposed to digital disruptions and attacks, proposed a package of measures containing, in addition to the DORA proposal, a proposed regulation on markets in crypto-assets, a pilot regime for market infrastructures based on distributed ledger technology (DLT), and a proposed directive clarifying or amending certain related EU financial services rules. Taken together, these measures aim to reduce digital threats to financial institutions and to require them to achieve and maintain digital operational resilience.
According to the Commission, ICT (information and communications technology) risks constitute a challenge to the operational resilience, efficiency and stability of the EU financial system, and the prudential measures introduced after the 2008 crisis were not accompanied by uniform rules for countering digital threats. In 2019-2020 the Commission carried out public and expert consultations in the Member States, which helped shape the framework for ICT risk management in relation to financial services.
The policy option adopted by the Commission would, among other things:
- provide companies in the SME sector with clarity about the rules, which should reduce the cost of complying with them;
- reduce the number and average cost of incidents, to the benefit of society through greater confidence in the financial services sector;
- encourage wider use of the latest generation of ICT infrastructure and services, which are expected to be more environmentally sustainable.
Importantly, the scale of the obligations arising from the regulation would be proportional to the size of a given entity and the risk associated with its activities. The authors of the proposal point out that large companies already pursue cybersecurity policies based on international standards. The new standards proposed by the European Commission under DORA should not differ materially from those currently in use, which is intended to keep the cost of adapting to the EU rules low.
Which entities would be covered by the regulation?
As we read in the proposal, the regulation will cover:
“a range of financial entities regulated at Union level, namely credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks and crowdfunding service providers”.
The obligations of such entities, where they are not micro-enterprises, are to include, among others:
- establishing complex governance arrangements for ICT risk;
- setting up and maintaining specific management functions;
- carrying out in-depth risk assessments following major changes to network and information system infrastructures;
- conducting regular risk analyses of legacy ICT systems;
- extending the scope of testing of business continuity plans and response and recovery plans.
Notably, the overriding principle is the full responsibility of the management body for the management of the financial entity’s ICT risk.
Third-party cloud solutions and DORA
Similar to practice already in place in several Member States, the DORA regulation also sets out minimum requirements that ICT providers should meet in order to mitigate digital threats to the financial sector. A key proposal is the introduction of pan-European standardization for this type of provider.
The regulation “seeks to promote convergence on supervisory approaches to the ICT third-party risk in the financial sector by subjecting critical ICT third-party service providers to a Union oversight framework”, the release reads.
The plans of the European Commission go further still: the proposal also provides for arrangements under which financial entities can exchange cyber threat information with one another.
“To raise awareness on ICT risk, minimize its spread, support financial entities’ defensive capabilities and threat detection techniques, the regulation allows financial entities to set-up arrangements to exchange amongst themselves cyber threat information and intelligence.”
The intended effect of these measures is therefore a coherent and transparent regulatory environment for the European financial sector with regard to ICT threats.
Technology companies operating in the European Union are already preparing for the changes that the legislation may eventually require. As an external ICT provider that meets the recommendations on the processing of information in public and hybrid clouds by regulated entities, FORDATA is closely monitoring new regulatory proposals at the European level. We are awaiting the final version of the Regulation, and when the new rules enter into force we will be ready to continue supporting financial institutions through their technological transformation.