ICT-related incidents now fall under a new law that places strict requirements around management of ICT-related disruptions.
The EU’s new Digital Operational Resilience Act (DORA) came into force on 16 January 2023 and sets new standards and requirements relating to protection, detection, containment, recovery and repair of ICT-related incidents.
Before DORA, organisations managed the main categories of operational risk through the allocation of capital, but they did not manage all components of operational resilience.
Now they must also follow rules on protection, detection, containment, recovery and repair capabilities for ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring.
The new regulation acknowledges that ICT-related incidents and a lack of operational resilience can jeopardise the soundness of the entire financial system, even where there is ‘adequate’ capital for the traditional risk categories.
In order to achieve a high common level of digital operational resilience, the regulation lays down uniform requirements concerning the security of network and information systems supporting business processes, including: ICT risk management; reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities; reporting of major operational or security payment-related incidents to the competent authorities; digital operational resilience testing; information and intelligence sharing in relation to cyber threats and vulnerabilities; and measures for the sound management of ICT third-party risk.
The full name of the new law is ‘Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011’.
The Digital Operational Resilience Act (DORA) is a Regulation, not a Directive, so it is binding in its entirety and directly applicable in all EU Member States.
DORA also includes a proposal for regulation on markets in crypto assets and distributed ledger technology (DLT) market infrastructure.
Digital technology, or information and communication technologies (ICT), gives rise to opportunities as well as risks. These need to be well understood and managed, especially in times of stress.
Policymakers and supervisors have therefore increasingly focused on risks stemming from reliance on ICT. They have notably tried to enhance firms’ resilience by setting standards and by coordinating regulatory and supervisory work. This work has been carried out at both the international and European level, both across industries and for a number of specific sectors.
DORA applies to critical third parties which provide ICT-related services. It creates a regulatory framework on digital operational resilience, whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.