top of page
  • Bartłomiej Dmitruk

DORA - new requirements to strengthen the cybersecurity of financial institutions

Given the ever-increasing risk of cyber attacks, the European Union has decided to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. In May/June 2022, the Council Presidency and the European Parliament reached an interim agreement on the Digital Operational Resilience Act (DORA), which will enable the financial sector in Europe to maintain resilient operations in the event of a major operational disruption.




Scope of DORA regulations


DORA sets out uniform requirements for the security of the networks and information systems of companies and organisations operating in the financial sector, as well as of critical third parties that provide information and communications technology (ICT)-related services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework for digital operational resilience, under which all companies must make sure that they are able to withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are uniform for all EU Member States. The main objective is to prevent and mitigate cyber threats.


Almost all financial entities will be subject to the new rules. DORA covers a wide range of financial institutions, including but not limited to credit institutions, payment institutions, e-money institutions, investment firms, cryptocurrency providers, central securities depositories, alternative investment fund managers, management companies, crowdfunding providers and third-party ICT providers. Many companies that were previously not subject to specific ICT regulation are within the proposed scope of DORA. Under the interim agreement, auditors will not be subject to DORA, but will be part of a future review of the regulation, where a possible revision of the rules may be considered.


Under the interim agreement, the new DORA provisions will provide a very robust framework that will enhance the IT security of the financial sector. The efforts required of financial entities will be defined in proportion to the potential risks.


Critical third-country ICT service providers to financial entities in the EU will have to set up a subsidiary in the EU to enable proper implementation of supervision.


Regarding the supervisory framework, the co-legislators agreed on the choice of an additional common supervisory network to strengthen coordination between European supervisors on this cross-sectoral topic.


Under the provisional agreement, penetration tests will be carried out on a functional basis and it will be possible to include authorities from several Member States in the testing procedures. The use of internal auditors will only be possible in a few strictly limited circumstances, subject to protective conditions.


As regards the interaction of DORA with the Network and Information Security (NIS) Directive, under the interim agreement, financial entities will be given full clarity on the various digital operational resilience provisions they have to comply with, in particular for financial entities with several authorisations and operating in different markets in the EU. The NIS Directive continues to apply. DORA builds on the NIS Directive and resolves potential overlaps by excluding lex specialis.


The provisional agreement is subject to approval by the Council and the European Parliament before proceeding to formal adoption.


Once the DORA proposal is formally adopted, it will be enacted by each EU Member State. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards that all financial services institutions, from banking to insurance to asset management, will have to comply with. The relevant national competent authorities will act as compliance supervisors and enforce the regulation where necessary.


Background


The Commission presented the DORA proposal on 24 September 2020. It is part of a larger digital finance package that aims to develop a European approach to foster technological development and ensure financial stability and consumer protection. In addition to the DORA proposal, the package includes a digital finance strategy, a proposal on cryptocurrency markets (MiCA) and a proposal on Distributed Ledger Technology (DLT).


The package fills a gap in existing EU legislation by ensuring that the current legal framework is not a barrier to the use of new digital financial instruments, while also ensuring that such new technologies and products fall within the scope of financial regulation and operational risk management arrangements of firms operating in the EU. The package therefore aims to encourage innovation and the deployment of new financial technologies while ensuring an adequate level of consumer and investor protection.


The Council adopted the negotiating mandate for DORA on 24 November 2021. The dialogue between the co-legislators started on 25 January 2022 and ended in May/June 2022 with an interim agreement reached.


The text of the proposed DORA legislation can be found in the link below:


Impact on Virtual Data Room services provided to the financial sector in EU


Virtual Data Room services, are cloud services that will be subject to DORA regulations, provided to the wider financial sector within the European Union. Providers of the VDR service will have to comply with DORA requirements, both formal (the provider is based in the EU) and technical, directly related to cyber security.


SECUDO's Virtual Data Room meets the requirements of the Polish Financial Supervision Authority's recommendation on the use of cloud solutions. It can therefore be used in projects carried out by supervised institutions in the financial market.


About us


DealDone is a specialised company offering high quality information and data security products. We offer digitisation services and software in the field of modern technologies for the circulation of confidential information, classified information, sensitive data and the digitisation, security, encryption and sharing ofdata and documents inside and outside the organisation.


DealDone has developed and marketed the Virtual Data Room SECUDO.SECUDO is a platform for the secure data sharing and processing ofconfidential information, offered in a Software-as-a-Service model for businesscustomers.


Comments


bottom of page