A New Regulation for the Financial Sector Called DORA Takes Effect Next Year! How Does it Affect Digital Infrastructure?
At the beginning of next year, a new regulation called DORA will come into effect in the European Union. This regulation aims to reduce the digital vulnerability of the financial sector. The goal is to improve companies' ability to withstand, adapt, and quickly recover from various ICT disruptions, such as technical failures and cyberattacks. However, this comes with a set of requirements affecting banks, cryptocurrency service providers, and insurers, among others—thousands of organisations operating across Europe. What will DORA regulate, and what should you start doing before the new year begins?
What is DORA?
“So far, ICT risks in the financial sector have been regulated differently in different EU member states, but now the basic requirements will be unified,” comments the Estonian Financial Supervision and Resolution Authority. DORA, the Digital Operational Resilience Act, will take effect on 17 January 2025. This regulation deals with the digital operational resilience of the financial sector. This means ensuring that businesses can maintain continuity and security even in crisis situations. According to the Estonian Financial Supervision and Resolution Authority, this applies to most of the financial sector. The changes will affect banks, payment institutions, electronic money institutions, investment firms, cryptocurrency service providers, trading platforms, insurers and intermediaries, fund managers, and crowdfunding service providers.
DORA was created to reduce the financial sector's vulnerability in the digital world. Technology is evolving rapidly, and the financial sector is becoming increasingly dependent on ICT systems. “The regulation aims to reduce the risk of disruptions to business processes and critical functions in the financial sector that can affect the information and financial assets of companies and customers alike. These disruptions can be caused by technical failures, operational errors, or cyberattacks. The regulation will also help increase the protection of financial services clients and investors,” the Estonian Financial Supervision and Resolution Authority explains.
What Will DORA Regulate?
As mentioned, DORA focuses heavily on the security and reliability of ICT systems and services. The financial sector is becoming increasingly technology-based and relies heavily on IT solutions. DORA requires financial institutions to adopt comprehensive measures to manage ICT risks and ensure digital operational resilience. This doesn't just involve technological solutions and infrastructure, but also improving organisational processes and training employees.
The regulation includes requirements for managing ICT risks, classifying ICT incidents and reporting them to supervisory authorities, testing digital operational resilience, managing third-party ICT risk, and sharing information among financial institutions.
What Should Be Considered Going Forward?
Regular Testing: Financial institutions must regularly test the security and physical reliability of their IT systems. This includes conducting attack simulations to ensure continuity and identify vulnerabilities before they become real problems.
Incident Procedures: Companies need to establish procedures for quickly classifying and reporting ICT incidents. For example, they must create guidelines for handling data breaches and ensure that relevant authorities are notified promptly.
Third-Party Assessments: Financial institutions must regularly assess and monitor the reliability and security of third-party ICT service providers. All contracts should contain clear, verifiable requirements for security and service continuity, and these should be reviewed regularly.
Resilience Plans: Companies must develop and implement digital operational resilience plans that include crisis management strategies and recovery procedures. These plans should be tested and updated to ensure readiness for potential emergencies.
Risk Management Integration: ICT risk assessment must be integrated into the daily activities of the company. This means continuous monitoring and regular audits. Companies need to create mechanisms for identifying, assessing, and effectively managing risks.
It is important to note that DORA follows the principle of proportionality. This means that there are exemptions for micro, small, and medium-sized enterprises, as well as other companies specified by directives. However, large multinational companies must review their IT footprint and its security and reliability.
Financial Institutions Must Also Review Service Providers
“It is important to understand that DORA applies not only to financial institutions but also to ICT service providers serving the financial sector. This sets higher quality expectations for providers, making it easier for financial institutions to audit and pass audits,” explains Martin Rungi, who deals with the needs of this sector daily at the largest data center in the Baltic States.
Physical security of equipment rooms is also a focus. “Comprehensive cyber security is only beneficial if there are no shortcomings in physical security. In some cases, unauthorised individuals have had free access to ICT equipment. If someone with bad intentions cuts the power, it can cause a significant disruption. Therefore, a data center service provider must convincingly explain and demonstrate how they protect clients' equipment,” Rungi explains.
Reliability is another focus. “When working through risk scenarios, it’s essential to ensure the resilience of the IT infrastructure. Simply put, if there is no power in business-critical devices, there is no bank. Therefore, financial institutions must demand audited confirmation from the data center that reliability is indeed guaranteed, or they must conduct extensive audits of equipment rooms themselves, which is extremely time-consuming and knowledge-intensive. This requires hiring a specialist with specific expertise,” adds Greenergy Data Centers' segment manager.
Certification of data centers is also important. “A proper certificate can significantly simplify the proof of compliance with DORA or other regulations because the auditor does not need to examine all the infrastructure in detail. Certification is already proof of compliance. This significantly reduces the client’s burden,” Rungi adds. According to him, financial institutions should clearly agree with their ICT infrastructure provider on how the latter will help them comply with DORA requirements and pass audits more smoothly.
What Else Should You Know?
It is important for companies in the financial sector to familiarise themselves with DORA requirements before the new year and to take action if needed.
In summary, financial institutions have a lot of work ahead to adapt their ICT systems and processes to the new requirements. However, ultimately, this will contribute to a safer and more stable financial sector, which will benefit the financial institutions themselves.
Comments: Andrus Tamm, Product Development and Technology Manager at SEB Estonia
What opportunities does DORA offer to make IT systems more secure and reliable?
DORA’s requirements are based on long-term experience. People working in cyber security, business continuity, and IT operations have been talking about similar requirements and corresponding action plans for a long time. DORA now provides clearer requirements and describes them in more detail. This gives those responsible for the system as a whole (regulators) the opportunity to conduct data analysis and make more systematic conclusions and recommendations when assessing cyber resilience. For example, we haven’t had uniform criteria for assessing incidents so far; each company assessed them based on their needs and experience.
DORA provides a good basis and framework for creating protective mechanisms in a company. It is certainly not free, but just as we don’t forget to insure our cars—and despite it being mandatory, we value the requirement highly when we encounter an incident and receive compensation—DORA is a requirement that provides the opportunity to create a resilient operating environment. It is a need that has quietly grown into a major part of our lives, our digital lives, and the digital services we use daily and need to protect diligently. A digital service is not just an asset; it is primarily a responsibility to ensure its operation.
DORA appropriately addresses major cyber security challenges, such as thorough vulnerability testing and the duty of care towards third parties and its documentation and control. Companies have been reluctant to check the diligence of their service providers. If the service provider is very large, the disproportionate size often results in insufficient control or even no control at all. In the case of DORA, our European central regulators have enough power to balance this situation.
How does careful planning of IT systems and the use of data centers built and certified to high standards make it easier to comply with DORA requirements?
SEB highly values the diligence of our partners and their willingness to share information about fulfilling their obligations. When building large systems, we must specialise and do what is within our capacity. SEB does not build its own data centers; we purchase this service from specialised companies. We do the same with many services or products that we can find on the market. Like any service outsourcing, this field requires critical knowledge on our part to assess whether our partners operate appropriately for us. Part of this is definitely compliance with laws and regulations.
We highly value our partners’ willingness to build their services and systems according to best practices and actions, proven by certifications. I am very pleased that Greenergy Data Centers has done excellent work in this area and holds certifications that help clarify the diligence measures used in service assessment.