The Digital Operational Resilience Act (DORA): A Double-Edged Sword?


The Digital Operational Resilience Act (DORA) is a revolutionary regulation introduced by the European Union (EU) that aims to bolster IT security and digital resilience in financial entities. But is it a panacea for all cybersecurity woes or a Pandora’s box of new challenges?

In an era where cyber threats are escalating and digital infrastructure is constantly under attack, the EU’s introduction of DORA in 2020 is a timely response to these growing concerns. By following the precedent set by the Bank of England, the EU has designed this groundbreaking regulation to ensure that the European banking sector remains resilient in the face of severe Information and Communication Technology (ICT) disruptions. DORA aims to address unexpected events by covering several key areas, including ICT risk management, ICT third-party risk management, digital operational resilience testing, and the reporting of major ICT-related incidents.

With the regulation set to apply in 2025, financial institutions have had ample time to prepare. However, the sweeping changes DORA brings pose significant challenges alongside its benefits. Financial entities, IT departments, and third-party vendors must navigate these changes to enhance their cybersecurity posture. The following sections of this article will delve into the identified areas for consideration and potential future improvements, helping stakeholders understand and prepare for the road ahead.


One-size-fits-all
DORA applies to 20 different types of financial entities and ICT third-party service providers (EU, 2023). While large financial institutions may have the resources and expertise to comply with the regulation, the one-size-fits-all approach could place smaller financial entities under significant cost pressure due to the complexity of implementation (Linna, 2024). This raises a critical question: How flexible are the policies and governance bodies in adapting to the unique needs and circumstances of each entity?

ICT Service Providers of Providers of Providers
The landscape of third-, fourth-, and N-party service providers must be assessed to understand their impact on the overall resilience profile of a financial entity (DORA Article 29; EU, 2022). Granularly mapping the value chain to the lowest levels requires significant investment in managing third-party relationships, reviewing contracts, conducting stress tests, and mitigating associated risks. Bazzi Consulting offers a critical perspective: Why not allow a certain degree of unpredictability in the system to maintain a space for innovation and creativity?

Fragmented regulatory bodies
One of the main objectives of DORA is to centralize regulations across multiple EU member states' regulatory bodies (Antounio, 2024). While this effort helps unite regulators under one umbrella, it addresses the consequences rather than the root issue: the regulatory bodies within the EU are not only fragmented but also divided along sectoral lines (Buttigieg et al., 2024). Bazzi Consulting raises a critical point: Why doesn’t the EU centralize the critical governance bodies and operate independently from sectoral lines?

Technological advancement
The rapid emergence of Artificial Intelligence (AI) technologies exemplifies how swiftly the technological landscape can change. Each innovative breakthrough introduces new cyber threats, necessitating robust cybersecurity measures. As technology evolves, it becomes crucial for regulatory bodies to stay ahead of potential threats. Regulators must consider the concerns of C-level executives, addressing a critical question: How will current cybersecurity measures keep pace with the rapidly evolving technology and cyber threat landscape?

The bottom line
The Digital Operational Resilience Act (DORA) marks a significant advancement in bolstering IT security and digital resilience among financial entities within the European Union. While aiming to establish a unified framework, DORA’s implementation poses several challenges. This article has highlighted a few of these challenges, aiming to raise awareness of what financial institutions can anticipate and how regulators can enhance their approach.

For expert guidance in navigating DORA’s requirements and ensuring your organization is well-prepared, contact Bazzi Consulting today. Our specialized services can help enhance your digital resilience, streamline compliance processes, and proactively address evolving cyber threats. Schedule a consultation by reaching out to us through the contact form and do not forget to follow us on LinkedIn.


References
Antounio, T. (2024). Understanding the Digital Operational Resilience Act (DORA): A Comprehensive Guide for Financial Institutions. [online] Spencer West. Available at: https://www.spencer-west.com/news/understanding-the-digital-operational-resilience-act-dora-a-comprehensive-guide-for-financial-institutions/ [Accessed 17 Jul. 2024].

Buttigieg, C.P. and Zimmermann, B.B. (2024). The digital operational resilience act: challenges and some reflections on the adequacy of Europe’s architecture for financial supervision. ERA Forum. https://doi.org/10.1007/s12027-024-00793-w

EU (2022). Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011. [online] Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554 [Accessed 17 Jul. 2024].

EU (2023). Digital Operational Resilience Act (DORA). [online] Available at: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en [Accessed 16 Jul. 2024].

Linna, L. (2024). Key challenges related to Dora: cost, ICT provider mapping, sub-outsourcing. [online] Available at: https://delano.lu/article/dorothee-ciolino-key-challenge [Accessed 16 Jul. 2024].
