DORA Regulation: Digital operational resilience in the financial sector
The Digital Operational Resilience Act (DORA) is a European-level Regulation that came into effect on January 16, 2023, and will be applicable from January 17, 2025.
DORA aims to enhance the cybersecurity of financial entities such as banks, insurance companies, and investment firms, ensuring that the financial sector in Europe can remain resilient against severe operational disruptions.
Among its objectives, DORA seeks to harmonize rules related to operational resilience for the financial sector, applying to 20 different types of financial entities and information and communication technology (ICT) service providers.
The need for this Regulation arises from the innovation in the financial sector, as it increasingly relies on technology and tech companies to provide financial services. This vulnerability to cyber-attacks or incidents highlights the importance of digital operational resilience in the financial sector.
What is DORA, Digital Operational Resilience Act?
DORA addresses this by establishing a robust regulatory framework for managing risks related to information and communication technology (ICT) in financial entities.
Its main objectives are:
- ICT Risk Management: Financial institutions must identify, assess, and manage computer and cybersecurity risks.
- Business Continuity: Develop comprehensive business continuity plans to ensure service provision during operational disruptions.
- Supervision and Oversight: Supervisory authorities will evaluate the operational resilience of financial entities.
Following this, and analyzing Article 1 of this Regulation, we can extract that in order to achieve a high common level of digital operational resilience, uniform requirements regarding the security of network and information systems supporting the business processes of financial entities must be met. These requirements include:
(a) For financial entities:
- Management of ICT risk.
- Notification of significant incidents and cyber threats to competent authorities.
- Notification of significant incidents related to operational or security payments.
- Conducting digital operational resilience tests.
- Exchange of information on cyber threats and vulnerabilities.
- Implementation of measures to properly manage third-party ICT-related risks.
(b) Requirements in contractual agreements between third-party ICT service providers and financial entities.
(c) Establishment and implementation of the Oversight Framework for critical third-party ICT service providers when providing services to financial entities.
(d) Rules for cooperation among competent authorities, as well as rules for supervision and enforcement in relation to all aspects covered by the regulation.
DORA and GDPR
As we know, the General Data Protection Regulation (GDPR) is a cross-cutting regulation that affects virtually all sectors. In this case, we will analyze whether DORA also emphasizes compliance with requirements regarding the protection of personal data.
DORA also emphasizes the protection of personal data. While the text highlights the importance of fostering the exchange of information and intelligence on cyber threats among financial entities, it also emphasizes the need to collectively utilize knowledge and practical experience to improve assessment, monitoring, defense, and response to cyber threats.
It is urged that security mechanisms be applied during participation in information exchange agreements to ensure compliance with EU regulations on competition and data protection, based on the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council.
Furthermore, it is important to note that among the requirements established for financial entities, there is also an obligation to include in agreements with ICT and third-party providers contractual clauses that guarantee accessibility, availability, integrity, security, and protection of personal data.
If you are a financial entity or another type of entity that may fall within the scope of DORA, do not hesitate to send us your doubts and concerns. At Letslaw, we are experts in Fintech and regulated sectors and our team of data protection lawyers.
Letslaw es una firma de abogados internacionales especializada en el derecho de los negocios.
