Getting ready for DORA
For many years, the financial sector was viewed as conservative and making minimal use of modern technology. However, the last 20 years have brought changes and a real arms race has begun. Today, banks and financial institutions are successfully using cloud computing, big data, virtual assistants, blockchain and AI.
To take full advantage of new technologies and services, however, financial market players are becoming increasingly dependent on software, computing resources and IT networks and systems, either their own or those of external ICT (information and communications technology) service providers.
In simple terms, ‘ICT’ refers to all digital and data services provided on a continuous basis by ICT-enabled systems to one or more users, external or internal. Examples of ICT services are data hosting and cloud computing.
But there are dangers in this new ICT-enabled world. Last year, CERT Polska – the team set up to respond to online security incidents – handled 2,944 incidents targeting banks, 21 of which were serious, and 2,813 incidents targeting financial market infrastructure. These incidents can involve both phishing and malware, and show how desirable the information processed by the financial sector is to criminals. We can therefore assume that the number of attacks will steadily rise.
Who is the Digital Operational Resilience Act aimed at?
DORA, the EU regulation on the digital operational resilience of the financial sector, focuses mainly on players operating in this market such as:
- Credit institutions
- Insurance companies
- Payment institutions
- Investment firms
- Insurance intermediaries
DORA will also cover third-party ICT service providers and will apply to the requirements of contracts between financial market entities and these providers. Thus, entities providing services to the financial market and using resources or networks in information systems for this purpose will have to adapt their activities and amend the terms and conditions of their contracts accordingly.
Do we have much time to implement DORA?
Nine months have already passed since the adoption and promulgation of the DORA Regulation, while it is expected to enter into force in 15 months’ time on 17 January 2025, which is a tight deadline in this case.
A number of actions need to be taken by both financial market participants and external ICT service providers, including:
- Building or reviewing the quality of the governance framework related to ICT risks
- Developing and implementing policies, procedures, protocols and tools to ensure ICT security
- Adapting contractual terms and conditions
From today’s perspective, it is clear that financial market participants should start implementing DORA at their earliest opportunity. However, it is advisable to plan thoroughly beforehand and organise tasks in precise stages, as regulatory technical standards are still being developed to clarify many of these issues. So a lot of interesting and challenging work lies ahead.