New IT solutions and increased digitization entail an increased risk of being exposed to IT-related attacks. Digital resilience is therefore more important than ever. Lina Sandmark, a lawyer at Kompass Advokat specializing in regulatory issues in the financial sector, reviews the proposed DORA Regulation, which aims to increase IT security in the financial sector.
The DORA Regulation
Old IT systems are being replaced by new and more connected solutions. As companies become more digital, the risk of cyber attacks and other IT-related risks increases. In light of this, the European Commission has seen a need to produce a new regulation. On September 24, 2020, the Commission presented a package on the digitization of the financial sector, of which the DORA Regulation (the Digital Operational Resilience Act) was a part. The regulation aims to ensure that players in the financial sector take the necessary protective measures to counter cyber attacks and other IT-related risks.
The DORA Regulation applies to many different organizations in the financial sector. Credit institutions, payment institutions, central securities depositories, trading venues, fund companies, insurance companies, insurance intermediaries and auditing firms are examples of the entities that fall under the regulation's collective term "financial entities".
Four areas of focus
The DORA Regulation contains requirements that aim to prevent disruptions and threats related to information and communication technology (ICT), e.g. cyberattacks. The DORA Regulation can be divided into four areas: governance and risk management, reporting, testing and a completely new supervisory framework for ICT suppliers in the financial sector.
Governance and risk management is about regulations that place demands on management's responsibilities, organization and control over ICT risks. There will be new requirements for documentation and development of an ICT risk framework which, among other things, includes policies, strategies and security tools.
The reporting requirements are partly about introducing new reporting requirements for the organizations covered by the regulation, and partly about harmonizing the already existing reporting requirements in the NIS Directive and the PSD Directive in such a way that the entities do not have to report in accordance with all the regulations. The reporting requirements are also about developing appropriate processes and classifying ICT incidents based on various factors such as the number affected and the duration.
Some financial entities will be subject to requirements for testing ICT security. The requirement is about how and to what extent entities need to test their systems in order to identify and prevent shortcomings.
The provisions regarding the supervisory framework for ICT providers aim to enable monitoring of the ICT providers in the financial sector that are considered critical. The supervision covers, among other things, whether the ICT provider has sufficiently comprehensive and efficient processes and mechanisms to be able to manage the ICT risks to which the financial entity may be exposed.
The DORA Regulation has not yet been adopted, as the European Parliament and Council are still negotiating. The regulation must also be subject to consultation. At this point, it is difficult to assess when the regulation will enter into force; it will probably take at least a year, plus maybe another six months to a year, before it is to be applied.
Many of the requirements in the Regulation overlap with the requirements set out in the ICT guidelines developed by EBA and EIOPA. When working with and implementing these guidelines, it may therefore be a good idea to look at the proposed requirements in the DORA Regulation at the same time. The EBA Guidelines came into force on June 30, 2020, while the EIOPA Guidelines will take effect on July 1, 2021.
Even if the applicability of the DORA Regulation is relatively far ahead, it may be good for entities covered by the Regulation to get ready for what is to come. A first step is to map the requirements and carry out a gap analysis to examine what measures need to be taken to meet the suggested requirements. This will also help companies to increase their digital resilience in general, and thus already reduce their operational risk.