Proportionality is vital for a regulation of this nature
May 6, 2024
DORA represents a significant milestone in the EU’s efforts to strengthen the cybersecurity and operational resilience of financial entities.
The EU’s Digital Operational Resilience Act (DORA), which will become applicable on January 17, 2025, represents a significant milestone in the EU’s efforts to strengthen the cybersecurity and operational resilience of financial entities. “Although DORA stands to enhance cybersecurity for financial entities, primary concerns include the lack of ICT knowledge, expertise and culture of certain financial entities, as well as the potential compliance burden imposed on smaller firms with limited resources,” explains Dr Beppe Sammut, Senior Associate at Ganado Advocates.
With ICT incidents on the rise and with cyberattacks becoming increasingly sophisticated and frequent, DORA’s comprehensive framework will seek to mitigate associated risks for financial entities, including banks, payment service providers, investment firms, insurance undertakings and insurance intermediaries, clearing houses and ICT service providers.
At the heart of DORA lies the principle of digital operational resilience, which encompasses the ability of financial entities to withstand and recover from disruptions caused by ICT incidents, IT failures, cyber threats and attacks or other digital operational challenges.
Under DORA, financial entities will be required to adopt a proactive approach to identify, prevent, detect, assess and mitigate risks to their operational resilience, thereby minimising the likelihood and impact of disruptions through response and recovery procedures, as well as by learning and evolving from previous ICT incidents and properly communicating with all stakeholders as and when such ICT incidents occur.
One of the key provisions of DORA is the establishment of clear and harmonized cybersecurity standards across the EU financial sector. This entails defining minimum requirements for digital resilience and cybersecurity measures, incident reporting, and information-sharing practices.
Moreover, DORA places a strong emphasis on the governance and supervision of digital operational resilience within financial entities with the appointment of designated individuals responsible for the ICT risk management, crisis management and communication functions to ensure accountability.
Additionally, financial entities will be required to formulate numerous policies and procedures (including an ICT risk management framework, digital operational resilience strategy and ICT business continuity policy and plans), to conduct regular assessments and testing of their operational resilience capabilities and to report any deficiencies to the applicable authority.
In line with the EU’s broader strategy for digital resilience, DORA also seeks to strengthen the resilience of critical ICT systems and services that support financial operations such as cloud computing services, as well as the adoption of encryption and other cybersecurity measures to protect sensitive data.
While DORA represents a significant step in enhancing the cybersecurity posture of financial entities, there are several challenges and considerations, namely the lack of ICT knowledge, expertise and culture of certain financial entities, as well as the potential compliance burden imposed on smaller firms with limited resources.
Furthermore, the rapid pace of technological innovation poses an ongoing challenge for regulatory frameworks such as DORA, as cyber threats evolve continuously and financial entities must adapt their cybersecurity measures accordingly. DORA should therefore be viewed as a dynamic and adaptive framework that can evolve in response to emerging threats and technologies.
The principle of proportionality
DORA is a cross-sectoral EU Regulation that applies to a significant number of financial entities, ranging from large and complex financial entities to smaller ‘simplistic’ ones. In addition, not all financial entities are equally reliant on ICT and tech companies.
DORA therefore embraces a principle of proportionality, which is vital for regulation of this nature: financial entities (and regulators) are expected to implement its provisions taking into account their size and overall risk profile, as well as the nature, scale and complexity of their services, activities and operations.
It will therefore be crucial for financial entities (with the assistance of their advisors) to ensure that they implement DORA proportionately, on a reasonable and justified basis, while adopting a properly documented risk-based approach that can withstand any challenge from regulators.
On the other hand, financial entities must also ensure they do not go beyond what is proportionate and necessary by implementing superfluous and onerous procedures which incur avoidable costs.
Achieving the objectives of DORA will require close collaboration between regulators, financial entities and their advisors, and other stakeholders, a bold plan and strategy by financial entities to ensure compliance with DORA by early 2025, as well as ongoing efforts to adapt to evolving cyber threats and technological developments.
MFSA’s expectations
Considering the imminent application of DORA in January 2025, the MFSA has, as of last September, communicated its ‘minimum’ expectations as to financial entities’ progress in relation to DORA – these include the financial entity having carried out a gap analysis between its relevant strategies, policies, procedures, plans, systems and tools and the requirements under DORA, as well as having formally adopted a transition plan towards compliance with DORA.
Six months down the line, financial entities should by now have completed their gap analysis and transition plan, and should be finalising the ‘filling-in’ of any gaps and moving towards concluding the implementation of their transition plans to ensure full compliance with DORA by January 2025.
This article was first published on the 'Corporate Times' on 07/04/2024.