On 27 December 2022, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector [1] (the “Regulation” or “DORA”) and Amending Directive (EU) 2022/2556 [2] (the “Amending Directive”) were published in the Official Journal of the EU. Both enter into force on 16 January 2023. The Regulation will apply from 17 January 2025, and Member States are required to adopt the measures necessary to comply with the Amending Directive by that same date, 17 January 2025.

DORA represents the EU’s response to the ever-increasing number of cyberattacks against financial institutions. It is designed to strengthen the security of EU financial firms (the umbrella term “financial entities” is used), such as banks, insurance companies, payment and e-money institutions, investment firms and others, by imposing resilience requirements and regulating their supply chain. Its aim is to ensure that the services these entities provide are not disrupted by cyberattacks, outages or other risks to the integrity and continuity of those services.

DORA harmonises and consolidates key elements of existing digital resilience frameworks and standards within the EU [3], but it also introduces new requirements. Financial entities tend to outsource much of their IT and operate complex architectures. It is for this reason that DORA also applies to third-party providers of ICT services and affects the contracts that financial entities conclude with those providers. This sharpened focus on third-party risk management is evident throughout DORA. The new regulation also brings into scope providers of critical information to the financial services sector, such as credit rating, critical benchmark and data reporting services, as well as financial market infrastructure providers such as central securities depositories, central counterparties and trading venues.

Broadly, DORA consists of requirements in five main areas:

  • ICT risk management.
  • ICT incident reporting.
  • Digital operational resilience testing.
  • ICT third-party risk management.
  • Information and intelligence sharing.

It is pertinent to note that DORA embraces the principle of proportionality and thus follows the approach found in many other regulations: in a sense, it puts the onus back on the individual financial entity to assess and justify the standard and extent of the requirements that it needs to prepare for and eventually implement.

Critical to an efficient implementation of DORA will also be the awaited raft of Regulatory and Implementing Technical Standards and Guidelines which will supplement DORA. In Annex 1 to the MFSA Circular on the publication of DORA, issued on 4 January 2023 [4], the MFSA sets out the different delivery deadlines for the planned work in this regard, running up to the applicability date of January 2025.

Compliance with DORA is undoubtedly no easy task and can be a “game changer”. The various entities to whom DORA applies have a tight two-year preparatory period, which should be used to undertake a gap analysis of their ICT risk management framework, including reviews of the internal governance structure and of the ICT risk management, incident management and reporting mechanisms already in place. Entities should also reassess, and where necessary renegotiate, their agreements with third-party ICT service providers to bring them into line with DORA. Entities should also be prepared for increased supervisory engagement in this area once DORA applies, given that the Regulation provides supervisors with wider, far-ranging mandates and powers. The real consideration for financial institutions is ultimately how they approach it: as a compliance or “tick the box” exercise, or as a potential strategic opportunity.

[1] Which amends Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

[2] Which amends Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector

[3] To date it does not appear that any existing laws, regulations or guidelines will be repealed; instead, these would continue to exist alongside DORA

[4] https://www.mfsa.mt/publications/circulars/supervisory-ict-risk-and-cybersecurity-circulars/
