Increased digitalisation and interconnectedness of national economies including everyday activities can amplify ICT risk, making society as a whole, and the financial system in particular, more vulnerable to cyber threats or ICT disruptions.
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) that entered into force on 16 January 2023 aims to solve this issue by consolidating and upgrading ICT risk requirements as part of the operational risk requirements that have, up to this point, been addressed separately in various Union legal acts. While those acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they did not comprehensively tackle, at the time of their adoption, all components of operational resilience.
The DORA regulation fills in the gaps and explicitly refers to ICT risk via targeted rules on ICT risk-management capabilities, incident reporting, operational resilience testing and ICT third-party risk monitoring. The regulation also raises awareness of ICT risk and acknowledge that ICT incidents and a lack of operational resilience have the possibility to jeopardise the soundness of financial entities. In order to maintain full control over ICT risk, financial entities need to have comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling and reporting ICT-related incidents.
DORA regulation is binding in its entirety, directly applicable in all Member States, and applies from 17 January 2025.
On 6 February 2023, the European Supervisory Authorities (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)) will jointly hold an online event to proceed with technical discussion on the upcoming DORA. The event is addressed to all EU financial entities falling under the scope of DORA (Article 2) and ICT third–party service providers.
Recently, the ABBL has set up a dedicated task force for its members with an aim to engage in dialogue regarding forthcoming Regulatory Technical Standards (RTS) under DORA.
Andrey Martovoy, Innovation & Digital Adviser