
DORA – A potential blueprint for Global Cyber Resilience Regulation?

August 09, 2024


Jason Harrell, Managing Director of Operational and Technology Risk, DTCC


With less than a year until the European Union’s Digital Operational Resilience Act (DORA) takes effect, financial organizations must prepare to comply with this landmark regulation. By January 2025, financial institutions operating in the EU will be required to adhere to strict standards for cyber risk management, cyber incident reporting, cyber resilience testing and more.

While DORA will standardize cybersecurity controls across all EU members, its impact will have global relevance.

As organizations gear up to achieve DORA compliance, they may encounter several challenges. First, with many financial institutions relying on numerous third-party providers, DORA will set out more detailed requirements for the management of outsourced services.

These new requirements will cover a service provider’s entire life cycle—from pre-contract negotiations to ceasing partnerships. Specifically, it is critically important for firms to proactively review the resilience of their information and communication technology (ICT) third-party service providers and monitor external risks. To ensure compliance, financial institutions will have to work collectively with their third-party providers to achieve compliance while ensuring minimal disruption to their day-to-day operations.

To achieve this, firms must have plans in place allowing for the continuation of their services should some third parties be unable to achieve this compliance. These plans could include the smooth transition of technology services to new providers or bringing these services back in-house.

Compliance with DORA will depend on organizations’ ability to identify and document their critical ICT business functions, information assets, roles and dependencies as part of a comprehensive cyber resilience framework. This could be difficult for some firms, especially those with complex ICT systems or extensive reliance on outsourcing.

Even though most organizations already have existing cyber risk management programs in place, firms will need to ensure these programs align with DORA’s requirements. As a starting point, organizations should perform a gap analysis to identify areas that require prioritization.

Unlocking Opportunities with DORA

Despite these challenges, DORA presents numerous opportunities for financial services organizations to continue to raise their cyber resilience capabilities and standards. DORA encourages collaboration between financial institutions by emphasizing the sharing of cyber threat intelligence, enabling firms to adapt their defences to better respond to threats.

Additionally, DORA provides a unified cyber incident reporting approach that may allow for better correlation of cyber incident information. This information can be used to inform the financial services sector of changing and evolving cyber threats, enhancing transparency and trust across the European financial sector.

Furthermore, DORA presents an opportunity to drive innovation through the adoption of newer, more efficient technologies and practices, ultimately increasing operational efficiency, lowering costs, and enabling financial institutions to be better positioned to adjust to the rapidly evolving digital landscape.

Beyond serving as a blueprint for harmonizing the supervision of ICT and cyber threats within the EU, DORA may set a precedent for other jurisdictions. By further streamlining deviations from their cyber risk management frameworks, DORA could reduce regulatory complexity for multinational institutions. DORA also seeks to address the burdens associated with diverging cyber risk management rules across the EU that apply to financial institutions.

DORA’s Global Impact

The global repercussions of DORA’s implementation should not be overlooked. Due to the financial sector’s interconnected nature, financial authorities could adopt similar measures to coordinate their approach to managing cyber risk across jurisdictions.

This regulatory coordination could lead to a more consistent, robust and resilient global financial system, reducing vulnerabilities and enhancing overall stability. DORA’s principles and practices may serve as a template for future global regulatory frameworks, highlighting the importance of a structured approach and collaboration to address cybersecurity on a global scale.
