With just 10 weeks before the Digital Operational Resilience Act (DORA) becomes applicable to credit and payment institutions, electronic money institutions, investment firms, other financial entities, and ICT third-party service providers, all such firms must ensure they are aligned with its framework. Below is an outline of that framework and the obligations it places on the respective firms.
A. What is DORA?
DORA is a pivotal European Regulation establishing a harmonized framework, pursuant to which financial institutions must have the appropriate internal infrastructure to exchange information, monitor and respond to ICT threats and ensure that disruptions are pre-empted and avoided to the extent possible.
B. What does the DORA framework include?
The core elements of this Regulation include:
a) A suitable governance and organization structure, with identified officers responsible for mapping a digital operational resilience strategy, establishing policies, defining clear responsibilities and creating appropriate reporting channels.
b) ICT risk management procedures and tools to protect information and ICT assets, which must be regularly tested and reviewed. Such procedures and tools must exist both internally and at third-party service providers.
c) Appropriate and proportionate methods of detecting, managing and notifying ICT-related incidents, which must be developed, while high-impact incidents must be swiftly reported to the financial entity's appropriate regulator.
d) A risk-based digital operational resilience testing programme that examines the firm's readiness to handle ICT-related incidents and identifies shortcomings, which must then be remedied.
e) Reporting to the regulator the firm's ICT third-party service providers and any risk associated with such outsourcing, and effectively monitoring and managing those risks.
C. Who is responsible for DORA implementation?
The main responsibility lies with the executive members of firms. As such, senior officers holding executive positions are accountable for the organization meeting its regulatory obligations.
D. Who regulates DORA compliance?
The respective regulators, predominantly the Central Bank of Cyprus and the Cyprus Securities and Exchange Commission, are entrusted with supervising, investigating and sanctioning non-compliant entities that are obliged to implement the DORA framework within their firm and operations.
E. Remarks - next steps
The obligation of firms to maintain a secure and uninterrupted platform of operation is not new. What is new is the requirement that firms ensure their robust digital operational resilience is evident throughout their operations.
Our regulatory experts will be glad to support firms in reviewing their governance structure, policies, detection and response mechanisms, and their contracts with clients, suppliers and ICT-outsourcing entities, to confirm their readiness and compliance with the DORA Regulation.
By:
Elina Iosifidou
Andria Koukounis