5 Key Takeaways from the EU’s Digital Operational Resilience Act (DORA)

In this article, we look at how financial services firms can prepare for heightened oversight in a changing regulatory landscape in the EU and UK.


In our recent white paper, “Strengthening Operational Resilience in Financial Services,” we explore how operational resilience (OR) has emerged as one of the most important issues in the financial industry. The growth of interconnected systems and ever-increasing threat of cybercrime and other challenges have brought to light that much more must be done to address OR. 

Industry regulators have taken notice and are making resilience a centerpiece of their activities. This is particularly true in the EU, with the Digital Operational Resilience Act (DORA), and in the UK, with the new operational resilience regime that took effect in 2022. Here are the highlights that every financial services firm should know along with the key elements needed to respond to a changing regulatory landscape.


The UK Takes the Lead in Enforcement

While the first OR directives were issued by the EU several months ahead of the UK, the latter has taken the lead when it comes to enforcement, issuing a nearly $60 million fine related to a resiliency incident at a UK bank in late 2022. The action came after the Financial Conduct Authority (FCA) along with the Bank of England (BoE) and the Prudential Regulation Authority (PRA) issued their operational resilience policy in March 2021. The rules went into effect in April 2022 with full and continual compliance required by 2025, a date that is fast approaching.

This new regime emphasizes a need to prevent, adapt, respond to, recover, and learn from operational disruptions. The FCA, BoE, and PRA have adopted a very comprehensive approach to crafting and implementing OR policies, which is also designed to manage systemic risks posed by “critical third parties.”

Five Takeaways for Financial Services Firms from EU’s DORA

While the UK OR regime is a tough one, the EU’s Digital Operational Resilience Act (DORA) is the most comprehensive and prescriptive approach to OR and cybersecurity from any global regulator. As with the UK’s policy, full implementation is scheduled for 2025, making it crucial that firms take steps now to be prepared. Here are five things that every firm doing business in financial services needs to know about DORA:

1. Five pillars: This may be the most far-reaching regulation ever enacted. DORA’s five pillars include:

  • Information and communications technology (ICT) risk management
  • Incident reporting
  • Digital operational resilience testing
  • Third-party risk management
  • Information sharing

2. Broad impact across the ecosystem: The breadth and depth of DORA are unprecedented. The act applies to banks, insurance companies, investment firms, and the like, but it also includes critical third parties. The objective is to ensure that risk stemming from increasing dependence on firms providing support and services, such as cloud service providers, ISVs, and payment processors, is addressed directly at the service provider level, rather than on an individual firm basis.

3. Harmonizing and expanding existing regulations: The first objective of DORA is to harmonize existing regulations across the EU. But it goes much further and dramatically expands regulatory coverage and requirements. For example, DORA introduces more stringent reporting requirements for cyber incidents and imposes strict timeframes for reporting.

4. Enterprise-wide impact: Unlike previous approaches to cybersecurity, compliance with DORA is not solely an IT issue. Firms must adopt an enterprise-wide approach, involving legal, compliance, risk management, as well as IT from the outset.

5. Preparing for DORA compliance: DORA’s enforcement is scheduled for 2025, so financial services firms need to be working now to ensure a smooth transition. It’s crucial for organizations to act now so that they’re able to implement the necessary changes in a timely manner.

Top “To-dos” for UK and EU OR Readiness

Knowing and doing are two very different things, and this is certainly true in the case of the far-reaching and often complicated mandates in both the UK and EU.

  • Expansive regulation requires broader vision: These new OR regimes impose a wide array of new requirements on a business and this increased scope means that more areas of the enterprise must be included in formulating and carrying out activities to enhance resilience. It’s advisable to take a “blank slate” look at future requirements and then design and build an apparatus and procedures that include all relevant parties with a particular focus on new areas that need to be included. Old metrics may need to either be discarded or substantially revised to bring processes and performance into alignment with new requirements.
  • Focus on cybersecurity: Central to the new resilience efforts is cybersecurity, with an emphasis on awareness and preparedness for ransomware episodes and the timely and thorough reporting of incidents when they occur. Firms must have plans in place to maintain and restore critical business operations as well as visibility into their data pipelines and crucial workflows to detect anomalies and enhance prevention and mitigation of cyber events.
  • Data is at the heart of the enterprise: One helpful way to tackle a new challenge is to break it down into its components so you aren’t overwhelmed by complexity. In the case of these new regimes, a common denominator boils down to data. Data is the ultimate target of most bad actors and the fundamental item required to ensure resilience, particularly as it relates to ICT risk management. The management, accessibility, and protection of data must be a central focus of any plan.

A Great Leap Forward for Regulation in the EU and UK

The EU’s Digital Operational Resilience Act (DORA) along with resilience regimes from UK regulators (and others) represent a giant leap forward in regulation for the financial services industry. What’s more, their implementation dates are drawing near, making preparation and action essential. Strengthening OR within the financial services sector is a necessary and laudable goal, but it will not come without great cost, both in terms of time and resources.

With the help of Pure Storage and other partners, financial services firms can navigate the complexities of DORA and work toward creating a more secure and resilient future. Pure Storage solutions support operational resilience by design. With an all-flash configuration, speed, simplicity, and flexibility are maximized. And with built-in data protection capabilities, such as SafeMode™, Rapid Restore, and Pure1® Data Protection Assessment, as well as a ransomware recovery SLA and a Zero Data Loss Guarantee across the Evergreen® portfolio, financial firms can have peace of mind that recovery in the event of a disruption is optimized, and maximum data security is built in.

To learn more, download our white paper, “Strengthening Operational Resilience in Financial Services,” or contact us for a free expert consultation.