For some time now, European bodies have been actively involved in supporting the financial sector’s defences against Information and Communication Technology (ICT) threats. In 2019, the European Banking Authority (EBA) issued its Guidelines on ICT and Security Risk Management, a set of non-binding guidelines that provided a framework for financial institutions to effectively manage ICT and security risk, emphasizing areas such as risk assessment, incident response, and business continuity. Then, in 2022, the European Parliament passed Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, better known as the Digital Operational Resilience Act, or DORA.
Enacted in 2023, this regulation significantly strengthens the EBA recommendations. DORA is legally binding and sets clear requirements for financial institutions and their critical third-party service providers (e.g., cloud platforms) regarding ICT risk management. More specifically, it outlines technical standards for areas like:
o ICT risk governance and management.
o Incident reporting and response.
o Digital operational resilience testing.
o Third-party risk management.
Ultimately, the shift from the EBA Guidelines to DORA signifies a move towards a more prescriptive and enforceable approach to cybersecurity within the European financial sector.
While specific to the financial sector, DORA is not the only piece of legislation that has been enacted in Member States to further improve the resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole in the field of cybersecurity and critical infrastructure protection. While not specific to finance, the Network and Information Systems (NIS) Directive and its successor NIS2 play a key role by requiring essential service providers across various sectors (including some financial institutions) to implement robust cybersecurity measures. Furthermore, individual European countries and the UK have implemented additional regulations, policies or directives that complement DORA, the NIS Directive and the EBA Guidelines.
Overall, European bodies are taking a multi-layered approach to ensure that the financial sector is well-equipped to combat cyber threats. DORA stands out as the most recent and significant effort, aiming to establish a standardized and robust framework for operational resilience across the EU.
On some occasions, organisations in the financial sector are confused by, and struggle with, the frequency, overlap, and complexity of regulations in the cybersecurity domain. Until DORA prevails and becomes the principal security and resilience legal requirement in the financial sector across the EU, it is useful to provide a brief comparison between DORA and the EBA Guidelines, specifically focusing on the EBA Guidelines on ICT Risk Management (2019):
• Focus: Both DORA and the EBA Guidelines aim to improve the cybersecurity posture of financial institutions by promoting sound ICT risk management practices.
• Key Areas of Emphasis:
o Risk identification and assessment.
o Incident response and reporting.
o Business continuity and operational resilience.
o Third-party risk management.
• Benefits: Both regulations aim to strengthen the overall cyber resilience of the financial sector and minimize the impact of cyber threats.
• Scope:
o DORA applies to a wider range of financial institutions and their critical third-party service providers (beyond just ICT service providers), while the EBA Guidelines primarily focus on financial institutions and their ICT service providers.
• Nature:
o DORA is a legally binding regulation with clearly defined requirements and deadlines for compliance, while the EBA Guidelines are non-binding and only offer recommendations and best practices, although in some countries these have been mandated by supervising authorities.
• Detail:
o DORA provides a more comprehensive framework with specific technical standards for risk management, testing, and reporting, while the EBA Guidelines offer a high-level overview of key areas and principles for ICT risk management, including areas like ICT operations security, ICT operations management, ICT incident management, project and change management, etc.
• Enforcement:
o Compliance with DORA is monitored and enforced by national competent authorities, with potential penalties for non-compliance, while enforcement of the EBA Guidelines is left to national authorities, with no specific penalties outlined.
Overall, DORA provides a more prescriptive and enforceable framework for achieving operational resilience, and builds upon and strengthens the foundation laid by the EBA Guidelines. The EBA Guidelines on ICT and Security Risk Management, as well as the Guidelines on Outsourcing Arrangements, served as a stepping stone, preparing the ground for DORA. This helped regulated organisations understand, establish and maintain a high-level cybersecurity and resilience framework that could be easily integrated with DORA. Now, the challenge for organisations in the financial services sector and beyond is to integrate their existing security and resilience frameworks with DORA, using the minimum of effort and resources.
Quadprime offers customised DORA implementation services, empowering organisations to build robust Digital Operational Resilience frameworks that meet supervisory authority requirements and enhance risk and threat analysis and mitigation.
Contact us today to discuss your DORA compliance needs.