The Presidency of the Council of the European Union and the European Parliament have reached a preliminary agreement on the content of DORA (Digital Operational Resilience Act).
DORA aims to create common requirements for the secure use of information and communication technology (ICT) by financial entities (including banks and insurers). The current obligations in this area are scattered across various pieces of legislation, are insufficient and need to be harmonized. The Commission presented a proposal including a draft DORA in September 2020. Last December, the first reading of the draft began in the European Parliament.
DORA sets out obligations to develop internal procedures and policies for effective internal risk management (i.e. carried out by the financial entity itself), including ICT audits, data recovery and ICT incident reporting. The regulation also requires a series of digital resilience tests to be conducted annually. At the same time, entities are given a new tool for carrying out their duties – the ability to share incident information with each other.
In addition to internal risk management, DORA emphasizes the management of external risks involving IT service providers – it is to set requirements for the content of the parties’ contractual obligations and the standards of protection to be provided by the providers, as well as for keeping a register of the contracts entered into and reporting on them to the regulator. Entities will also have to classify whether the activities covered by IT outsourcing are critical to them. DORA is thus, of course, to cover cloud outsourcing as well. DORA will also create a new organizational framework for national and EU regulators.
DORA covers a very wide range of activities of financial entities, because it concerns IT, an area already partly regulated by various recommendations of EU and national supervisory authorities (including those concerning cloud outsourcing), so it remains interesting to see how all the documents issued will relate to one another. However, it can be assumed that the more an entity already meets the current requirements, the fewer changes it will have to make to comply with DORA, which, after all, builds on existing solutions. In the meantime, European regulators are working to develop specific technical standards for security. Only then will it be possible and necessary to verify whether the solutions already used by financial entities comply with them.