In a recent post by Novatus Global, the firm took a deep dive into DORA legislation and the role it will help play in financial compliance.
Introduced to regulate and ensure security of information systems in the financial sector, the DORA experienced its formal approval on 10th November 2022.
It was subsequently published in the Official Journal on 27th December 2022. The act will be actively enforced from 17th January 2025. Thus, financial entities are advised to be DORA-compliant by the onset of 2025.
DORA encompasses a vast spectrum of financial institutions, spanning various sectors. The sectors covered include:
- Cryptoasset service providers
- Investment firms
- Central security depositories
- Trading venues
- Credit, payment, and e-money institutions
- Data reporting service providers
- Insurance undertaking firms
- Credit rating agencies
Though broadly applied, DORA classifies financial institutions into three categories. Each category experiences a different interpretation and application of the rules. These categories are:
- Basic Financial Entity
- Microenterprise Financial Entity
- Article 16 Financial Entity
The inception of DORA was driven by the intent to bolster the security of networks and information systems integral to the financial industry. Key requirements under DORA incorporate harmonising existing mandatory and voluntary regulations, comprehensive incident reporting, digital resilience testing, and a deeper focus on the ICT risk management process.
DORA is applicable to 20 distinct types of regulated financial institutions, ranging from central counterparties to trading venues and investment managers. Moreover, third-party digital and data service providers to these institutions also fall under its purview. By 17th January 2025, all these financial entities are expected to adopt the appropriate framework to ensure full DORA compliance.
At its core, DORA outlines five central pillars of the digital resiliency framework. These pillars encompass governance and ICT risk management, incident reporting, digital resilience testing, third-party ICT provider risk management, and threat information sharing.
For effective DORA compliance, financial entities should institute robust governance measures. Management bodies must assume responsibility for ICT risks, maintain high data standards, and establish a strategy for digital operational resilience. Furthermore, there’s a pressing need for training and awareness about ICT risks.
DORA mandates a consistent framework for classifying and reporting significant ICT-related incidents. Concurrently, regular digital operational resilience testing is essential for understanding potential threats and vulnerabilities.
Non-compliance with DORA can have severe repercussions, primarily in the form of substantial fines. These fines can potentially reach up to 2% of a firm’s global revenues. However, financial entities can mitigate these risks by ensuring continuous learning, development, and adherence to DORA requirements.
While DORA is still evolving, past instances provide an insight into the implications of non-compliance. For instance, in December 2022, a Tier 1 bank, which failed to meet operational resilience guidelines, faced a staggering fine of £48,650,000. Thus, it’s evident that adhering to DORA’s regulations is not just about compliance; it’s about safeguarding an institution’s reputation and financial health.
Read the full post here.
Copyright © 2023 RegTech Analyst
Copyright © 2018 RegTech Analyst