10 March 2024

DORA Regulation

In response to the growing challenges of cybersecurity, and in particular the continuity of IT systems, the European Union has introduced the DORA Regulation, aimed at enhancing the operational resilience of financial entities to cyber threats. In this article, we take a closer look at these issues and their implications for the financial industry.

Introduction to the DORA Regulation

The Directive on Operational Resilience of Financial Institutions (DORA) was introduced in response to an increasing number of cybersecurity incidents that have impacted the stability and trust within the financial sector. The goal of DORA is to ensure that financial entities have adequate mechanisms and procedures in place to deal with various types of threats, including cyber attacks, ICT system failures, and other operational incidents.

The introduction of the DORA Regulation has significant implications for financial entities, both technically and organizationally:

  • Investments in Technology and Human Resources: Financial entities will need to invest in advanced technologies and qualified human resources to meet the requirements of the regulation. This entails investments in ICT infrastructure as well as training for staff in incident management and cybersecurity.
  • Flexibility and Responsiveness: Financial entities must be more flexible and ready to respond quickly to changing operational conditions. They need to be able to adapt to new threats and technologies to maintain their operational resilience.
  • Risk Monitoring and Analysis: DORA requires financial entities to continuously monitor and analyze the risks related to cybersecurity and ICT incidents. They must be able to identify potential threats and take appropriate preventive actions.
  • Collaboration with Partners and Suppliers: Financial entities must also ensure that their partners and suppliers comply with the requirements of the DORA Regulation, to minimize the risks associated with the supply chain.

DORA Regulation: Key Principles

One of the key principles of the DORA Regulation is the need for financial entities to establish effective procedures for managing ICT-related incidents. These incidents can have a negative impact on the availability, authenticity, integrity, or confidentiality of data, which in turn can lead to disruptions in the provision of financial services.

Under the DORA Regulation, financial entities are required to establish and implement processes for managing ICT-related incidents. These processes include the identification, registration, classification, and reporting of incidents, as well as the development of action plans to mitigate the effects of incidents and restore the normal functioning of IT systems.

An important aspect of managing ICT-related incidents is also the proper preparation of staff and the definition of roles and responsibilities in the event of different types of incidents. This way, financial entities can effectively respond to threats and minimize losses resulting from incidents.

Requirements of the Regulation

The DORA Regulation imposes a number of specific requirements on financial entities regarding the management of ICT-related incidents. One of the main requirements is the recording of all ICT-related incidents and the establishment of appropriate procedures for monitoring and reporting these incidents.

Financial entities are also required to implement communication plans that enable the responsible disclosure of serious ICT-related incidents, as well as notification plans for informing customers and counterparties in the event of an incident.

The regulation is based on five key pillars:

  • ICT Risk Management

Effective management of risks associated with information and communication technologies (ICT). Financial entities must develop comprehensive ICT risk management strategies, including the identification, assessment, monitoring, and management of risks in the context of their business processes and technological infrastructure. It is also crucial to implement appropriate procedures and ICT security policies to minimize cyber risks and ensure business continuity.

  • Reporting ICT Incidents

The obligation to effectively report incidents related to information and communication technologies (ICT). This means that financial entities must implement incident reporting procedures and mechanisms that enable rapid identification, classification, and response to various ICT-related threats. Transparency and prompt response to incidents are key to maintaining the trust of customers and business partners.

  • Operational Testing

Conducting regular operational tests, including performance, emergency, and cyber control tests. These tests aim to assess the operational resilience of financial entities to various threats and incidents, and to identify potential areas of weakness that may require further improvement. It is crucial that operational tests are realistic and that their results are used to keep improving operational processes and increasing resilience.

  • Management of External Supplier Risk

Management of risks associated with external suppliers. Financial entities are increasingly using services from external suppliers, which brings additional risks related to data security and business continuity. DORA requires financial entities to implement appropriate mechanisms for assessing and monitoring the risk associated with external suppliers, and to apply appropriate safeguards and contractual clauses to minimize the risk to their business.

  • Collaboration and Coordination

Promoting collaboration and coordination among financial entities and supervisory authorities. This collaboration aims to enable rapid exchange of information about threats and incidents, allowing for more effective response to changing operational conditions and minimizing potential damage.

Woolshy.com Group inc.

KRS: 0001001707, NIP: 5252931203

POLAND
