DORA: A harmonized framework to strengthen the digital operational resilience of the EU financial sector
Within less than two years, all insurance companies in the EU and their ICT suppliers will have to comply with detailed rules on how to deal with all kinds of ICT-related disruptions and threats, including cyber attacks. EIOPA, the EU watchdog for the insurance sector, is currently developing technical standards to implement DORA, the Digital Operational Resilience Act, which was published at the end of 2022 and applies from January 2025.
DORA is about security and IT risk management, but it is also about promoting technological advances. For a couple of years now, the EU institutions have been working on a broad digital finance package with exactly those two goals: fostering operational resilience while ensuring financial stability and consumer protection.
Of course, companies have been working on their security for years, but DORA takes this a step further for the whole financial sector: banks, insurance companies, payment institutions, investment firms, etc. All of them have to be able to stay resilient through a severe operational disruption.
As an EU regulation, DORA has been an obligation for all European financial companies and their ICT providers since the beginning of 2023. Member states are in the course of transposing it into national law, and the European Supervisory Authorities (ESAs) are drafting the technical standards. For the insurance sector, this is done by EIOPA, the European Insurance and Occupational Pensions Authority. As of early 2025, all insurance companies will have to make sure their IT framework and governance respect these uniform requirements.
The DORA framework consists roughly of five parts or pillars: an ICT risk management framework; ICT-related incident management, classification and reporting; digital operational resilience testing; third-party risk management and cyber threat intelligence; and information sharing.
- ICT risk management: introduces enhanced requirements to have in place a sound and comprehensive internal governance and control framework for the identification and management of ICT-related risks.
- Incident classification and reporting: insurance companies need to have systems to monitor and identify ICT incidents and report them to competent authorities.
- Digital operational resilience testing: requirements on analysing vulnerabilities and network security, on gap analysis and on the testing of software solutions.
- Third-party risk management: DORA doesn't only apply to financial institutions, but also to all their ICT suppliers, including cloud service providers. The relevant watchdog of the sector will have the authority to request information, carry out inspections and even impose sanctions. Financial institutions will also have to analyse and minimise the potential risks related to their external providers.
- Sharing of information: financial companies are encouraged to share all information on cyber security with companies in other countries.
It's clear that DORA consists of numerous binding obligations and will require considerable transformations in ICT. So, although the regulatory and implementing technical standards still have to be written, companies shouldn't lose time. To be ready by the beginning of 2025, implementation of the framework should start today.
In case of questions