In conversation with Google Cloud - DORA overview

DORA is coming

An overview of the new regulation

The European Union's upcoming DORA regulations will create a critical regulatory framework to increase financial institutions' resilience against digital disruptions. This year will be a turning point for financial entities and their ICT providers, who must ensure they are ready to effectively meet and uphold the new compliance standards.

To offer insights into the regulations, Anil Saboo from Google Cloud and Regnology’s Chief Information Security Officer, Konstantinos Andreopoulos, discuss the significance of DORA.

In this two-part interview series, they explore the intricacies of the DORA regulation and share how Google Cloud and Regnology prepare themselves as solution providers for DORA’s rollout and how Regnology, as a Regulatory Reporting specialist, can help financial institutions prepare for DORA compliance.

With an increasing global reliance on digital infrastructure [...] DORA regulations [...] address the urgent need for more robust cybersecurity measures and resilience in what is now a very interconnected and digitized financial space.

Anil Saboo Director, ISV Partnerships
Google Cloud

What is DORA?

Anil: The EU Digital Operational Resilience Act (Regulation (EU) 2022/2554 - ‘DORA’) is a regulatory initiative by the European Union designed to safeguard the operations of financial institutions against digital disruptions.

The financial service industry's (FSI) increasing dependence on information and communication technology (ICT) tools and providers makes it more exposed to third-party ICT risks.

The security and resilience standards for FSIs and third-party vendors aren’t currently standardized. The European Union (EU) is taking steps to change this, and DORA is central to these efforts.

DORA aims to ensure financial entities can effectively withstand, respond to, and recover from all ICT-related disruptions and threats.

Key requirements of DORA:

Framework for ICT risk management
ICT third-party risk management
Digital operational resilience testing
Management of ICT-related incidents
Information sharing
Oversight of critical third-party providers

What is the goal of DORA? And why now?

Anil: The primary goal of DORA is to maintain the stability of the EU's financial system by improving the operational resilience of its financial institutions.

With an increasing global reliance on digital infrastructure and the rise of sophisticated cyber threats, DORA regulations are timely. They address the urgent need for more robust cybersecurity measures and resilience in what is now a very interconnected and digitized financial space.

ICT risks can now lead to severe disruptions of financial services across borders, which can ripple effect other companies, sectors, and the broader economy. EU regulators are trying to prevent this by setting new security and resilience standards and imposing significant financial penalties and administrative sanctions on FSIs and ICTs that don’t comply with DORA standards.

When is it coming?

Anil: DORA will be enforced on January 17, 2025.

Financial institutions and their ICT providers must start preparing now to ensure full compliance by that date.

Who does it apply to?

Anil: DORA applies to all financial institutions in the EU. This includes traditional entities such as banks, insurance companies, investment firms, and non-traditional entities, including cryptocurrency and crowdfunding platforms.

What are the requirements specific to ISVs?

Anil: ISVs must ensure their technology solutions meet the security and resilience standards DORA sets.

They must perform regular security assessments, ensure data integrity and availability, and maintain robust incident response and recovery procedures. ISVs will also be required to provide transparency at all times during regulatory reporting and threat mitigation efforts.

Who is impacted by DORA?

Anil: DORA impacts a wide range of financial sector stakeholders, from major banks to smaller fintech companies and the ICT providers that support them.

In addition to establishing clear expectations for the role of ICT providers, DORA will enable, for the first time, financial regulators in the EU to oversee critical ICT providers directly. The regulations will also apply to cloud service providers such as Google Cloud if EU regulators officially designate them as critical ICT providers. Furthermore, the regulations may apply directly to Independent Software Vendors (ISVs) like Regnology if EU regulators officially designate them as critical ICT providers.

How will DORA impact the overall security of the financial sector in the EU?

Anil: DORA creates a genuine opportunity to enhance understanding, transparency, and trust among ICT providers, financial entities, and financial regulators. This will ultimately fuel more innovation across the European financial sector.

The new regulations will act as a direct communication channel between regulators and designated ICT providers via annual engagements, which include oversight plans, inspections, and recommendations.

In addition, it will act as a mandatory list of operational resilience requirements between financial institutions and critical ICT providers, initially forcing contractual changes between the parties, such as resilience testing, termination rights/exit plans, business contingency plans and mandatory participation of the ICT provider in the financial institution's infosec training sessions and threat led penetration testing (TLPT) activities.

DORA aims to significantly improve risk management and resilience across the financial sector by enforcing more stringent operational measures.