In conversation with Google Cloud — Building best practices for DORA compliance - Part 1

Anil: The EU Digital Operational Resilience Act (Regulation (EU) 2022/2554 - ‘DORA’) is a regulatory initiative by the European Union designed to safeguard the operations of financial institutions against digital disruptions.

The financial service industry's (FSI) increasing dependence on information and communication technology (ICT) tools and providers makes it more exposed to third-party ICT risks.  

The security and resilience standards for FSIs and third-party vendors aren’t currently standardized. The European Union (EU) is taking steps to change this, and DORA is central to these efforts.  

DORA aims to ensure financial entities can effectively withstand, respond to, and recover from all ICT-related disruptions and threats. 

What is the goal of DORA?  And why now?

Anil: The primary goal of DORA is to maintain the stability of the EU's financial system by improving the operational resilience of its financial institutions.  

With an increasing global reliance on digital infrastructure and the rise of sophisticated cyber threats, DORA regulations are timely. They address the urgent need for more robust cybersecurity measures and resilience in what is now a very interconnected and digitized financial space.

ICT risks can now lead to severe disruptions of financial services across borders, which can ripple effect other companies, sectors, and the broader economy. EU regulators are trying to prevent this by setting new security and resilience standards and imposing significant financial penalties and administrative sanctions on FSIs and ICTs that don’t comply with DORA standards.

When is it coming?

Anil: DORA will be enforced on January 17, 2025.

Financial institutions and their ICT providers must start preparing now to ensure full compliance by that date.

Who does it apply to?   

Anil: DORA applies to all financial institutions in the EU. This includes traditional entities such as banks, insurance companies, investment firms, and non-traditional entities, including cryptocurrency and crowdfunding platforms.

What are the requirements specific to ISVs? 

Anil: ISVs must ensure their technology solutions meet the security and resilience standards DORA sets.  

They must perform regular security assessments, ensure data integrity and availability, and maintain robust incident response and recovery procedures. ISVs will also be required to provide transparency at all times during regulatory reporting and threat mitigation efforts.

Who is impacted by DORA?  

Anil: DORA impacts a wide range of financial sector stakeholders, from major banks to smaller fintech companies and the ICT providers that support them.  

In addition to establishing clear expectations for the role of ICT providers, DORA will enable, for the first time, financial regulators in the EU to oversee critical ICT providers directly. The regulations will also apply to cloud service providers such as Google Cloud if EU regulators officially designate them as critical ICT providers. Furthermore, the regulations may apply directly to Independent Software Vendors (ISVs) like Regnology if EU regulators officially designate them as critical ICT providers.

Anil: DORA creates a genuine opportunity to enhance understanding, transparency, and trust among ICT providers, financial entities, and financial regulators. This will ultimately fuel more innovation across the European financial sector.

The new regulations will act as a direct communication channel between regulators and designated ICT providers via annual engagements, which include oversight plans, inspections, and recommendations.

In addition, it will act as a mandatory list of operational resilience requirements between financial institutions and critical ICT providers, initially forcing contractual changes between the parties, such as resilience testing, termination rights/exit plans, business contingency plans and mandatory participation of the ICT provider in the financial institution's infosec training sessions and threat led penetration testing (TLPT) activities.

DORA aims to significantly improve risk management and resilience across the financial sector by enforcing more stringent operational measures.