The Digital Operational Resilience Act (DORA) will significantly change the way financial institutions manage their data security. DORA requires all financial institutions to implement a cybersecurity program that includes policies, procedures, and risk management activities. These policies must be reviewed annually by a third-party financial regulator, who will assess their adequacy based on industry standards.
Financial institutions must also implement an incident response plan that describes how they will respond if a cyber attack occurs, or if there are indications that one may occur in the near future. This plan must include a strategy for dealing with different types of attacks (such as phishing attacks), as well as procedures for recovering from an attack.
DORA: Key Terms and Objectives
The Digital Operational Resilience Act (DORA) ensures that the financial sector can operate in a secure and resilient manner. The Act includes the following key requirements:
Companies must have an incident response plan that includes a detailed description of what constitutes a cyber-attack, how employees should respond and how operations will be restored in the event of a breach.
Companies must maintain a cyber security programme that includes an assessment of the risks posed by cyber-attacks and an action plan to mitigate those risks.
Companies must maintain adequate security controls over their digital infrastructure. These include encryption, authentication, access controls, audit logs, monitoring systems, event management systems and incident response plans.
Companies must report incidents when they occur so that regulators can assess their vulnerability and make recommendations for improving their security posture.
Companies must have a plan to ensure continuity of service during any potential disruptions.
Financial institutions have until 17 January 2025 to comply with the DORA requirements. There will be no preferential treatment after that date: the FSA has warned in training and meetings with the financial sector that it will not wait for latecomers and plans to test and enforce the new obligations from day one.
In the event of violations of DORA, supervisory authorities may apply various administrative sanctions. These include, in particular, orders to cease non-compliant activities, requirements to discontinue practices that are contrary to the regulations, and financial sanctions aimed at ensuring compliance.