
Exploring DORA

25 September 2024

You’ve probably heard about Dora the Explorer, the intrepid seven-year-old who helps children to speak Spanish, but what about DORA, the European Union’s new regulation that comes into force in January 2025?

Digital resilience: Speaking at a Gartner conference in London, ING’s Tom-Martijn Roelofs has been spreading the word on the EU’s new Digital Operational Resilience Act (DORA).

DORA is short for the Digital Operational Resilience Act. It is a European Union (EU) regulation aimed at increasing the digital operational resilience of the financial sector.

But why is it being introduced and what will its impact be? Tom-Martijn Roelofs, ING’s global head of Security Strategy and Data has the answers.

What problem is the DORA legislation attempting to solve?

With ever-increasing digitalisation in the financial services industry, our daily lives are dependent on these digital services. As consumers, we are so used to always having access to internet banking, for instance, and executing transactions within a few seconds. However, if those services are not available, the impact can be significant, not just on individuals but also on society as a whole. For example, businesses could grind to a halt because there is no cash, and could you imagine salaries not being paid because a bank is suffering an outage?

You only need to see what happened recently with American cybersecurity company CrowdStrike’s faulty update to see what impact IT outages have.

It shows that financial institutions must design and operate their services so that they are resilient to the various root causes of outages, including cyber-attacks.

What impact will it have on customers?

As such, the Act will not directly impact customers and clients. It is all about financial institutions making sure their critical business services are sufficiently resilient. You could say that if we do our jobs properly, customers will not know about all the work that has been done because everything is robust and functioning 24/7.

And third parties?

There is an impact outside of the bank though. It is what is referred to as a ‘vertical law’, meaning that every critical business service, such as hosting providers and cloud providers, is in scope. Via what’s called third-party risk management, the technical standards that are enforced on the financial service providers are also in force for these third parties (and can even impact fourth parties).

This is a step that the EU has taken to enforce resilience on the entire EU market.

When will it be introduced?

The law passed the European Parliament in November 2022, and becomes effective on 17 January 2025. In the time between the adoption and the effective date, European Supervisory Authorities have published regulatory technical standards on the various topics that are covered within DORA.

What impact will there be outside of the EU?

DORA is an EU law, but it will have a wide impact because EU-based financial institutions will implement requirements uniformly, e.g. via global services, policies, and internal standards. This will also impact big service providers, such as telecommunications companies. So non-EU-based providers will also notice the effects, although they are strictly not in the scope of DORA. In that way it is perhaps similar to the Sarbanes-Oxley legislation, which has a global effect despite being US legislation.

What has ING been doing to prepare for DORA?

To ensure ING is compliant, our chief operating officer introduced a DORA programme quite some time ago. This programme involves a number of bank functions, including my department, the Chief Information Security Office, because of the cybersecurity requirements that are packed into the regulatory technical standards.

One of the first steps was to assess the impact of DORA and distinguish between new requirements and those requirements that ING was already undertaking, such as European Banking Authority standards.

Then, the quite complex step was made to define our critical business services and to register the relevant applications and infrastructure connected to these.

The last part will be to ensure compliance with the regulatory technical standards for all critical business services, and this is still ongoing.
