
EBAday 2022: Why European FIs need to prepare for DORA

The EU’s Digital Operational Resilience Act (DORA) is on track to be agreed before the summer and firms need to prepare accordingly.



This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

In January, EU Commissioner Mairead McGuinness stated that she hoped DORA would be given the green light soon, both by member governments and the European Parliament, and recent publications by the European Systemic Risk Board (ESRB) have given further clarity around the final shape the legislation is likely to take.

Aiming to set a global standard for operational resilience in the financial sector, and for the information and communication technology (ICT) providers that service it, DORA seeks to strengthen the ICT risk management requirements that apply to financial institutions across the European Union. Its scope extends to the risks that third-party service providers present to those institutions.

In December 2021, the ESRB published a recommendation calling for a pan-European systemic cyber incident coordination framework, and for EU regulators to build on the proposed DORA rules.

The recommendation was followed by the ESRB’s report ‘Mitigating systemic cyber risk’ in January 2022, which read: “Of particular importance is the need to overcome the risk to financial stability stemming from a coordination failure during the response to an incident. A cyber incident’s scale, speed and propagation call for a swift response from firms and financial authorities in order to preserve financial stability.”

The report continued that financial authorities in the EU must coordinate among themselves, both at the global level and with parties they do not usually interact with, such as cyber authorities. The risk of a coordination failure by the authorities themselves also exists. “Uncoordinated action could contradict or even jeopardise the response of other authorities, lead to an erosion of confidence in the functioning of the financial system and thereby amplify the shock for the financial system. In the worst case, financial stability may be threatened.”

The ESRB has warned that the existing high level of interconnectedness across financial entities, financial markets and financial market infrastructures - particularly the interdependencies of their systems - may constitute a systemic vulnerability. A localised cyber incident at any one of the approximately 22,000 EU financial entities can quickly spread to the entire financial system, “unhindered by geographical boundaries.”

Deloitte explains that while DORA is likely to have a 24-month implementation period, the important Level 2 technical standards that specify the detailed requirements will take longer to finalise, reducing the time firms actually have to comply once those details are known. “Firms cannot afford to wait for the political process to conclude but should already be considering what successful implementation requires,” warns Deloitte.

Identifying several “no regret” actions on DORA’s key initiatives, Deloitte argues that there are four areas firms should begin to reflect on now in anticipation of the incoming legislation:

  1. ICT risk management: conduct a gap analysis of existing ICT risk management and governance practices, specifically through a critical-function lens. Increase the resources dedicated to threat and incident detection and improve firm-wide ICT security awareness training programmes.
  2. Incident reporting: run an incident management and reporting maturity evaluation to understand the firm’s current capabilities, and assess the firm’s awareness of the multiple ICT incident reporting requirements it is subject to.
  3. Resilience testing: understand the skills and capabilities required to shape and run resilience testing, and the implications for remediating what the testing finds.
  4. Third-party provider (TPP) risk management: improve the mapping of TPP contracts and connections, and document and review third-party vulnerabilities to inform the development of a risk containment strategy.

Given the significance and number of financial institutions the legislation is likely to capture, firms need to be aware of the sheer scale of effort that compliance with DORA will require. A proactive approach with a clear implementation strategy will be essential.

After two years as a virtual conference, EBAday 2022 will run in person for its seventeenth year, welcoming a host of board directors, chief executive officers, and payments and technology heads from Europe’s leading banks, as well as selected fintechs.

Register now to attend EBAday 2022 in Vienna, Austria on the 31st of May and 1st of June.
