Exploring DORA: Understanding the Global Regulatory Landscape

Learn how DORA compares to other regulations.

In an increasingly interconnected world, the importance of robust regulatory frameworks to increase the stability and security of financial systems cannot be overstated. The European Union’s Digital Operational Resilience Act (DORA) is a significant regulatory development aimed at enhancing the operational resilience of financial entities. This blog explores how DORA compares to other major regulations globally, highlighting its unique features and the broader implications for the financial industry.

Understanding DORA

The European Commission introduced DORA as part of the Digital Finance Package in September 2020. Its primary objective is to enhance the ability of financial institutions to withstand, respond to, and recover from all types of ICT-related disruptions and threats. DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, and third-party ICT service providers.

Key components of DORA include:
  1. ICT risk management: Financial entities must implement comprehensive ICT risk management frameworks to identify, assess, and mitigate risks.
  2. Incident reporting: Mandatory reporting of significant ICT-related incidents to competent authorities.
  3. Digital operational resilience testing: Regular testing of ICT systems to enable resilience against disruptions.
  4. Third-party risk management: Enhanced oversight of third-party ICT service providers to hold them to resilience standards.
  5. Information sharing: Encouragement of information sharing among financial entities to improve collective resilience.

Comparing DORA to Other Regulations and Industry Best Practices

1. NIST Cybersecurity Framework (United States)

The National Institute of Standards and Technology Cybersecurity Framework is a voluntary framework that provides guidelines for managing and reducing cybersecurity risks. While not a regulatory requirement, it is widely adopted by U.S. financial institutions.

  • Scope: Unlike DORA, which is mandatory for EU financial entities, the NIST framework is voluntary and can be applied to any industry.
  • Focus: Both frameworks address cybersecurity risk management broadly, but DORA places significantly more emphasis on operational resilience.
  • Incident reporting: DORA mandates incident reporting, while NIST encourages it but does not require it.

2. GDPR (European Union)

The General Data Protection Regulation is another significant EU regulation, primarily focused on data protection and privacy.

  • Scope: GDPR applies to all organizations processing personal data of EU citizens, while DORA is specific to financial entities.
  • Focus: GDPR emphasizes data protection and privacy, whereas DORA focuses on operational resilience and ICT risk management.
  • Incident reporting: Both regulations require incident reporting, but GDPR focuses on personal data breaches, while DORA covers a broader range of ICT incidents.

3. Basel III (Global)

Basel III is a set of international regulatory standards developed by the Basel Committee on Banking Supervision to strengthen regulation, supervision, and risk management within the banking sector. The EU is implementing the Basel III framework beginning January 1, 2025, while implementation in the United States and the United Kingdom is likely to be delayed.

  • Scope: Basel III is specific to internationally active banks, while DORA applies to a wider range of financial entities.
  • Focus: Basel III focuses on capital adequacy, stress testing, and market liquidity risk, whereas DORA focuses on ICT risk management. Both address operational resilience.
  • Incident reporting: Basel III does not specifically mandate ICT incident reporting, unlike DORA.

4. FCA Operational Resilience Framework (United Kingdom)

The Financial Conduct Authority in the UK has its own operational resilience framework, which shares similarities with DORA.

  • Scope: Both frameworks apply to financial entities, but the FCA framework is specific to the UK.
  • Focus: Both frameworks emphasize operational resilience, but DORA has a broader scope, including third-party risk management and information sharing.
  • Incident reporting: Both frameworks require incident reporting, but DORA has more detailed requirements.

Implications for the Financial Industry

The introduction of DORA represents a significant step toward enhancing the operational resilience of financial entities in the EU. By mandating comprehensive ICT risk management, regular resilience testing, and robust incident reporting, DORA aims to mitigate the impact of ICT-related disruptions on the financial system.

For financial entities operating globally, compliance with multiple regulatory frameworks can be challenging. However, the principles of DORA align with many existing regulations and industry best practices, such as the NIST Cybersecurity Framework and the FCA Operational Resilience Framework. This alignment can facilitate a more integrated approach to managing ICT risks and operational resilience. As long as the main capabilities required by DORA are addressed, financial entities remain free to use ICT risk management models that are framed or categorized differently.

Conclusion

DORA sets a high standard for operational resilience in the financial sector, with its comprehensive approach to ICT risk management, incident reporting, and third-party oversight. While it shares similarities with other regulations, its mandatory nature and broad scope make it a unique and influential regulatory framework. As the global regulatory landscape continues to evolve, financial entities must stay informed and adapt to maintain compliance and resilience in an increasingly digital world.
