The Digital Operational Resilience Act (DORA): A Comprehensive Analysis

By Dr. Athanasios Staveris-Polykalas

In an era of increasing digital interdependence, the European Union (EU) has recognized the need for robust cybersecurity and operational resilience in the financial sector. The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) entered into force on January 16, 2023, and applies from January 17, 2025. It aims to ensure that the EU’s financial sector can withstand, respond to, and recover from all types of Information and Communication Technology (ICT)-related disruptions and threats. This article examines the key components, objectives, and impacts of DORA, with a particular focus on how it will affect Greece.

Objectives and Scope of DORA

Enhancing ICT Risk Management

One of DORA’s primary objectives is to establish a robust ICT risk management framework across the EU’s financial sector. Financial entities in scope, which include banks, insurance companies, investment firms, payment institutions, crypto-asset service providers and a range of other regulated entities, are required to implement a comprehensive ICT risk management framework for which the management body bears ultimate responsibility. The framework must cover all aspects of ICT risk, including identification and classification of assets and threats, protection and prevention, detection, and continuous monitoring. Entities must also conduct regular risk assessments and maintain ICT business continuity and response and recovery plans so that they can respond swiftly and effectively to cyber threats and other ICT disruptions.

Strengthening Third-Party Risk Management

DORA places significant emphasis on managing risks associated with third-party ICT service providers. Financial entities remain fully responsible for the services they outsource: they must perform due diligence before contracting, include mandatory contractual provisions (such as audit and access rights, service levels, and exit strategies), maintain a register of information covering all ICT third-party arrangements, and assess concentration risk. This involves rigorous oversight, regular audits, and continuous monitoring of third-party service providers to ensure they adhere to the agreed security requirements. In addition, ICT third-party providers designated as critical will be subject to a Union-level Oversight Framework, in which one of the European Supervisory Authorities (ESAs), the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), or the European Insurance and Occupational Pensions Authority (EIOPA), acts as Lead Overseer for each critical provider.

Incident Reporting and Management

Timely and detailed reporting of ICT-related incidents is a cornerstone of DORA. Financial entities must classify incidents according to harmonized criteria and report those classified as major to their competent authority in stages: an initial notification, an intermediate report, and a final report. The deadlines are set out in the accompanying technical standards; the initial notification is due within hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), the intermediate report within 72 hours of the initial notification, and the final report within one month. Significant cyber threats may also be reported on a voluntary basis. This structured incident reporting framework ensures that authorities can respond swiftly and effectively to mitigate the impact of cyber threats, and the reports must detail the incident’s root cause, impact, and the remediation measures taken.

Digital Operational Resilience Testing

To ensure ongoing resilience, DORA mandates regular testing of ICT systems. All financial entities other than microenterprises must maintain a digital operational resilience testing programme that includes tests such as vulnerability assessments and scans, gap analyses, network security assessments, source code reviews, scenario-based tests, and penetration testing, with critical ICT systems tested at least yearly. Entities identified by their competent authorities on the basis of their systemic importance and ICT risk profile must additionally undergo threat-led penetration testing (TLPT) at least every three years. TLPT is performed against live production systems supporting critical or important functions, following the threat-intelligence-driven approach of the TIBER-EU framework. These testing requirements help identify and address vulnerabilities, ensuring that entities can withstand real-world cyber threats.

Implementation Challenges and Timeline

The implementation of DORA involves a phased approach with key milestones leading up to the January 2025 application date. The ESAs are responsible for drafting Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that detail specific requirements for ICT risk management, incident classification and reporting, the register of information, third-party risk management, and TLPT. These standards are expected to be finalized in 2024, providing financial entities with the detailed guidelines needed to achieve compliance.

Despite the clear benefits of DORA, the implementation process presents several challenges. Financial entities must navigate the complexity of the secondary legislation, which adds layers of detail to the primary regulation. The ESAs have acknowledged the tight timeline and the potential difficulties entities may face in meeting all requirements promptly. As a result, financial entities must prioritize foundational activities, such as inventorying ICT assets and third-party arrangements and identifying their critical or important functions, before broader compliance work can proceed.

Impact on the Financial Sector in Greece

Strengthening Local Financial Institutions

DORA will have a profound impact on Greece’s financial sector, compelling local institutions to enhance their ICT risk management frameworks significantly. Greek banks, insurance companies, and investment firms will need to adopt comprehensive risk management strategies, conduct regular risk assessments, and implement robust incident response plans. These measures will not only bolster the resilience of individual institutions but also contribute to the stability of Greece’s financial system as a whole.

Enhancing Third-Party Oversight

Given the increasing reliance on third-party ICT service providers, Greek financial entities must establish rigorous oversight mechanisms to manage third-party risks effectively. DORA’s requirements for contractual safeguards, continuous monitoring, and regular audits of third-party providers are designed to hold these providers to high cybersecurity standards. This enhanced oversight will mitigate the risks associated with outsourcing critical ICT services, thereby improving the overall security posture of Greece’s financial sector.

Improving Incident Reporting and Response

DORA’s structured incident reporting framework will improve the ability of Greek financial institutions to respond to cyber threats. By mandating timely and detailed incident reports, DORA enables Greek competent authorities to coordinate swift responses that mitigate the impact of cyber incidents. This enhanced reporting will also produce better data for collection and analysis, helping authorities understand the evolving threat landscape and develop more effective countermeasures.

Facilitating Digital Resilience Testing

Greek financial entities will benefit from the rigorous testing protocols mandated by DORA. Regular vulnerability assessments, scenario-based testing, and threat-led penetration testing will help institutions identify and address weaknesses in their ICT systems. By ensuring that critical systems are robust and resilient, these testing protocols will enhance the overall operational resilience of Greece’s financial sector.

Conclusion

The Digital Operational Resilience Act represents a significant step forward in strengthening the cybersecurity and operational resilience of the EU’s financial sector. By establishing comprehensive ICT risk management frameworks, enhancing third-party risk oversight, and mandating rigorous incident reporting and testing protocols, DORA aims to ensure that financial institutions can withstand, respond to, and recover from cyber threats and operational disruptions.

For Greece, DORA presents both challenges and opportunities. The rigorous requirements will compel Greek financial institutions to enhance their cybersecurity measures, thereby contributing to the stability and resilience of the national financial system. As the implementation deadline approaches, Greek financial entities must prioritize key activities, engage with stakeholders, and adapt to the evolving regulatory landscape to achieve compliance and safeguard their operations in an increasingly digital world.

By embracing the principles and requirements of DORA, Greece’s financial sector can strengthen its defenses against cyber threats, enhance operational resilience, and build a more secure and stable financial environment for the benefit of all stakeholders.
