Compliance with a new EU regulatory framework called Digital Operational Resilience Regulation (DORA) will soon become mandatory. What do cyber insurance professionals need to know?
Cyberattacks are becoming increasingly sophisticated with each passing year. In 2023, a cyberattack occurred every 39 seconds, which adds up to over 2,200 attacks daily. Furthermore, the European Union estimates that the global annual cost of cybercrime exceeds €5 trillion, underscoring the urgent need for a robust response.
To address these threats, the EU, in collaboration with key authorities, has developed a comprehensive regulatory framework called the Digital Operational Resilience Regulation (DORA). This framework aims to mitigate risks stemming from the cyber environment and from information and communication technology (ICT).
The History of Regulations in the Financial Sector
In recent years, the emphasis on cybersecurity has increased, starting with initiatives like the 2016 NIS Directive, which aimed to secure network and information systems across critical sectors. DORA represents a significant evolution, being the first EU regulation specifically designed for the financial sector to mandate the identification and management of digital ICT risks. DORA’s scope is broad, applying not just to large, well-regulated banks but also to smaller financial entities and ICT service providers. By creating uniform requirements across the sector, the regulation ensures that all players prioritize cybersecurity and operational resilience to a similar standard.
What is DORA?
DORA is a new EU initiative aimed at bolstering cybersecurity and operational resilience across the financial services sector. The regulation works to establish a unified framework to address the growing risks posed by digital threats. DORA requires businesses to meet strict compliance standards designed to safeguard the stability of the financial ecosystem.
Why Was DORA Created?
While the financial sector has long been governed by various laws and regulations, these have traditionally focused on financial risks such as credit exposures or fraud prevention. However, the growing digitalization of the industry has introduced new challenges that existing frameworks fail to address comprehensively.
Key Focus Areas of DORA Regulation
- ICT Risk Management: Implement a comprehensive framework to identify, assess, and manage risks associated with ICT systems.
- ICT-Related Incident Reporting: Establish standardized processes and templates for reporting ICT-related incidents, ensuring consistency and transparency in incident management.
- Digital Operational Resiliency Testing: Conduct thorough testing to assess and ensure technology resilience, using a variety of techniques and harmonizing data collected by financial organizations.
- ICT Third-Party Risk: Introduce stricter controls and oversight processes to manage risks arising from third-party ICT service providers.
- Information Sharing: Develop mechanisms to facilitate the exchange of information on threat actor activities, promoting collaboration and enhanced security across the financial sector.
When Does DORA Go Into Effect?
DORA officially came into effect on January 16, 2023. However, compliance becomes mandatory for all European financial entities starting January 17, 2025. With the compliance deadline approaching, businesses have a limited window to prepare and ensure they meet DORA’s requirements. Early planning, comprehensive risk assessments, and robust implementation strategies are essential steps for ensuring readiness and meeting the challenges that DORA poses.