A few months ago an agreement was reached on what is being called a real revolution: the Digital Operational Resilience Act, also known as DORA.
This is the new European regulation for the financial sector. Its aim is to harmonise, at European level, the security requirements for the IT infrastructures of financial entities and of the ICT service providers that serve them. The revolution starts with the type of legal instrument. Unlike a directive, which each member state must transpose into its own law, a regulation is binding and directly applicable in all its elements in every member state, which ensures far greater homogeneity across the Union. In addition, DORA adopts an innovative approach to integrated risk management and to the supervision of third-party providers, which can lead to more thorough and effective management of IT security in the financial world.
The path began in 2019 and led to political agreement on the draft regulation in May of this year, with a view to its publication and, after a transition period, its application. The text puts the concept of resilience at the centre of cybersecurity. The concept is certainly not new, and for some years it has been applied specifically to the financial sector: it means the ability of a system to withstand the stress of an adverse event without its strategic operations collapsing.
Accordingly, Article 3 of the proposal defines "digital operational resilience" as the ability of a financial entity to build, ensure and review its operational integrity from a technological point of view by guaranteeing, directly or indirectly through the use of services provided by third-party ICT providers, the full range of ICT-related capabilities needed to address the security of the network and information systems the financial entity uses, which support the continued provision of financial services and their quality.
What is the Digital Operational Resilience Act.
Its fundamental purpose is to create a clear, well-defined basis, uniform across all European countries, for managing the risks arising from the digitalisation of companies active in financial services, thereby complementing the NIS Directive. Both traditional operators, such as banks and insurance companies, and crypto-asset service providers fall within its scope. DORA also pays greater attention to the risk associated with services provided by third parties, making it possible to monitor that risk for the entire duration of the contractual relationship.
The concept of operational resilience highlights a company's ability to remain operational in the event of incidents or malfunctions, managing risk effectively through a resilience testing programme that is repeated at least annually with a view to continuous improvement. The objective is for the organisation to avoid impacts serious enough to affect the availability of critical services, and to intervene promptly by quickly identifying any breaches or critical issues.
As regards the recording and reporting of incidents, DORA introduces a common method and predefined criteria for their classification, defines the management process through standard phases, and establishes a communication and reporting plan both internally and towards external parties and the competent authorities.
The DORA Framework.
The Framework is designed to minimise the impact of adverse events on critical functions, including events that can interrupt services. Simplifying, its scope can be summarised in five areas:
- Identification of critical functions and mapping of the assets to be protected;
- Collection of information and data necessary for understanding and defining risk scenarios;
- Analysis of scenarios and risk acceptability in relation to the different functions;
- Definition of testing scenarios based on the assessments made and the data collected;
- Continuous monitoring of the level of operational resilience.
It is a regulatory framework, therefore, through which financial sector players should be able to face growing cyber threats, mitigate their risks and ensure the operational resilience needed to protect both their users and the organisation itself.