
DORA comes into force
The DORA regulation came into force on 17 January 2025, which means that covered entities should already be prepared, as recently confirmed by the Polish Financial Supervision Authority (KNF). This is despite the fact that the law implementing DORA has not yet been adopted and the delay could be more than ten weeks.
In the absence of adequate national legislation on the KNF’s supervisory framework, the market had hoped for the introduction of a so-called ‘cooling period’, i.e. a period to adjust to legislation that is not yet applicable. Unfortunately, no such period has been established, which means that the obligations under DORA will apply, although it is unclear whether they will be enforced.
More than 20,000 businesses covered by DORA
It is estimated that DORA will cover more than 20,000 financial entities and ICT service providers across the European Union.
These will mainly include credit institutions, payment institutions, insurance companies and investment firms, but also credit rating agencies and crypto-asset service providers (with some exemptions foreseen on account of the scale of an entity’s activities). In total, there are 20 categories of financial sector entities and third-party ICT service providers.
While it was clear from the outset that banks would be covered by the new rules, the inclusion of insurance companies and investment firms was not so obvious, and some of them still have doubts in this respect. In such cases, each entity will have to determine its own qualification on the basis of the list contained in DORA.
DORA – how to prepare for digital operational resilience
In order to adapt to the new requirements in the area of digital operational resilience, each financial entity should first ensure that it is adequately prepared internally.
In practice, activities at this stage boil down to the development of relevant policies, procedures, mechanisms and documentation. Although this is a large and advanced undertaking, it is fairly standard for financial institutions and most are already prepared in this respect.
The next stage, external preparation, involves ensuring the security of contractual relationships with ICT service providers.
Unlike the first stage of preparation, which is generally a one-off exercise, external preparation is an ongoing process.
Financial entities need to analyse which ICT processes they outsource to external providers and secure them one by one. As part of this, risks need to be assessed and reviewed in order to align provider contracts with DORA requirements, including by introducing appropriate terms and mechanisms in the area of security standards, data protection guarantees and audit powers.
However, this is a highly problematic process due to a number of interpretative uncertainties, e.g. in determining who is and who is not an ICT service provider.
It also involves the need to potentially amend up to several hundred contracts, often with foreign providers. It is therefore unlikely that every organisation will have completed this process by Day 0.
So what does digital operational resilience mean for financial entities? It is their ability to ensure the continuity, and maintain the quality, of the ICT-based services they provide, both inside and outside the organisation.
Not only do financial institutions need to ensure that their contractual relationships with providers are properly structured, but they also need to regularly audit and test the performance of their ICT systems.
Indeed, DORA’s main objective is to ensure that financial services are delivered in an uninterrupted and secure manner. Every financial entity must therefore be prepared at all times to respond to and effectively minimise ICT infrastructure problems.
Source: Rp.pl
Date: 17.01.2025