New requirements for the financial sector to reduce cyber threats - the DORA regulation

New EU legislation to strengthen the financial sector's digital operational resilience (Digital Operational Resilience Act, DORA) will apply from 16 January 2025. Financial institutions thus have just under two years to adapt to the new rules. The rules have been adopted as a regulation and are intended to increase the resilience of the financial sector in Europe against cyber threats. The regulation is expected to be implemented in Norwegian law.


The background to the regulation

The background to the regulation is that increased digitalisation in society has led to a growing risk of cyber threats and ICT disruptions for key sectors, including the financial sector. In recent decades, ICT has taken on a central role in finance, including in the operation of typical day-to-day functions such as payments, credit assessment, claims processing and securities settlement. Furthermore, there is a high degree of interconnection between financial entities, financial markets and financial market infrastructures. Serious ICT breaches in the financial sector can therefore have negative consequences for the stability of Europe's financial system.

The DORA regulation is part of the European Commission's digital finance package.

Who is covered by the regulation?

DORA applies to a wide range of financial companies ("financial entities"), as well as to critical ICT third-party service providers.

The requirements placed on a company vary depending on its size and function. Among other things, enterprises categorised as micro-enterprises are subject to fewer requirements. A micro-enterprise is defined as a financial undertaking (with the exception of trading venues, central counterparties, trade repositories and central securities depositories) with fewer than ten employees and an annual turnover and/or annual balance sheet total that does not exceed two million euros.

Below is a list of the financial entities covered by the regulation:

  • credit institutions
  • payment institutions
  • account information service providers (AISP)
  • e-money institutions
  • investment firms
  • crypto-asset service providers
  • central securities depositories
  • central counterparties (CCPs)
  • trading venues (regulated market etc.)
  • trade repositories
  • managers of alternative investment funds and management companies
  • providers of data reporting services
  • insurance and reinsurance undertakings
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • institutions for occupational retirement provision
  • credit rating agencies
  • administrators of critical benchmarks
  • securitisation repositories, and
  • crowdfunding service providers.

What requirements are placed on the companies?

The most important requirements that the DORA regulation places on financial institutions are briefly described below.

Requirements for risk management

Firstly, the regulation sets requirements for financial undertakings' management of information and communication technology (ICT) risk. The requirements for risk management follow from Chapter II of the regulation. Financial institutions must establish an ICT risk management framework. As part of the framework, financial institutions must, among other things, identify, classify and document all ICT-supported business functions and roles, and continuously identify all sources of ICT risk. The classification and risk assessment must be reviewed at least annually.

Financial institutions must also, among other things, establish policies and procedures for backups. There is also a requirement to have crisis communication plans in place that enable responsible disclosure of major ICT-related incidents or vulnerabilities to customers, counterparties and the public.

The risk management requirements follow the principle of proportionality. This means that a financial institution's risk management must be proportionate to the enterprise's size and overall risk profile, and to the nature, scale and complexity of its services, activities and operations.

Requirements for incident handling

Secondly, the DORA regulation requires financial institutions to establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents (Chapter III of the regulation). This means that financial institutions must, among other things, record all ICT-related incidents and significant cyber threats. Furthermore, enterprises must establish procedures and processes to ensure consistent and integrated monitoring, handling and follow-up of ICT-related incidents, so that root causes are identified, documented and addressed in order to prevent such incidents from occurring.

Financial institutions are obliged to classify all ICT-related incidents and determine their impact based on a number of criteria, including the duration of the incident and its geographical spread in terms of the areas affected. Furthermore, financial institutions must report major ICT-related incidents to the competent authorities. Customers must also be informed of such major ICT-related incidents without undue delay if the incident has an impact on their financial interests.

Requirements for testing

Thirdly, DORA includes rules on digital operational resilience testing (Chapter IV). Financial undertakings, with the exception of micro-enterprises, are obliged to establish a sound and comprehensive testing programme as an integral part of the ICT risk management framework. The testing programme must include a range of assessments, tests, methodologies, practices and tools.

The testing programme must follow a risk-based approach, among other things by taking account of the company's specific risks. The tests must be carried out by independent parties, whether internal or external. Furthermore, financial institutions must establish procedures and policies to prioritise, classify and remedy all issues revealed during the execution of the tests. The tests must be carried out at least annually on all ICT systems and applications that support critical or important functions.

Management of risks related to ICT suppliers 

Fourthly, financial institutions are required to implement measures for the sound management of risks linked to ICT third-party service providers (Chapter V). Risks linked to ICT suppliers must be assessed as part of the financial institution's overall ICT risk assessment. Furthermore, financial institutions must adopt and regularly review a strategy on ICT third-party risk. The strategy must include a policy on the use of ICT services supporting critical or important functions that are provided by ICT suppliers.

What is the consequence of breaking the rules?

The regulation gives the competent authorities the power to require the temporary or permanent cessation of any practice that breaches the regulation. Furthermore, the competent authorities are empowered to adopt any type of measure, including measures of a financial nature. No guidelines have been laid down regarding the size of any fines for infringements.