In 2020, the European Union (EU) published a proposal on digital operational resilience known as EU-DORA. EU-DORA, albeit a proposal only, marks a turning point in EU banking regulation as it introduces wide-ranging new requirements in several areas and combines earlier singular regulatory provisions.
The proposal introduces wide-ranging changes to the way security, continuity and resilience will be regulated for financial institutions and their ICT service providers. In response, ISACA has produced a white paper, Digital Operational Resilience in the EU Financial Sector: A Risk-Based Approach, that addresses the proposed requirements in a concise and easy-to-read manner.
Some key aspects of the proposal are highlighted, and there is a great mapping of existing ISACA resources that address some of the DORA requirements. Risk management, cybersecurity and incident reporting are now subject to new regulatory requirements – just to name a few. “New” risk management will have to truly define and gain alignment on risk appetite, and it covers a larger number of risk categories within OpRisk. As a result, financial institutions and their ICT service providers will now have to take a proactive stance toward risk management as it defines their mitigation activities.
Furthermore, DORA places particular emphasis on the supply chain with new testing and risk regimes. Increasingly, the attacks on the “weakest link in the chain” are also seen as a control weakness on part of the principal. Financial institutions outsource key activities where they are likely to be held liable (or at least be implicated) in breaches and when they have neglected their control responsibilities.
The ISACA white paper provides an excellent starting point to address DORA in a strategic manner and is a must-read for senior management and C-level executives having to deal with operational resilience.