Europe’s financial landscape continues to evolve rapidly, driven by technological advancements and increasing digitalization, including the potentially profound role that artificial intelligence (AI) will play in business models, sales, marketing, and product development.
As financial institutions embrace more powerful and sophisticated information and communication technology (ICT) to enhance their operations, they also become more vulnerable to cyber threats and disruptions. In response to this growing risk, the European Union (EU) has introduced the Digital Operational Resilience Act (DORA), a comprehensive regulation aimed at fortifying cybersecurity within the financial sector.
What is DORA?
DORA, which entered into force on January 16, 2023 and will become fully applicable on January 17, 2025, establishes a comprehensive framework for ICT risk management across the EU financial sector. This includes banks, insurance companies, and investment firms, bringing a large number of fund managers squarely within its scope.
It covers a wide range of areas, including ICT risk management, incident management, digital operational resilience testing, and oversight of critical ICT third-party providers.
The finalization of DORA, expected later in 2024, will solidify these regulations, mandating specific requirements in various areas. However, while there’s still time before the deadline, fund managers operating within the EU should take proactive steps now to ensure compliance and avoid potential disruptions.
Five key areas for fund managers in scope to watch include:
ICT Risk Management:
DORA places emphasis on strong internal governance and control frameworks for managing ICT risks. Fund managers, with the support of their boards, will need to develop a robust framework, with clear accountability structures, risk identification processes, and effective mitigation strategies.
Incident Reporting:
DORA outlines clear standards for managing and reporting ICT-related incidents. This includes establishing procedures for classification, adhering to reporting timelines, and ensuring a thorough understanding of the existing incident reporting landscape within the financial sector. Fund managers should evaluate their ICT incident management and reporting maturity to identify current capabilities and any gaps that need to be addressed.
Digital Resilience Testing:
DORA mandates digital resilience testing to ensure critical systems can withstand disruptive events. Fund managers will need to develop the necessary capabilities to design and conduct effective testing. This may involve investing in building in-house expertise or identifying qualified external partners.
Third-Party Risk Management:
With increasing reliance on outsourcing, fund managers must be aware of the risks associated with third-party ICT service providers. DORA specifically requires fund managers to map provider connections, understand critical dependencies on these services, and conduct vulnerability assessments.
Information Sharing:
DORA recognizes the importance of information sharing in combating cyber threats. The regulation encourages the creation of Information Sharing Communities (ISCs) where financial entities can share threat intelligence and best practices. Fund managers should explore participation in relevant ISCs to stay informed about the latest cyber threats and mitigation strategies.
Fines of up to 2% of total annual worldwide turnover
By taking these proactive steps well ahead of the January 2025 deadline, fund managers can avoid potential disruptions and ensure compliance with DORA.
Failure to do so will leave funds with weaker cybersecurity and liable to financial penalties for violations of its requirements. A breach could see institutions fined up to 2% of their total annual worldwide turnover, which means that for some businesses the risks of non-compliance could be measured in the millions.