DORA (Digital Operational Resilience Act) Batch 2 Changes and Expectations from BFSI sector

This is an exclusive article series conducted by the Editor Team of CIO News with Kavitha Srinivasulu, Global Head – Cyber Risk & Data Privacy: R&C BFSI – Tata Consultancy Services (TCS).

In recent times, the dependency of financial institutions on information and communication technologies (ICT) has tremendously increased due to rapid digitization and preference for digital channels for customers to do business with. However, banks and other financial entities have become more vulnerable to cybersecurity incidents disrupting their business operations and increasing the risk of loss across the European region. As a measure to enhance the overall digital operational resilience of the EU financial sector, on 27 December 2022, the Digital Operational Resilience Act (DORA) was published in the Official Journal of the European Union1 and entered into force on 16 January 2023. All the financial institutions under the regulation of the European Commission must be compliant with DORA by January 2025. This is primarily keeping in mind to strengthen the security controls, enhance the data protection, and gain customer trust.

DORA Batch 1 and Batch 2 rules have been released in January and July 2024 to emphasize more on the security of data and strengthen the resilience controls. There is significant pressure to put changes in place by that deadline, and the lack of clarity while awaiting the final text of the level 2 rules has presented a challenge for both financial entities and IT suppliers. The impact on financial institutions is expected to be high, and its need to step up their core capabilities will see a large push across the EU in regulators seeking to acquire ICT knowledge and capabilities. Some of the batch 2 rules are now treated as final and have huge expectations from the BFSI organizations to comply with before January 17^th, 2025. Those that take the form of Regulatory Technical Standards (“RTS”) and Implementing Technical Standards (“ITS”) still need to go through an additional review process to meet the regulatory requirements. They will need to be adopted by the European Commission, and, in the case of RTSs, the European Parliament and the Council of the European Union will have an opportunity to scrutinize the draft and raise objections. If there are no objects raised, then more likely they will be in force by January 2025. However, significant changes at this stage are unlikely.

DORA will impact all financial entities regulated at the EU level, including:

• The Financial Services Industry
• Payment institutions
• ​Investment firms
• Credit rating agencies
• Crypto-asset service providers
• Crowdfunding service providers
• Fintech
• ​Trading venues
• Financial system providers
• Credit institutions

DORA will not only apply to banks and financial institutions but also to critical suppliers to the financial sector, explains De Nies: ‘For example, the company that manages the network of a bank.

The main objectives of DORA regulation are:

1. Enhancing the EU’s financial sector operational resilience.
2. Strengthening security controls for customer information to avoid data breaches.
3. Establishing robust governance structures and improving ICT recovery capabilities.
4. Improving the regulators’ roles and responsibilities to strengthen the regulatory requirements.

DORA Regulatory Timeline:

5 key pillars of DORA:

DORA increases the attention on ICT used by financial institutions. DORA converges on five key pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk, and information sharing agreements. The scope of financial institutions to whom this applies has been broadened. Besides the traditional financial institutions, such as banks and insurance companies, crypto-asset service providers are also required to comply with the guidelines and require more formalization since no current standards are published yet for crypto-asset service providers. To meet the requirements and continue to conduct business appropriately and successfully, ICT systems need to be updated, processes optimized, and employees trained.

DORA Challenges:

1. Increased compliance costs.
2. Increased regulatory oversight.
3. Changes in business practices.
4. Greater emphasis on 3^rd party risk management.
5. Robust risk management framework.
6. Rigorous risk management processes and procedures.
7. Improved operational resilience.

While DORA regulation may pose various challenges for financial institutions, it is expected to result in improving operational resilience and strengthening data protection.

DORA Batch 2 Changes and Expectations:

Some of the key changes expected by the DORA regulation are:

• RTS requires the financial entities to monitor subcontracting conditions for critical or important functions.
• RTS and ITS on major incident reporting to ensure there is timely notification to the required stakeholders.
• RTS specifies elements related to threat-led penetration tests (“TLPT”).
• RTS defines time limits for reporting incidents. The 24-hour/72-hour window for reporting will begin with the submission of the previous notification/report instead of the moment of classification of the incident (as per the last draft).

• Focus and comply with the additional DORA requirements as associated with existing and new batch EBA/EIOPA guidelines.

• Financial entities should ramp up their efforts to implement the changes required to comply with DORA by January 17, 2025, to meet the defined deadline.

Best Practices to comply with DORA:

The following action items will help your organization prepare for this legislative proposal:

1. Perform a robust gap analysis.
2. Determine the maturity level of the organization with DORA key requirements.
3. Implement a threat-led penetration testing framework.
4. Assess Response and Recovery Strategies
5. Perform a gap analysis to mitigate the risks in a proactive and timely manner.

DORA changes the requirements regarding the responsibility and liability risks of organizations concerning third-party ICT risks. For example, it is necessary to review and, if necessary, adjust the scope and conditions of insurance coverage. DORA primarily introduces a holistic approach to ICT risk management that brings in a consistent approach across all the financial institutions. It could help in establishing a unified risk framework, allowing a better assessment of the organization’s ICT risks, and simplifying overall reporting to the top management. It is a unique opportunity to work on the realistic operational model to increase business resilience and decrease the unforeseen threats evolving day by day. DORA shows or brings not only a challenge but also a substantial opportunity for banks and other financial institutions to know the strategic value of fit-for-purpose resilience in the uncertain threat environment.

About Kavitha Srinivasulu

Kavitha Srinivasulu is an experienced cybersecurity and data privacy leader with over 20 years of experience focused on risk advisory, data protection, and business resilience. She has demonstrated expertise in identifying and mitigating risks across ISO, NIST, SOC, CRS, GRC, RegTech, and emerging technologies, with diverse experience across corporate and strategic partners. She possesses a solid balance of domain knowledge and smart business acumen, ensuring business requirements and organizational goals are met.

Disclaimer: The views and opinions expressed by Kavitha in this article are solely her own and do not represent the views of her company or her customers.

Also read: Top 3 Workforce Management Companies in India You Should Know

Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter 

About us:

CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.

CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.