The proposed legislation will ensure all firms are prepared for any disruptions and threats and that contributors in the financial system are subject to the same standards.
The relevance of digital finance has increased during the past months with a significant rise in the use of financial apps, globally. Financial institutions have accelerated the incorporation of technology into their operations, while making sure this transition is smooth and secure for the customers. Current rules and legislations on ICT-risk management vary significantly in between different financial services, hence a proposal that ties together different initiatives has been developed.
With the proposal of the Digital Operational Resilience Act (DORA), drafted in September 2020 by the European Commission, the ICT risk requirements in the financial sector are set to be consolidated and upgraded to minimize the danger of cyber-attacks and other risks.
This proposed legislation will ensure all firms are prepared for any disruptions and threats and that contributors in the financial system are subject to the same standards, which are brought together into a common legislative act. Given that the current EU rules differentiate between the financial services sectors, they only partially address the ICT risks on the agenda. DORA is intended to bridge this gap and combine obligations to ensure all participants are subject to the same standards.
This will also help in the regulation of ICT-third party service providers and the reporting of major ICT-related incidents and information sharing between different financial entities. Given that these risks depend on the size, purpose and business functions, these requirements are to be applied accordingly, ensuring all financial entities are covered and their individual needs are met.
The use of financial applications increased by 72% in a week at the beginning of the Coronavirus pandemic
The key of ICT-related requirements on financial entities as proposed in the DORA legislation include:
Image Source: https://www.grantthornton.ie/insights/factsheets/dora-digital-operational-resilience-act/
The main obligations of the DORA proposal
- ICT Risk Management – This will require the financial entities to have a framework in place which ensures the management of ICT risks, including identification, protection, prevention, detection, response and recovery. These will need to be set-up and constantly overseen by the management as part of operational business continuity.
- ICT-related incident reporting – Financial entities will be required to streamline a process to detect, classify and report major ICT-related incidents to the relevant authorities and institutions. The information needs to be provided within the set timeframes, to allow the financial supervisors to access the impact and give feedback and guidance.
- Digital operational resilience testing – The ICT risk management framework needs to be constantly tested by independent parties to ensure the firms will be able to identify any deficiencies or weaknesses and at upon them.
- ICT third-party risk – With the financial firms becoming more and more dependent on technology firms, this proposal is designed to safeguard the monitoring of ICT third-party risks and set the minimum requirements. Contracts between financial and technology firms need to adhere to a set of requirements as well as have a full list of procedures to mange risks, be able to provide the requested information for investigations and pay the lead overseer the regulator’s cost in proportion to the company’s turnover.
- Information sharing – This will allow financial entities to share between them information on cyber-threats and intelligence, subject to the EU data protection and laws.
The use of financial applications increased by 72% in a week at the beginning of the Coronavirus pandemic (A Digital Finance Strategy for Europe – European Commission 2020). This proposal will be important to assist in customer identification across all EU Member States. It will be more beneficial to customers as they will be required to identify themselves once across different services. However, it will also ensure customers have control over their personal data while enabling the financial services providers to offer more personalized services, which will address the customer needs directly.
The digital finance strategy for Europe introduces new rules and guidance to digital and financial entities which will help in harmonizing their operations. All financial entities across markets will be subject to supervision, to avoid risks and ensure financial sustainability is protected.
This article is part of the FinTalk Podcast Series by Finance Malta and Tech.mt’s CEO, Dana Farrugia.
Posts in Series:
- The Digital Transformation in the Financial Industry
- The priority areas of the Digital Finance Strategy by the EU Commission
- A step forward in regulating crypto assets
- Addressing the mitigation of ICT-risks within the financial sector in relation to the EC proposal
- The rise of Digital Payment Methods
