The DORA Regulation: there’s time to comply… but an adequate RegTech tool is needed

The impact of the DORA on finance? Cyber Security, Governance, Risk Management and more

‍The growing regulation process in the financial world will experience another crucial chapter in the coming months. This time we are not talking about the increasingly central regulatory area related to ESG goals nor to the regulatory future of Crypto and FinTech worlds. This year, the year of financial compliance, will also see operators engaged in the IT field. Indeed, it is the focus area of the so-called DORA, the Digital Operational Resilience Act. Namely the Regulation (EU) 2022/2554 of 14 December 2022, which was published in the European Union Gazette on 27 December 2022, and relates to digital operational resilience for the financial sector. The DORA Regulation already came into force within the European Union on 17 January 2023, but financial operators will have time until 17 January 2025 to comply with it. This is certainly a sufficient amount of time and may also seem very ample, but it could be insidious for those who do not equip themselves with the right tools to comply with all the new obligations introduced by the EU.

Discovering the new European digital resilience law: all the interested financial operators

Before analyzing the new elements introduced by the DORA, it is appropriate to identify which financial players will have to comply with it. And the list is really long. It starts with credit and payment institutions to account information service providers, electronic money institutions, investment firms, cryptocurrency service providers, central securities depositories, central counterparties (CCPs), trading venues, trade repositories, alternative investment fund managers and management companies. But the DORA Regulation also applies to providers of data communications and crowdfunding services, insurance and reinsurance companies, insurance, reinsurance and ancillary insurance intermediaries, occupational pension institutions, credit rating agencies, critical benchmark index administrators, securitization data repositories, and information and communication technology (ICT) service providers. In short, the entire EU financial ecosystem will have to face the DORA, burdening the compliance departments of all the above-mentioned entities with efforts and responsibilities.

What operators need to change to comply with the DORA Regulation? Here’s a summary

To clarify the context on which the DORA intervenes, it is useful to refer to the document published by the European Systemic Risk Board (ESRB) on the macroprudential tools for cyber resilience in the financial sector. One of the greatest risks to financial stability identified by the ESRB is cyber incidents, also in respect to the current geopolitical situation, which has required further strengthening of digital resilience. Particular attention should be paid, according to the ESRB, to interventions aimed at mitigating the risk of cyber incidents disrupting the delivery of key economic functions and turning into systemic events. These incidents can in fact result in the disruption of the operation of technology systems or availability of a critical service, but also in the loss of confidentiality, integrity or reliability of the data underlying a critical service. One of the main causes of cyber incidents are cyber attacks, against which three levels of defense have been identified:

1. resilience and detection capabilities of financial institutions;
2. institutions' ability to respond and recover;
3. coordination and action capabilities of authorities.

Returning to the DORA Regulation, it can be said that this document aims precisely to strengthen the key elements of the first level of defense, whose capabilities of resistance, detection and initial response are evaluated with the penetration tests outlined in the DORA.

Compliance with the DORA in a nutshell: here’s what the EU requires from financial operators

‍At this point, it only remains for us to take a look - general and not exhaustive - at the obligations introduced by DORA, following the macro-areas of application of the Regulation itself.

• Governance and internal organization
  Set up internal policies that ensure effective and prudent control of ICT risks related to Cyber Security and guarantee business continuity; implement systems and recovery plans; provide in-house professional figures and appropriate tools to detect vulnerabilities, threats, incidents and cyber attacks; develop specific communication plans towards customers.‍
• Cyber Security & Risk Management
  Adopt an appropriate Cyber Risk management framework, through ICT tools and systems such as to minimize the impact of related risks, with an end-to-end view of business processes; anticipate and quickly identify sources of risk; adopt mechanisms to detect abnormal activities and implement appropriate protection and prevention methods; classify cyber threats and incidents related to ICT vendors; create a cyber incident reporting system and provide for information sharing protocols on cyber threats; conduct digital operational resilience testing; adopt a system to manage cyber risks arising from third parties.

A very dense, but still not exhaustive, list of activities to be completed in less than two years. A list that clearly highlights the amount of work to be completed by 17 January 2025. But in addition to this, the DORA Regulation has various interconnections with other regulations in the field of Cyber Security, both at the European level (NIS 1 Directive, NIS 2 Directive, TIBER EU Framework, EBA Guidelines, MiFID II, GDPR, Basel Committee's 2021 Principles on Operational Resilience, EIOPA Guidelines) and at the Italian level (National Cyber Security Perimeter - PSNC -, Bank of Italy Circular 285, IVASS Regulation). In light of this, it seems clear that the most complex challenge for financial operators is to identify the regulatory delta between the obligations introduced by the DORA and the obligations already carried out under previously enacted regulations, so as to detect the points of agreement and those of discrepancy. Only at that point, they will be able to proceed with the activities required by the EU through the DORA Regulation.

Calculating the impact of the DORA Regulation is easy... with appropriate RegTech tools, like Daitomic‍

It is quite clear, then, that the efforts required of financial compliance professionals in the coming months, with respect to compliance with the DORA Regulation, will be many and crucial in order to prepare a compliance plan that determines the actual impact of the DORA on their organization. To carry out these tasks accurately and as quickly as possible, financial compliance departments will need RegTech tools to make the job faster and more precise. And at Aptus.AI, we know this is possible by automating some precise steps in compliance processes. The ones that Daitomic, our RegTech SaaS, intervenes on, exploiting its machine readable format of financial regulations, which enables it to automatically extract regulatory requirements and obligations, taking also into account internal processes and policies. This automated analysis through Artificial Intelligence - also integrated with Generative AI tools - provides fast and accurate first-impact analysis on every regulatory perimeter, including Cyber Security, the one related to the DORA Regulation. In a multi-regulatory and cross-country context such as the European Union’s one, Daitomic enables not only to reduce time and costs for the transposition of regulatory updates, but also faster the compliance process followed by financial operators when facing new regulations.