Kapolyi’s client breakfast around DORA (Digital Operational Resilience Act)

Kapolyi Law Firm held a client breakfast at Larus Restaurant together with Rubrik – a cybersecurity firm headquartered in Palo Alto, California.

Amidst the rapid digitalization of Europe’s financial sector, the pressure to adequately address the corresponding rise in cyber threats has been building up. The Digital Operational Resilience Act aims to address this challenge through a unified strategy for ICT risk management and digital resilience. With the act’s compliance deadline just a year away, financial institutions in Hungary and across the EU need to get their ducks in a row.

The aim of the event was to help clients in the financial sector understand how to navigate the Digital Operational Resilience Act (DORA) and identify effective implementation strategies.

The participants heard from Kapolyi’s senior lawyers – Head of Capital Markets Dr. Viktor Krezinger and Head of IT Dr. Éva Kazella.

Dr. Krezinger explained the tasks and responsibilities that the DORA regulation has set out for managers of financial institutions and what the penalties for non-compliance are.

Dr. Kazella offered practical advice on how to ensure successful compliance of ICT systems with DORA regulatory requirements. She also walked the participants through methods and best practices for achieving regulatory objectives, emphasizing the importance of integrating these practices into ICT systems through a structured approach.

The speakers were joined by Rubrik’s Account Executive Dávid Bokrossy, who highlighted critical practical aspects of the regulation.

Following the presentations, the participants had an opportunity to ask questions and discuss their main concerns, priorities, and projected timelines.

So what is the Digital Operational Resilience Act, and what challenges does it strive to address? Let’s dive in.

What is the Digital Operational Resilience Act?

In force since January 16, 2023, the Digital Operational Resilience Act (DORA) is an EU directive that consolidates and harmonizes the strategy for addressing ICT risk management in the financial sector across EU member states.

One of the main changes the DORA introduced is the requirement for financial institutions to follow “targeted qualitative rules for the protection, detection, containment, recovery, and repair capabilities against ICT-related incidents, or for reporting and digital testing capabilities.” In short, the DORA emphasizes digital resilience. That’s in contrast to the strategy that has so far been favored by financial institutions – namely managing the main categories of operational risk through capital allocation without necessarily managing all the components of operational resilience.

As outlined in Article 1(1), the requirements set out by the DORA focus on the following core areas:

  • ICT risk management,
  • reporting of major ICT-related, operational, and security payment-related incidents,
  • digital operational resilience testing,
  • information and intelligence sharing in relation to cyber threats and vulnerabilities,
  • ICT third-party risk management,
  • cooperation among competent authorities, and rules on supervision and enforcement by competent authorities.

The deadline for implementing the technical standards set out by the DORA is January 17, 2025.

It is worth noting that financial institutions – credit institutions, trading venues, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, and other entities in the sector – are not the only ones that need to align their operations with DORA requirements. The directive also applies to “critical ICT third-party service providers” of financial institutions, including providers of cloud computing services, software, data analytics, and data center services. For the list of entities that the DORA does not apply to, see Articles 2(3) and 2(4).

The rising need for a coordinated cybersecurity strategy

The Digital Operational Resilience Act did not emerge in a vacuum. In fact, the pressure for a unified cybersecurity and digital resilience strategy across member states has been building up for a while.

In her speech in 2020, European Central Bank President Christine Lagarde warned that a well-organized cyberattack on major financial institutions could lead to a financial crisis.

The COVID-19 pandemic significantly accelerated digital transformation across most industries – the financial sector has been no exception. From the modernization of payment systems to the proliferation of digital currencies and the rise of online banks, the sector has integrated a whole range of innovations over the past few years.

This deepened the digital ecosystem and infrastructure, thus expanding the cybersecurity risk perimeter of the sector – in 2022, 78% of Europe’s largest financial institutions experienced a third-party breach. In fact, around the world, the financial sector experienced the second-highest volume of data breaches last year.

In response to the rising cybersecurity challenges, the European Commission adopted the Digital Finance Package that aims to facilitate the delivery of digital innovation to European consumers while effectively managing the risks of the evolving digital ecosystem. The DORA is one of the main legislative frameworks of the package.

With only a year left to ensure compliance with the DORA, it is imperative that financial service providers make digital resilience and ICT governance a priority.