January 17, 2025 is the day feared by managers of many an entities obliged to implement Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022 on the operational digital resilience of the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (hereinafter: “the Regulation” or “DORA”), because it is that date from which the Regulation will be applied. What’s important, there is still nearly a year to this date, but financial sector institutions are already working intensively on the implementation of DORA in their organizations. In this article we introduce the subject of the Regulation, as well as discuss its possible impact on the financial market.

Financial services and the digital world

In 1980, United American Bank offered electronic banking services to customers. Fifteen years later, another U.S. bank Wells Fargo launched an online banking service as we know it today. In contrast, in 1999. Fokus Nettbank of Norway allowed customers to access banking using a cell phone. While there is no consensus in the banking world as to which bank pioneered electronic banking, it is certain that today it is difficult to imagine financial services without the use of the Internet.

With the rapidly changing digital environment, including in the financial world, many threats to the security of information systems have emerged. Cybercriminals are increasingly specialized criminal groups, often associated for instance with the administration or special services of countries such as Russia, Belarus or North Korea. To counter cyber-attacks, financial institutions are obliged to make significant involvement of monetary assets and a large number of people, and spending of these institutions on cyber-security activities is constantly increasing. DORA is the European Union’s response to cyber threats.

What does DORA concern?

As the full name of the Regulation indicates, it deals with the operational digital resilience of the financial sector – it is defined in DORA as the ability of a financial entity to build, underwrite and verify its operational integrity and reliability by providing, either directly or indirectly – using third-party ICT service providers – the full range of ICT capabilities necessary to ensure the security of the networks and information systems that the financial entity uses and that support the continuous provision and quality of financial services, as well as during disruptions.

The regulation establishes the following uniform requirements for the security of networks and information systems supporting the business processes of financial entities:

• requirements applicable to financial entities with respect to:
• information and communications technology (ICT) risk management;
• report serious ICT-related incidents to competent authorities and voluntarily inform them of significant cyber threats;
• reporting of serious operational incidents or serious security incidents related to payments to the competent authorities by financial entities referred to in Article 2(1)(a)-(d) of the Regulation;
• testing operational digital resilience;
• exchange of information and analysis in connection with cyber threats and vulnerabilities in this area;
• measures for sound risk management by external ICT service providers;
• requirements for contractual arrangements between third-party ICT service providers and financial entities;
• principles for the establishment and operation of a supervisory framework for key third-party ICT service providers providing services to financial entities;
• principles of cooperation between competent authorities and principles of supervision and enforcement by competent authorities on all issues covered by the Regulation.

Who is affected by DORA?

The catalog of addressees of the Regulation (known as “financial entities”) indicated in Article 2(1) is quite extensive. The regulations are applicable to:

• credit institutions (banks);
• payment institutions;
• electronic money institutions;
• investment companies (including brokerage houses);
• cryptocurrency service providers (under the MiCA Regulation);
• central securities depositories;
• alternative investment fund managers (excluding AIFMs referred to in Article 3(2) of Directive 2011/61/EU);
• insurance and reinsurance companies (excluding those designated in Article 4 of Directive 2009/138/EC);
• rating agencies;
• crowdfunding providers;
• or, finally, external ICT service providers.

Impact of DORA on the financial market

The purpose of DORA is to consolidate and update the ICT risk requirements previously set forth in various EU legal acts. The idea is that the addressees of the Regulation are to adopt the same approach and follow the same rules when tackling ICT risks. This is expected to help strengthen confidence in the financial system and protect its stability.

Moreover, the implementation of DORA by financial entities is also expected to reduce regulatory complexity, promote supervisory consistency, increase legal certainty, and help reduce compliance costs.

Undoubtedly, it is essential for financial sector players to continuously improve cyber resilience. The imagination of cybercriminals knows no bounds, and they are using increasingly sophisticated methods to achieve their unlawful goals.

The emergence in recent years of computer programs based on artificial intelligence, including voice generators or face generators that enable impersonation, has created further challenges for institutions significantly threatened by cybercrime to address. The fundamental problem in question related to DORA entry into force is whether, once the Regulation begins to apply, the procedures implemented by financial entities shall actually be applied, or whether, as reality often shows, an institution’s actions will end with their formal implementation. Protecting customers’ funds is crucial, but it seems that in addition to the actions of financial sector entities, educating the public about cyber security is also essential. Without raising customer awareness of cyber threats, even the best procedures and IT systems may not be enough.