Complementing the NIS2 directive, the DORA (Digital Operational Resilience Act) regulation adds another layer of cybersecurity to the financial sector. To protect their assets and the economic interests of European nations, financial institutions must strengthen their digital operational resilience.
The financial sector is heavily affected by cyber threats
Cyber attacks on the increase
Massive cyber attacks target financial sector infrastructures. Cyber risk now represents a major risk to financial stability. In its Financial System Risk Assessment report published in June 2023, the Banque de France notes that “the financial system remains exposed to a very high level of risk from cyber attacks”. This is due to the geopolitical context and also to artificial intelligence, which opens the way to highly sophisticated attacks that are harder to counter.
The very rapid digitisation of companies in the finance sector also explains this massive exposure to cyber risk. While the digitisation of banking services began very early on, information systems were not secured as quickly. In addition, employees of banking organisations make greater use of mobile devices and are more exposed to the risk of cyber attacks.
DORA complements NIS2 for cybersecurity
Because of the many risks and challenges involved, the European Union has classified the banking sector as highly critical under the NIS2 directive. As a result, organisations will need to strengthen their cybersecurity and train their decision-makers. Furthermore, the DORA regulation requires financial institutions to redouble their efforts to better manage their cyber risk and become more agile.
Key points of the DORA regulations
Which organisations are concerned?
DORA is relevant to most organisations operating in the financial sector, such as:
- Credit institutions,
- Investment, payment and electronic money companies,
- Management companies,
- Insurance and reinsurance companies,
- Insurance and reinsurance intermediaries.
Objective: strengthen digital operational resilience
Better mapping and management of cyber risks
Like the “all-risks approach” in the NIS2 directive, the DORA regulation aims to improve risk awareness in the financial sector. Financial institutions must take into account the risks inherent in their operations. The regulation therefore calls for these risks to be identified and their level of impact on the organisation to be quantified, both internally and externally. In this way, organisations will have better visibility of the measures to be put in place and will be more agile.
Risk management also helps to reassure the company’s ecosystem. This is the case for customers, whose assets and personal data must be fully protected.
ICT service providers covered by the regulations
Today’s banks and financial institutions are dependent on information and communication technologies. If they are not sufficiently secure, these technologies expose the sensitive data they transmit.
Under the DORA regulations, the financial sector will have to be resilient in the face of operational disruptions linked to these technologies. Organisations will be responsible for identifying and classifying ICT-related risks and developing incident management processes.
Moreover, supervisory authorities will carry out checks on ICT compliance with risk management measures. Sanctions may be imposed in the event of non-compliance.
Choose ANSSI-qualified service providers
The French National Agency for Information Systems Security (ANSSI) recommends highly secure products and service providers, thanks to its security visa. It helps organisations in sensitive sectors, such as finance, to assess the reliability of communications solutions.
In the event of a cybersecurity incident, teams need to be able to continue exchanging information in a highly secure environment. This will guarantee business continuity and ensure operational resilience.
ANSSI has published a guide to the operational and strategic management of a cyber crisis.
ANSSI security approval: a guarantee of reliability
For over 5 years, Tixeo has been the only secure videoconferencing solution in France to be certified and qualified by ANSSI, thanks to its Secure By Design approach and end-to-end encryption technology.
When will the DORA regulation come into force?
The DORA regulation entered into force in the European Union on 16 January 2023. Implementation of the regulation is therefore already underway. Member States must apply the regulation by 17 January 2025.
“Cyber stress test” campaigns in the pipeline
The banking system regularly undergoes stress tests linked to social and economic conditions. Soon, it may also have to undergo cyber stress tests. The ECB (European Central Bank) has announced plans to test the cyber resilience of financial institutions from 2024 by means of cyber security stress tests. Growing cyber threats, teleworking and the use of the cloud are increasing the severity of cyber attacks and have therefore motivated this initiative.
These tests will be a good way for organisations in the finance sector to put their DORA preparations to the test.