After the “CrowdStrike” crisis: FMA urges financial service providers and ICT providers to ensure their timely preparation for DORA


Only a few weeks ago, a faulty update of the software “CrowdStrike” triggered a global crisis. Hospitals were forced to go into emergency operating mode, planes were unable to take off, grocery stores were forced to close and ATMs didn’t work. It was an incident that dramatically showed that it is not only malicious hacker attacks or dangerous computer viruses that may present a severe IT and system risk, but also simple deficiencies in a product. The EU Regulation on Digital Operational Resilience in the Financial Sector (Digital Operational Resilience Act[1] or DORA for short), which applies from 17 January 2025, addresses precisely such kinds of risks, moves information and communication technologies (ICT) into the regulatory focus, and strengthens the resilience of European financial undertakings and the financial market as a whole against cyber-risks and ICT-related business disruptions. Furthermore, for the first time critical third-party ICT providers are also included in the new Oversight Framework.

“DORA is an ambitious regulatory framework that heralds fundamental and far-reaching innovations. In the coming weeks and months, the relevant financial services providers and third-party providers will need to conclude their preparations for the new supervisory regime, as DORA applies in a fully-fledged manner without any transition periods,” remarked the FMA’s Executive Directors, Helmut Ettl and Eduard Müller. Today, the FMA launched a dedicated DORA section on its website that summarises all the relevant regulations and requirements and displays all material information in an easy-to-understand manner. It also presents and provides detailed explanations about the regulatory and implementing technical standards, which to a large extent have already been drawn up. In addition, frequently asked questions are answered and explained in an easy-to-understand manner in a Q&A format.

DORA – new and strict rules and new monitored undertakings

The comprehensive DORA regulatory package closes existing gaps in the legislation for financial services providers, consolidates previously sectoral frameworks, and implements far-reaching reporting, information and monitoring requirements. In this way, DORA obliges financial undertakings and third-party providers to take a large number of measures and to observe procedures:

  • to implement an ICT risk management framework as well as business continuity management;
  • to observe numerous reporting obligations, especially regarding agreements with third party ICT service providers as well as regarding ICT incidents;
  • to regularly test digital operational stability (also by means of centrally controlled threat-led penetration tests);
  • to manage and monitor third-party provider ICT risks, as well as
  • to institutionalise a regular exchange of information between the affected undertakings.

All contracts with third-party ICT providers are required to conform with the new regulatory requirements by the date on which the application of DORA becomes mandatory under law. An information register about all contracts with third-party ICT providers must be submitted to the FMA without delay. Major cyber incidents and ICT-related business disruptions must also be reported to the FMA within the stipulated timeframe.

DORA by and large relates to all financial market sectors, although the respective risk profile is to be considered in its application. In order to include the broad spectrum of interdependencies with providers of technological solutions (data centres, cloud service providers, software developers, data analysts etc.) in supervision in an efficient manner, a European monitoring programme has been created for critical ICT service providers. This necessitates new structures in, and communication interfaces between, the numerous players involved (e.g. supervised entities, national and European authorities).

FMA cooperating closely with entities over implementation

“Some time ago, the FMA already set one of its priorities for supervision on the challenges presented by this new regulation, and has been closely assisting supervised entities and third-party providers in this regard,” the FMA Executive Directors remarked. In recent years, the FMA has developed a large number of innovative supervisory tools, which are contained in the “FMA Cyber Security Toolbox”. In its analysis of the “Austrian Digital Landscape”, the FMA evaluates and checks the level of digitalisation of business operations as well as the operational resilience (in relation to IT infrastructure, ICT interdependencies, and measures for the prevention and detection of cyber incidents and business disruptions) of the undertakings in the Austrian financial market. In addition, the FMA is offering supervised entities and stakeholders a structured dialogue about all issues surrounding DORA at numerous events.

The new section of the FMA website with comprehensive information on DORA can be found here: https://www.fma.gv.at/en/cross-sectoral-topics/dora/

Journalists may address further enquiries to:

Boris Gröndahl (FMA Media Spokesperson)

Telephone: +43 (1) 249 59-6010

Mobile: +43 676 8824 9995

E-Mail: [email protected]


[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 and (EU) 2016/1011
