A year from now, on 17 January 2025, the new EU Regulation on digital operational resilience in the financial sector, the Digital Operational Resilience Act[1] (DORA), will apply in Austria. It closes legislative gaps for financial services: until now, digital operational resilience has been addressed only in a fragmented manner, and the risks arising from information and communications technology (ICT) only peripherally. DORA creates a harmonised and comprehensive legal framework that will strengthen the resilience of European financial undertakings, and of the financial market as a whole, against cyber threats and ICT-related business disruptions. Third-party ICT providers that are classified as critical will be brought within the scope of financial market supervision.
“DORA brings in a swathe of very fundamental and far-reaching regulatory changes. It is therefore absolutely essential that the affected financial service providers and third-party providers prepare for this new supervisory regime in good time,” remarked the FMA’s Executive Directors, Helmut Ettl and Eduard Müller: “One of the FMA’s priorities for supervision is therefore in preparing the market for the challenges posed by this new regulation, and it will closely shadow supervised entities as well as third-party providers along the way.”
DORA – strict new rules and new supervised entities
To make the financial market more resilient against cyber attacks, and to mitigate the other risks of relying on digital information and communications technologies, DORA obliges the financial undertakings and third-party ICT providers it addresses to take a raft of measures and to observe a number of procedures: implementing an ICT risk management framework and business continuity management arrangements; complying with a large number of reporting obligations, especially in relation to ICT-related incidents; regularly testing digital operational resilience (including by means of centrally managed resilience and penetration tests); managing and monitoring the risks arising from third-party ICT providers; and institutionalising a regular exchange of information between the undertakings concerned.
DORA applies in principle to all financial market sectors, although it is to be applied proportionately to each entity’s risk profile. In order to bring the broad spectrum of interdependencies with providers of technological solutions (data centres, cloud service providers, software developers, data analysts etc.) within supervision in an efficient manner, a European oversight programme has been created for critical ICT service providers. This requires new structures within, and new communication interfaces between, the many players involved (supervised entities, national and European authorities).
FMA cooperating closely with entities over implementation
The entities in question are therefore required, over the next twelve months and with a view to the date from which DORA applies, to conduct comprehensive reviews of their digital operational resilience, their ICT interdependencies and their contractual clauses, to identify areas requiring action, and to initiate the necessary implementation measures in good time.
To provide assistance on this challenging path towards strengthening digital operational resilience in the financial sector, the FMA has in recent years developed a range of innovative supervisory tools, which collectively form the “FMA Cyber Security Toolbox”. Furthermore, it is currently conducting an analysis of the “Austrian Digital Landscape”. Under this priority for supervision, the FMA is evaluating and reviewing the level of digitalisation of business operations as well as the operational resilience (IT infrastructure, ICT interdependencies, measures for preventing and detecting cyber incidents and operational disruptions) of entities in the Austrian financial market. The standards set out in DORA are already being applied as the starting point. Entities will thus have the opportunity to make any necessary improvements in implementing the new regulatory standards before the rules become binding at the start of 2025. In addition, this priority for supervision will enable the FMA to identify which ICT service providers are relevant for the Austrian financial market.
More detailed information can be found on the FMA website at: Digital Operational Resilience Act (DORA)
Journalists may address further enquiries to:
Klaus Grubelnik (FMA Media Spokesperson)
+43 (0)1 24959 6006
+43 (0)676 88 249 516
[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011