The most recent information and communication technology (ICT) outages in companies around the world over the past year have shown how reliant the economy is on reliable ICT for smooth business operations. In July 2024, a faulty update of the security software CrowdStrike Falcon led to ICT outages in companies around the globe in the infrastructure, healthcare, transport and financial services sectors. In recent months, there have been outages and disruptions in individual banks’ ICT infrastructure in Austria that have led to incorrect account information or automated teller machines being out of service. The European Union (EU) has created a legal framework so that the financial system, which is particularly dependent on ICT, can prepare itself.
Strengthening the Financial Sector’s Digital Resilience
Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (Digital Operational Resilience Act or DORA) is a significant step towards strengthening the digital resilience of banks, insurance companies and markets. The Regulation entered into force on 16 January 2023 and will apply throughout the entire European Union from tomorrow, 17 January 2025. The material regulatory areas of DORA are ICT risk management; the management, classification and reporting of ICT-related incidents; the testing of the ability to stave off cyber-attacks, also by means of simulated attacks by white hat hackers or red teams (threat-led penetration testing); the management of ICT third-party risk; the Oversight Framework for critical ICT third-party service providers; and the arrangements for exchanging cyber threat information and intelligence.
The FMA as the competent authority for DORA
DORA also places a wide range of requirements on the supervisory authorities in the financial sector. In Austria, the Austrian Financial Market Authority (FMA) is the competent authority for monitoring compliance with the DORA rules, and in this capacity it cooperates closely with the Oesterreichische Nationalbank (OeNB). For the FMA, this means implementing processes to fulfil the DORA rules efficiently, and improving them on a continuous basis. In particular, new ICT systems have been established for processing reports about major ICT-related incidents and the registers of information that financial entities must submit about the ICT third-party service providers they use.
New Oversight Framework for Critical ICT Third-Party Service Providers
Under DORA, a European Oversight Framework has also been established that focuses on effectively monitoring and minimising the risks that arise from the concentration of dependencies on ICT third-party service providers. For the European financial sector, the focus is on particularly important critical ICT third-party service providers, such as large, globally active cloud service providers. The three European Supervisory Authorities (EBA, ESMA and EIOPA) are taking over the operational oversight activities.
DORA is not an end in itself, but serves the purpose of financial stability
“These comprehensive regulations are intended to ensure that financial entities are able to continue operations even in the event of major disruptions to cyber security or to ICT systems”, commented the FMA’s Executive Directors, Helmut Ettl and Eduard Müller. “The introduction of DORA is a decisive step in guaranteeing the stability and security of the European financial market and in strengthening consumers’ confidence in digital financial services. DORA sets a new cyber security standard in the financial sector.”
Further Information:
Answers to questions about DORA can be found on our website: DORA – Digital Operational Resilience in the Financial Sector.
Journalists may address further enquiries to:
Boris Gröndahl (FMA Media Spokesperson)
Telephone: +43 (1) 249 59-6010
Mobile: +43 676 8824 9995
E-Mail: [email protected]