McFadyen said that DORA will have a “widespread” impact on firms and that the legislation “continues a regulatory trend of expecting stronger controls across all technology services, not only those provided on an outsourced basis, which is where regulation has focused in the past”. He said this had been “triggered by repeat examples of technology outages and degradation directly harming consumers”.
“There is a huge emphasis on board and senior management up-skilling and responsibility,” McFadyen said. “From investigations conducted on major incidents, evidence has shown that there has been poor engagement on technology resilience and change at the most senior levels within regulated firms – and this must change.”
The DORA text that the European Parliament and Council of Ministers have provisionally agreed on has not yet been made public. However, a statement issued by the Council provided some high-level detail of what has been agreed.
“DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats,” the Council said. “These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.”
“Under the provisional agreement, the new rules will constitute a very robust framework that boosts the IT security of the financial sector. The efforts asked from financial entities will be proportional to the potential risks,” it said.
“Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented,” it said.
Both the Council and the Parliament will need to formally adopt the finalised text for DORA to become law.