In today's interconnected and digital world, businesses face increasing risks, particularly in the realm of cybersecurity. To address these risks and ensure the operational resilience of financial institutions, governments and industry bodies have pushed for regulatory frameworks. Two prominent examples are the EU's Digital Operational Resilience Act (“DORA”) and the UK's Prudential Standard PS21/3 (“PS21/3”).
These regulations aim to safeguard the financial system by mitigating cyberattacks and other risks. In this article, we will delve into the purpose of these regulations, the challenges they present, the timeframe for adoption, the organizations obliged to comply, and the keys for compliance.
An overview of DORA and PS21/3
DORA, established by the European Union, and PS21/3, introduced by the United Kingdom, serve as comprehensive regulatory frameworks for operational resilience. They aim to enhance the stability and security of financial institutions—including banks, insurance companies, and investment firms—by addressing evolving threats posed by cyber risks. With a set of guidelines and requirements for organizations to follow, they promote a proactive and robust approach to cyber risk management.
In particular, DORA consolidates and upgrades Information and Communications Technology (“ICT”) risk requirements throughout the financial sector, after years of inconsistent, individual regulations pushed by EU member states. With this approach, all participants of the financial system are subject to a common set of standards to mitigate ICT risks across five pillars—which we’ll cover in depth below:
- ICT risk management
- ICT incident reporting
- Digital operational resilience testing
- Information and intelligence sharing
- ICT third party risk management
Meanwhile, PS21/3 addresses the need for organisations to:
- Identify important business services and determine appropriate impact tolerances.
- Document the people, processes, technology, facilities, and resources needed to deliver important business services.
- Use learning scenarios to determine if the services are resilient against defined impact tolerances.
What is the purpose of these regulations?
The primary purpose of DORA and PS21/3 is to ensure the operational resilience of financial institutions and protect the stability of the financial system. These regulations recognize that cyberattacks and other operational disruptions can have severe consequences, including financial losses and compromised customer trust. By establishing comprehensive frameworks, regulators aim to minimize these risks and maintain the smooth functioning of financial services.
What is the timeline for adoption and enforcement?
Financial entities and their ICT-related third-party service providers must adopt DORA standards in their ICT systems by January 17, 2025. This includes all financial institutions operating within the EU, including banks, insurance companies, and other entities engaged in financial services.
The European Commission proposed DORA in September 2020, and the Council of the European Union and the European Parliament formally adopted it in November 2022. The European Supervisory Authorities (ESAs) are drafting the regulatory technical standards (RTS) and implementing technical standards (ITS) that will pave the way for compliance. These standards, as well as an oversight framework for critical ICT providers, are anticipated to reach their definitive form in 2024.
Meanwhile, the UK's Prudential Standard PS21/3 came into force on 31 March 2022. It applies to banks, building societies, and designated investment firms in the United Kingdom.
According to the Financial Conduct Authority (FCA): “As soon as possible after 31 March 2022, and by no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.”
By now, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing to a level of sophistication necessary to do so. Organisations must also have identified any vulnerabilities in their operational resilience.
What are the current cyber risk management challenges?
The implementation of DORA and PS21/3 introduces challenges for companies in terms of cyber risk management. Firstly, businesses must adapt to a rapidly evolving threat landscape, characterized by sophisticated cyberattacks and emerging vulnerabilities. Keeping up with these evolving risks demands continuous monitoring, analysis, and mitigation efforts.
Secondly, organizations must establish a robust governance structure and allocate adequate resources to comply with the regulations effectively. This entails conducting regular risk assessments, implementing necessary security controls, and maintaining an effective incident response capability.
Thirdly, complying with the regulations requires a comprehensive understanding of the organization's technology infrastructure and attack surface, including third-party dependencies. Businesses must assess the resilience of their critical systems and ensure that appropriate safeguards are in place across the entire supply chain.
What are the penalties for non-compliance?
Non-compliance with DORA and PS21/3 can have serious consequences for financial institutions. The exact penalties may vary depending on the jurisdiction and the severity of the violation. However, regulators are likely to impose significant fines and sanctions for non-compliance. It is also open to EU member states to provide for criminal sanctions for breaches of DORA. Therefore, organizations must prioritize compliance with these regulations to avoid severe penalties.
How can Bitsight help enable DORA and PS21/3 compliance?
The implementation of regulatory frameworks such as DORA and PS21/3 underscores the importance of operational resilience in the face of evolving cyber risks. By leveraging Bitsight’s services as part of their compliance efforts, entities governed by these frameworks can enhance their cyber risk management capabilities, support the requirements outlined in DORA and PS21/3, and avoid severe penalties for non-compliance.
Bitsight enables organisations to systematically lower cyber risk by supporting critical workflows across risk, performance, and exposure. Security leaders can continuously measure the effectiveness of controls recommended by best practice frameworks, and leverage Bitsight data and analytics to make faster, more strategic cyber risk management decisions with confidence. This facilitates the journey towards compliance by assessing current readiness and identifying the areas of improvement needed to meet regulatory requirements.
In an increasingly interconnected world, the combination of regulatory compliance and technology becomes crucial in reducing risks and fostering a resilient financial system.
Check our solution brief to explore how Bitsight features and solutions map to DORA compliance requirements.