Do you know the new European regulation, DORA?

The number of cyberattacks hasn't stopped growing for years. However, the main problem is not the quantity but, above all, their sophistication. Cybercriminals target both users and organizations. In this sense, the companies that make up the financial sector, which includes banks, insurers, insurance brokers, investment funds and the digital service providers that work with them, are among the favourite targets of cyberattacks, whether to obtain economic resources or compromised data.

Faced with this situation, last November the European Council launched the so-called Regulation on digital operational resilience, also known as the DORA Regulation, which aims to enable the financial sector and ICT providers to continue to operate resiliently in the event of a severe operational disruption.

Europe is aware that the financial sector is one of those that invest the most in cybersecurity, but it is also one of the most sensitive for the overall functioning of the economy in the event of a successful cyberattack. For this reason, the DORA Regulation provides a series of uniform requirements intended to strengthen the security of the networks and systems of organizations in the sector, as well as of the companies that provide them with technology services. In this way, as of January 17, 2025, all of them must certify that they are capable of resisting and responding to any type of cyberattack and of recovering if it is successful.

In other words, DORA aims to prevent and mitigate the threats that companies in the financial sector may suffer, improving on the existing regulations and, more importantly, standardizing the incident notification model.

How to implement DORA

Despite the concern that incorporating a new regulation into an organization's operations may cause, in this case it is a regulation that is easy to implement. As Antonio Quevedo, CEO of GlobalSuite Solutions, states, “complying with the DORA provision should not pose any problem for companies in the financial sector if they already employ the framework of the three lines of defense. It is an approach that is already widely used by a large part of the organizations in the sector and is based on the division of responsibilities and functions between different areas of the company”.

DORA affects a total of 20 types of companies that make up the financial sector. Among others: payment and loan entities, companies that offer investment services, management companies, insurers, credit rating agencies and also those organizations that provide crypto assets. Likewise, DORA also affects companies in the ICT sector such as cloud providers, payment method solution providers and companies that offer data services. All of them will have to implement DORA before January 2025; since DORA is a regulation, it does not need to go through any parliamentary procedure.

For most of them, DORA will not have a major impact, because they already use security protocols to manage the risks to which they are exposed. However, they will have to carry out new resilience tests, increasing the number of evaluations they perform, improve their methodologies and incorporate good practices for the control and monitoring of their systems.

DORA requires that operational resilience tests be carried out so that the recovery capacity of the affected entities is ensured and deficiencies can be corrected in time. Companies that fail to correct them will be exposed to sanctions similar to those for non-compliance with the GDPR: they will be fined a percentage of their turnover.

On the other hand, companies will have to start incorporating a new figure into their organization chart, since DORA goes beyond the work carried out by CIOs, CISOs, technology managers or CDOs. This is the Chief Technology Risk Officer (CTRO), who will be the person responsible for monitoring compliance with respect to the technological risks an organization faces. This new figure can be an internal employee or an external company.
