The EU Digital Operational Resilience Act Adopted: How Will It Affect Swiss Companies?
The Regulation on digital operational resilience for the financial sector (DORA) went into effect on January 16, 2023. It is followed by a 24-month implementation period, so DORA will apply in all EU Member States starting on January 17, 2025. ICT providers, both in Switzerland and internationally, that provide services to financial entities within the EU will likely be affected, regardless of whether they are independent third parties or companies affiliated with an EU financial entity.
The purpose of the regulation is to improve the cybersecurity of financial institutions, including banks, insurance companies, and investment firms. The EU deems this crucial because of the growing threat of disruptions and cyberattacks on ICT-related services. DORA, a significant piece of legislation, imposes strong additional responsibilities on both financial institutions and critical third-party providers. It requires policies, new systems and controls, contractual provisions, and risk management frameworks to be incorporated into ICT-centered outsourcing agreements. DORA addresses the following:
- ICT risk management
- Cyber incident reporting
- Digital operational resilience testing
- ICT third-party risk management
DORA Scope of Application
To maintain uniformity in the regulations for managing ICT risks within the financial industry, DORA applies to various financial entities that are regulated at the EU level. This encompasses a majority of credit institutions, electronic money institutions, payment institutions, investment firms, and alternative investment fund managers and management companies, as well as the majority of insurance and reinsurance companies and intermediaries. Special provisions are planned for microenterprises, which are also covered by DORA.
Financial institutions are required to have a process in place for managing ICT incidents, which includes monitoring and documenting incidents, classifying them according to established criteria, and notifying the appropriate national regulatory authorities and affected clients in the event of a significant incident.
Given the extensive range of operational resilience topics covered by DORA, companies should start evaluating its effect on their operations and on their agreements for using ICT services by conducting a comprehensive gap analysis, provision by provision. This gap analysis gives companies the basis to plan and prepare effectively for the implementation of DORA in January 2025.
DORA requires financial institutions to frequently assess their operational resilience through a risk-based method, as opposed to a standardized approach. The institutions will be expected to evaluate the risks that are most pertinent to their investment services and business activities. This approach aims to guarantee that the cyber risk controls of the firms are tailored to their specific business operations and that they do not resort to a generic "one size fits all" strategy.