In its advice to ESMA, the SMSG identified a number of key practical challenges as to the implementation of the DORA, which should really be considered as lex specialis to NIS 2 (Directive (EU) 2022/2555) and CER (Directive (EU) 2022/2557) namely a sector-specific Union act in with regard to the financial sector entities. These practical challenges can be categorised as follows:
Need for clear and consistent definitions of operational resilience
The SMSG notes that there is currently no common definition of operational resilience across the financial industry, and different firms may have different interpretations of what it means. This may lead to inconsistencies as to how the requirements of the DORA are implemented. Alignment or making clear distinction between NIS2, CER and other standards is signalled to be important.
Need for effective coordination and communication
The DORA requires financial firms to coordinate and cooperate with each other, as well as with authorities and third-party providers. This could be particularly challenging for smaller firms or those with limited resources, which may struggle to establish effective communication channels and engage in meaningful cooperation. The SMSG encourages processes to promote information sharing and alignment of notification procedures. For example, to align and integrate the process for issuing notifications under Art. 19(3) DORA and Art. 34 GDPR in all cases when both provisions apply.
Need for a risk-based approach
DORA sets out requirements for firms to assess the risks posed by different types of operational disruptions and to prioritize their resilience efforts accordingly. This requires a deep understanding of the risks faced by each firm while at the same time recognizing proportionality considerations in the implementation of the DORA framework. With regard to operational resilience testing and management of ICT third-party risk, there should be a clear minimum base line.
Overall, the SMSG’s advice provides valuable insights into the potential practical challenges that may arise in the implementation of the DORA. The SMSG’s recommendations highlight the need for clear and consistent definitions of operational resilience, effective coordination and communication between stakeholders, and a risk-based approach to implementation. These insights will be valuable for financial firms and regulators as they work to ensure the effective implementation of the DORA.
The DORA is a Regulation that was proposed by the European Commission in 2021 in order to prevent and mitigate cyber threats is the EU financial sector. The DORA entered into force on 16 January 2023, but will be effective from 17 January 2025. We refer to our earlier blog to read more about the scope and obligations created under the DORA.