Cyber Horizons

DORA: soon a new regulation for the European financial sector on cybersecurity

Published on 24 May 2022

Digital banking has developed strongly since the early 2000s, with the appearance of online banks and then neobanks. The rise of mobile payment is one illustration of this.

While making life easier for consumers, these services rely on many interconnections that represent an increased cyber risk. Whether it is identity verification or securing transactions, the financial sector must therefore strengthen its cybersecurity.

Harmonizing cybersecurity practices in a highly regulated ecosystem

After the 2008 financial crisis, the European Union restructured the sector and standardised its practices to avoid further bankruptcies. At the time, the reforms adopted gave little consideration to IT risk compared to other types of risk. By focusing on digital operational resilience, DORA is a logical continuation of these regulations.

Of course, some players in this already highly regulated sector were already covered by other regulatory frameworks, such as the NIS Directive at European level or national cybersecurity legislation (e.g. the Military Programming Law in France).

However, the risk associated with digital technologies is increasing while the cyber maturity of the actors remains uneven. This is especially true as new entrants such as crypto start-ups proliferate in the market. Hence the need for new regulations that take all types of attacks into account, harmonize responses, and so on.

In the spring of 2021, for example, the European Banking Authority suffered a cyberattack on its Microsoft Exchange servers that forced it to take its messaging system offline. But cyber risk doesn’t just concern large companies or institutions.

At the end of 2016, security researcher Vincent Haupert exposed several flaws, since corrected, in the mobile application of the German neobank N26. These vulnerabilities allowed him to carry out a “man-in-the-middle” attack that opened the way to various operations, including modifying the recipient of a transfer!

This is why DORA provides for adaptations for micro-enterprises and integrates the systemic dimension of cyber risk: service providers are thus an integral part of the framework, as was done with the GDPR.

What is DORA?

DORA aims to strengthen the resilience of the financial sector to incidents related to digital technologies. Unlike a European directive, which each country transposes into national law, this regulation, with its very broad scope, will apply in the same way to the entire European financial sector.

It is based on 5 pillars:

  • Risk management related to digital technologies
  • Incident reports related to these technologies
  • Digital Operational Resilience Testing
  • Risk management related to digital technologies by third parties
  • Sharing information and intelligence

“Notification in the event of an incident will perhaps be the most destabilizing point for the actors involved. Indeed, risk is an intrinsic part of the sector; there is a real culture of compliance. On the other hand, sharing this information is not yet part of the codes for everyone.”

Aurélia Delfosse • Compliance Manager, Advens

What impact for companies in the sector?

Such a regulation, which is binding on all structures in the sector in a uniform manner, is an advantage for multinational actors operating in several European countries, since its adoption presupposes the harmonisation of practices.

At Advens, we approach this new regulation by remaining faithful to our principle of multi-framework operation. This global approach to compliance makes it possible to identify synergies and build on what already exists.

For example, in the event of a data breach at a customer, it is possible to design a single process to notify both the CNIL (NIS) and the competent authority under DORA.

Conversely, applying each regulation in isolation creates disadvantages at the operational level (redundancy, inefficiency, etc.).

“With the DORA regulation almost finalized, we have already integrated its requirements into our resilience efforts against operational and cyber risks. With a view to pooling, we are working with CIOs and CISOs, but also with operational and financial risk departments, to include this regulation in existing compliance processes.”

Aurélia Delfosse • Compliance Manager, Advens

By involving third-party service providers, DORA introduces a real ecosystem logic into the cybersecurity of the European financial sector.

The goal? To harmonize practices and improve operational resilience. Its application is therefore an important step, one that can nevertheless fit into an existing compliance approach thanks to the expertise of a specialist like Advens.