The Digital Operational Resilience Act (Dora) is a regulatory framework designed to ensure the operational resilience of the financial sector. It entered into force on 16 January 2023 and will apply as of 17 January 2025.
Dora will affect all firms operating in the EU and their critical third-party suppliers. It aims to enhance the security and resilience of the financial sector against ICT-related incidents and threats, given the rapid digital transformation and the increasing cyber threats facing the financial sector. By establishing clear requirements and obligations, Dora aims to minimise the impact of ICT-related incidents on financial institutions and the wider economy, thereby protecting consumers and ensuring the smooth functioning of financial markets.
Companies that fall under the Dora regime are subject to a range of obligations designed to enhance the cybersecurity and overall resilience of the EU’s financial sector. These obligations aim to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. Furthermore, companies must conduct regular testing to assess the effectiveness of measures, controls and strategies in place to ensure digital resilience. Particular emphasis should be placed on testing the resilience of critical functions that could impact the financial markets or the entity itself if disrupted.
Dora expects companies to participate in information-sharing networks or arrangements to share insights, threats, vulnerabilities and best practices related to ICT risks. The management body of each entity is responsible for overseeing the effective management of ICT risks, ensuring the implementation of the ICT risk management framework. Entities must comply with the regulatory standards set forth in Dora and be prepared to demonstrate compliance through documentation, reporting and cooperation with regulatory audits and inspections.
Compliance with these obligations will not only ensure regulatory alignment but also contribute to the stability and integrity of the financial system as a whole. The European Union’s push towards establishing a unified approach to digital finance is a critical component of the EU’s broader Digital Finance Package. Let us examine briefly how Europe is gearing up for Dora and the broader implications of the EU’s Digital Finance Package.
One of the primary goals is to harmonise regulations across the EU. This harmonisation aims to remove cross-border regulatory discrepancies, making it easier for financial entities to operate across the continent. By establishing a unified regulatory framework, the EU seeks to create a more integrated, efficient and competitive financial market. Compare this to the biblical Moses opening a safe passage for his people to cross the Red Sea to the promised land.
Dora’s focus on improving the digital operational resilience of the financial sector is crucial against the backdrop of increasing cyber threats. European entities are emphasising the importance of robust ICT risk management, incident reporting mechanisms, digital operational resilience testing and third-party risk management. These preparations involve significant, high-value investments in technology, training and processes to meet the stringent requirements.
The implementation of Dora requires financial institutions across Europe to invest in advanced cybersecurity technologies and to foster digital skills among their workforce. This investment is not just a matter of financial resources but also involves up-skilling employees to deal effectively with the sophisticated cyber landscape. Malta’s own path forward can be measured by its readiness, which is also visible in its growing cybersecurity and fintech ecosystems; these are pivotal in supporting financial entities through innovative solutions and skilled talent. This collaborative approach is vital for a unified response to cyber threats and incidents. Malta’s financial and banking community has to gear up and be seen to be participating in information-sharing networks, such as Information Sharing and Analysis Centres (ISACs), which play a crucial role in enhancing collective digital resilience. In Malta, this falls within the remit of the MFSA as regulator and supervisory authority, which is actively gearing up for the implementation of Dora by developing guidelines, technical standards and supervisory frameworks. This preparation includes training for its own supervisory staff, the development of reporting templates and mechanisms for effective oversight and enforcement.
While Europe is making significant strides towards the implementation of Dora, in Malta there are challenges to consider, such as the varying levels of digital maturity across financial institutions, the need for clarity on certain regulatory expectations and the costs associated with compliance. Will the state subsidise SMEs to cover part of the implementation costs?
In conclusion, Malta’s own preparation for Dora and the broader Digital Finance Package reflects a strategic commitment to fostering a resilient, competitive and innovative digital finance ecosystem. By addressing the challenges of digital transformation and cybersecurity in Malta, one welcomes the mechanism of Dora when it comes into full force. This project aims to ensure the long-term stability and integrity of Malta’s fragile financial system following its recent removal from the Grey list. When operational, it will benefit consumers, investors, fintech and the economy at large. Thanks to the EU’s proactive approach, it sets a higher benchmark for digital financial regulation globally, promoting a balance between innovation and security for both retail and professional investors.