DORA: The New Paradigm in ICT Incident Reporting for Financial Entities

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is reshaping how technological risk is managed in the European financial sector. In this article we analyze how DORA sets a new standard for reporting incidents related to Information and Communication Technologies (ICT) and what this implies for Spanish financial entities.

The Importance of Comprehensive ICT Risk Management

DORA recognizes that, in the current digital environment, financial entities need comprehensive capabilities to manage ICT-related risk effectively. This includes:

  1. Specific mechanisms and policies to manage all ICT-related incidents.
  2. Procedures for classifying incidents and reporting major ICT-related incidents to the competent authority.
  3. Policies for testing ICT systems, controls, and processes.
  4. Strategies for managing the ICT risk derived from third-party providers.

The goal is to raise the level of digital operational resilience across the sector, applying requirements proportionately according to the size and risk profile of each entity.

A Proportionate Approach for Occupational Pension Funds

DORA introduces a flexible approach for occupational pension funds, recognizing the need to reduce administrative burdens. Competent authorities should consider:

  • The size and overall risk profile of the entity.
  • The nature, scale, and complexity of its services and operations.

This approach allows for more efficient supervision, concentrating attention on the material risks associated with each entity's ICT management rather than applying the full set of requirements uniformly.

Towards Harmonization in Incident Reporting

One of the current challenges is the divergence between Member States in the thresholds and taxonomies used to report ICT incidents. DORA seeks to establish a common basis, building on the work of the European Union Agency for Cybersecurity (ENISA) and of the Cooperation Group established under the NIS Directive.

This harmonization is crucial for:

  • Simplifying compliance for entities operating in multiple countries.
  • Facilitating the creation of uniform EU-level reporting mechanisms.
  • Improving information exchange between competent authorities, especially in case of large-scale attacks.

Simplification of Reporting Obligations

To avoid duplicate reporting, DORA modifies existing reporting obligations. From its date of application (17 January 2025):

  1. Payment service providers report all operational or security incidents related to payments under DORA, regardless of whether the incident is ICT-related, instead of under the separate PSD2 incident-reporting regime.
  2. This affects credit institutions, electronic money institutions, payment institutions, and account information service providers.

Conclusion

DORA represents a significant step towards a unified and robust framework for ICT incident management and reporting in the European financial sector. Spanish financial entities must prepare to adapt their systems and processes to these new requirements, which promise to improve the sector’s resilience as a whole against digital threats.

The effective implementation of DORA will require close collaboration between financial entities, regulators, and cybersecurity experts. Only in this way can we ensure a more secure and resilient financial system in the digital age.
