EU’s DORA regulation explained: New risk management requirements for financial firms

Anton Konopliov, founder and CEO of Palma Violets Loans, however, warns that while the proposed rules are beneficial for reducing risk, they could “cause chaos” for many firms both on the customer and vendor side around budgets and contractual obligations. “Financial firms will also no longer have the freedom to curate their own contractual terms with IT third-party service providers. These stricter changes are expected to cause a surge in the prices of availing ICT third-party service providers. It will dismantle financial entities’ budgets.”

Incident reporting and threat sharing

As part of the incident reporting requirements, firms will have to provide root-cause analysis reports no later than one month after a major ICT incident occurs. As well as aiming to provide a standardized template for incident reporting across the financial sector in Europe, the act also potentially lays the groundwork for the establishment of a single hub for incident reporting by financial firms.

“The focus to harmonize ICT incident classification and reporting, resiliency testing and risk management rules is a welcome next step as we strengthen the operational resilience of the financial sector and of the individual firms within it,” says Chaudhry. “DORA builds on the TIBER-EU (European framework for threat intelligence-based ethical red-teaming), which is inspired by CBEST and other initiatives and further drives guidance on digital operational resilience testing. Coupled with NIST, firms have a clear set of standards, and threats to drive capabilities and consider from a cyber, technology and operational resiliency perspective.”
