The EU regulation on digital operational resilience for the financial sector poses new obligations for boards of financial entities

The Digital Operational Resilience Act (DORA), which governs both digital operational resilience and the use of information and communication technology (ICT) in the financial sector, entered into force in the European Union in January 2023. The regulation is part of a larger digital finance package and applies in the EU Member States from 17 January 2025 onwards.

Regulated industries and operators

DORA applies to a wide range of financial entities, including banks, insurance companies and investment firms. The regulation also reaches ICT third-party service providers, such as cloud computing and data analytics providers, and establishes an oversight framework for those that are designated as critical to the financial sector.

New obligations for boards of financial entities

One of the aims of the regulation is to ensure that the boards (management bodies) of financial entities take a pivotal and active role in steering and adapting the entity's overall strategy for ICT risk management and operational resilience. Under DORA, the board bears the ultimate responsibility for managing the entity's ICT risk.

First, the board must define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework. DORA sets out the minimum content of that framework in more detail, but it must at least include the strategies, policies, procedures, ICT protocols and tools that are necessary to protect all ICT assets (such as software, hardware and servers) and all relevant physical components and infrastructures (such as premises and data centres) against ICT risk, including damage and unauthorised access or use. In practice, this includes the following:

As part of the ICT risk management framework, financial entities must also adopt a strategy for the risks arising from the use of third-party ICT services. This requires the board to put in place policies on the use of ICT services provided by third parties and to periodically review the risks identified in contractual arrangements on ICT services that support critical or important functions.

Board members of financial entities are also required to actively keep up to date sufficient knowledge and skills to understand and assess the entity's ICT risk and its impact on operations. Under the regulation, maintaining that knowledge includes, among other things, following specific training on ICT risk and its effects on a regular basis.

Liability for non-compliance

Under DORA, Member States must ensure that the competent national authorities have the power to impose administrative penalties and remedial measures where the obligations of the regulation are breached. Member States must also make it possible to direct these penalties and measures at board members of financial entities and at other natural persons who are responsible for the breach under national law. The final form of the sanctions will therefore not be known until national law has been amended as the regulation requires; in Finland, that legislative work has not yet begun.

Preparing for the future

All in all, DORA creates a comprehensive and detailed framework for managing the risks that digitalisation poses to financial entities. It introduces new requirements for cyber security and operational resilience and lays down new obligations for the boards of financial entities. Failure to meet these obligations may even result in administrative penalties for board members personally. The sanctions for breaches under Finnish legislation will likely be specified in the coming years. Financial entities are nevertheless well advised to start evaluating their ICT risks and practices in good time, including those relating to their ICT service providers.