Digital Operational Resilience Act: In the Shadow of MiCA Regulation
Regulation at the EU level is one of the most discussed topics in the European crypto community in 2022. Most of the discussion revolves around MiCA, i.e. the Markets in Crypto Assets regulation, which is tasked with regulating the very functioning of the cryptocurrency industry.
The debates were so lively that MiCA essentially overshadowed the other regulations under discussion, including the Regulation on Digital Operational Resilience, which is publicly known under the abbreviation DORA, the Digital Operational Resilience Act.
DORA is being prepared in line with the strategy called Europe Fit for Digital Age, which is intended to respond to the ongoing transformation of Europe into the new age of digital technologies.
What is DORA?
DORA stands for the Digital Operational Resilience Act. Its main task is to unify the standards and norms governing the selected entities, specifically those that conduct business in the field of finance or are in some way subject to the financial supervision of individual regulators. On top of that, the regulation defines precisely which subjects fall into this area.
What exactly does DORA order these entities to do?
Information and communication technology risk management requirements
In this area, the European supervisory authorities will play an important role. In cooperation with EU experts from the IT field, the regulators will prepare follow-up regulatory technical standards (RTS). These will set clear boundaries by which the regulated subjects must be guided, for example rules on publishing records of security incidents.
ICT incident reporting requirements
Here too, a follow-up RTS will be drawn up. Threshold values will be defined, with input from the affected companies, so that a company can determine how serious a security incident potentially is and whether it must be reported to the relevant authorities.
Durability testing requirements
Companies will be required to ensure that their systems are sufficiently secure and to verify this on a regular basis. Various testing methods will be applied, such as so-called penetration tests, in which companies pay experts to simulate a hacker attack while the effectiveness of the security measures is monitored and subsequently reported.
With the help of European technology experts, a follow-up RTS should again provide greater detail.
Third Party Risk Management
When companies choose to use the services of third parties, those third parties should also be subject to the obligations set by DORA. In this regard, the European Parliament requires third parties to follow the law of the European state in which the business is conducted. However, there are obvious concerns that the consequence will be a more rigorous selection of suitable partners for cooperation and a more difficult negotiating position for both contracting parties.
Third Party Supervision
The consensus in this area so far is that all third parties deemed critical should be subject to regulatory oversight. One of the main requirements is that all these third parties should have a subsidiary in the EU in order to offer services to entities in the financial sector.
Who should be concerned about DORA?
This regulation also redefines the subjects it concerns. The largest institutions, such as banks and stock exchanges, are definitely on the list. These entities already invest heavily in the security of their systems, and the adoption of the regulation should not have that much of an impact on them. Companies operating in the cryptocurrency industry or in the fintech sector will be affected much more. For some of them, the regulation could become a problem, since the high security requirements will surely result in an increase in operating expenses.