Navigating Towards DORA and PS21/3 Compliance: Utilizing Technology for Risk Mitigation

Investigating the rationale behind European regulations, the hurdles they create, the timeline for implementation, and the strategies for adherence.

Navigating Path to DORA and PS21/3 Conformity: Utilizing Technology to Minimize Risk

In a bid to bolster cybersecurity and mitigate operational risks within the financial sector, two significant pieces of legislation have been introduced: the Digital Operational Resilience Act (DORA) by the European Union and the Prudential Standard PS21/3 by the United Kingdom.

The UK's PS21/3, which came into force on 31 March 2022, applies to banks, building societies, and designated investment firms in the UK; its purpose is to ensure the operational resilience of financial institutions. DORA, proposed by the European Commission in September 2020 and formally adopted in November 2022, has been binding in all EU member states since January 17, 2025.

The implementation of DORA and PS21/3 presents challenges in terms of cyber risk management, particularly in adapting to a rapidly evolving threat landscape. To meet these challenges, businesses must assess the resilience of their critical systems and ensure that appropriate safeguards are in place across the entire supply chain.

This entails conducting regular risk assessments, implementing necessary security controls, and maintaining an effective incident response capability. By March 31, 2025, firms must have performed mapping and testing to operate within impact tolerances for each important business service.

Organisations must also establish a robust governance structure and allocate adequate resources to comply with the regulations effectively. This includes identifying any vulnerabilities in their operational resilience and keeping up with evolving risks through continuous monitoring, analysis, and mitigation efforts.

DORA covers five pillars: ICT risk management, ICT incident reporting, digital operational resilience testing, information and intelligence sharing, and ICT third-party risk management. Compliance with the regulations requires a comprehensive understanding of the organisation's technology infrastructure and attack surface, including third-party dependencies.

The European Supervisory Authorities (ESAs) are drafting regulatory technical standards (RTS) and implementing technical standards (ITS) for DORA, which are expected to be finalised in 2024. Meanwhile, the Cyber Resilience Act complements DORA: it is implemented in phases from June 2026, with full enforcement by December 11, 2027, and includes conformity assessments and mandatory incident reporting.

In the quest for compliance, services such as Bitsight can strengthen cyber risk management capabilities and support the DORA and PS21/3 requirements. Non-compliance with these regulations can result in significant fines, sanctions, and even criminal penalties.

In conclusion, the financial sector is undergoing a significant transformation as it strives to meet the operational resilience requirements set by DORA and PS21/3. By adhering to these regulations, organisations can build a more secure and resilient digital infrastructure, safeguarding their operations and customer trust.
