The EU’s Digital Operational Resilience Act (DORA) is a regulation that establishes a comprehensive regulatory framework for EU financial entities to enhance their operational resilience in the digital era. DORA aims to ensure that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats, including cyber threats. It also introduces a direct oversight framework for critical ICT third-party service providers.
It was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. Its provisions will apply from 17 January 2025. The European Supervisory Authorities (ESAs) are mandated to develop delegated acts and technical standards that complement DORA.
The regulation will affect the following entities:
- Banking and payments sector: Credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers (as authorized under MiCA), and issuers of asset-referenced tokens.
- Markets infrastructure: Central securities depositories (CSDs), central counterparties (CCPs), trading venues, trade repositories, and data reporting service providers.
- Investment funds sector: Alternative Investment Fund Managers (AIFMs) and UCITS (Undertakings for the Collective Investment in Transferable Securities) management companies.
- Insurance sector: Insurance and reinsurance undertakings, institutions for occupational retirement pensions, and insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries.
- Miscellaneous: Credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitization repositories.
- ICT Third-Party Service Providers.
For financial entities, DORA requires them to establish effective ICT risk management frameworks, report ICT-related incidents promptly, conduct digital operational resilience testing, manage ICT third-party risks, and participate in information-sharing arrangements related to cyber threats.
For critical ICT third-party service providers, DORA grants the ESAs direct oversight, and such providers may be required to establish a subsidiary within the EU so that this oversight can be exercised effectively.
It is important to be aware of DORA’s requirements and prepare for compliance to ensure operational resilience and adhere to the established timeline for implementation.
How common are ICT security incidents?
According to Eurostat, in 2021 22.2% of EU enterprises (with 10 or more employees and self-employed persons) experienced ICT security incidents with consequences such as unavailability of ICT services, destruction or corruption of data, or disclosure of confidential data.
The most frequent consequence reported was the unavailability of ICT services due to hardware or software failures (18.7%). Unavailability of ICT services due to attacks from the outside (e.g. ransomware attacks, denial of service attacks) was far less common (3.5%).
The least frequent consequence of ICT security incidents was the disclosure of confidential data, reported under two headings: disclosure due to intrusion, pharming, phishing attacks or intentional actions by the enterprise's own employees (1.1%), and disclosure due to unintentional actions by own employees (1.0%).
The spring 2021 EBA Risk Assessment Questionnaire (RAQ) shows that 88% of respondents consider cyber risk and data security the most important driver of operational risk, a share that has grown compared with previous iterations of the RAQ.
Simplify reporting and meeting DORA regulatory obligations with AI automation
DORA requires organizations to report on their digital resilience and risk management activities to an independent authority, using a common template and harmonised procedure developed by the ESAs and submitting initial, intermediate, and final reports.
AI can assist organizations in meeting these reporting requirements. It automates data extraction from diverse documents, streamlines compliance gap analysis by automating document analysis, establishes mappings to the regulatory requirements, identifies gaps, and offers actionable recommendations. Additionally, AI enables user interaction through Q&A features, allowing quick access to relevant information.
- Data Extraction
AI plays a crucial role in data extraction, enabling the extraction of relevant information from various types of documents such as financial reports, risk assessments, and operational plans. AI models, including machine learning algorithms and deep learning models, are trained to understand the structure and content of these documents. AI models can handle different document formats and use techniques like Optical Character Recognition (OCR) to convert text into machine-readable format. With predefined rules and patterns, AI models extract specific data elements, such as financial figures, identified risks, or action items, from the documents.
In conjunction with AI models, Natural Language Processing (NLP) models further process and analyze the extracted data. NLP helps AI understand the context, relationships, and meaning behind the information. It categorizes and classifies data, assigns labels or tags to sections, and identifies key entities mentioned in the documents.
By utilizing AI models and NLP techniques, organizations can align their processes with the regulatory framework of the DORA. The extracted data can be used for reporting purposes, ensuring compliance with the required disclosures and documentation. AI streamlines the data extraction process, saving time and effort compared to manual data entry, while ensuring accuracy and consistency.
- Gap Analysis
AI tools equipped with NLP capabilities can analyze DORA-related documents, such as policies, procedures, or risk assessments. NLP allows AI models to understand the content and context of the documents, extract relevant information, and identify key elements associated with compliance.
By establishing a mapping between the regulatory requirements specified in DORA and the analyzed documents, AI models can effectively identify gaps. This mapping involves training the AI models to recognize and align specific provisions, guidelines, or standards outlined in DORA with their corresponding sections in the analyzed documents.
Once the regulatory requirements have been mapped, AI tools flag potential areas of non-compliance by identifying discrepancies, inconsistencies, or omissions within the documents. The severity and impact of each identified gap are assessed to prioritize actions for addressing deficiencies based on factors such as regulatory importance, potential risks, or operational impact.
AI-powered tools provide actionable recommendations tailored to the organization's context to guide remediation of the identified gaps. Leveraging knowledge of regulatory requirements, industry standards, and best practices, AI models generate specific steps, improvements, or suggested measures that organizations can implement to achieve compliance with DORA.
- Q&A Document Analysis
AI platforms and tools can be trained to understand specific questions related to the DORA and provide accurate responses by analyzing the content of relevant documents.
When a user asks a DORA-related question, the AI model analyzes the question, identifies key elements, and searches for the pertinent information within its trained DORA documents. Leveraging its knowledge of the regulatory framework, the AI model delivers accurate and contextually appropriate responses.
The Q&A Document Analysis feature offers several significant benefits. It saves time by providing quick access to relevant information within DORA documents, eliminating the need for manual search. Users can efficiently gather information, make informed decisions, or seek clarification on specific DORA-related topics.
Additionally, this feature improves accessibility to DORA-related knowledge. Users, regardless of their familiarity with DORA, can easily interact with the AI model, ask questions using natural language, and receive clear and understandable responses. It removes barriers to accessing and understanding complex regulatory information, making it more accessible to a broader audience.
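The gap-analysis mapping described under "Gap Analysis" and the document lookup described under "Q&A Document Analysis" both reduce to the same operation: matching a piece of regulatory or user text against sections of an internal policy document and scoring how well each section covers it. The following Python example is added here to make that concrete; it is not code from the article or from any DORA tooling. It uses plain keyword coverage instead of a trained model, so the mapping, the flagged omissions and the severity-weighted prioritization are visible and reproducible. The requirement texts paraphrase the obligations listed in the article; their identifiers (REQ-1 to REQ-5), the severity weights, the policy sections, and the questions are all constructed for the example.

```python
"""Keyword-coverage gap analysis and question lookup over policy text.

Added illustration, not code from the article or any DORA tool. Requirement
texts paraphrase the obligations the article lists; their IDs, severity
weights, the policy sections, and the questions are constructed.
"""
import math
import re

# Constructed requirement catalogue: id, severity weight (3 = highest), text.
REQUIREMENTS = [
    {"id": "REQ-1", "severity": 3, "text": "ICT risk management framework"},
    {"id": "REQ-2", "severity": 3, "text": "incident reporting initial intermediate final report"},
    {"id": "REQ-3", "severity": 2, "text": "digital operational resilience testing"},
    {"id": "REQ-4", "severity": 2, "text": "ICT third-party risk management"},
    {"id": "REQ-5", "severity": 1, "text": "cyber threat information sharing arrangements"},
]

# Constructed excerpt of an internal policy: section title -> body text.
POLICY = {
    "3.1 ICT risk management": "The ICT risk management framework defines how ICT "
        "risk is identified, protected against, detected, responded to and recovered from.",
    "4.2 Incident reporting": "Major ICT incidents are reported to the competent "
        "authority. An initial notification is followed by a final report.",
    "5.0 ICT third-party risk": "Providers are assessed before contracts are signed; "
        "contractual arrangements set security obligations and ICT third-party risk "
        "management is reviewed yearly.",
    "6.0 Backups": "Backups are taken nightly and restore tests are run quarterly.",
}

STOPWORDS = {"the", "a", "an", "and", "or", "to", "of", "in", "with", "is", "are",
             "be", "by", "for", "from", "on", "as", "that", "this", "its", "their",
             "must", "how", "when", "what"}


def keywords(text):
    """Lower-case, drop stopwords, and crudely singularise (strip a trailing s)."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {w[:-1] if len(w) > 3 and w.endswith("s") else w
            for w in words if w not in STOPWORDS}


def coverage(requirement_text, section_text):
    """Fraction of the requirement's keywords present in the section, plus the misses."""
    needed = keywords(requirement_text)
    if not needed:
        return 1.0, set()
    missing = needed - keywords(section_text)
    return 1 - len(missing) / len(needed), missing


def find_gaps(requirements, sections, threshold=0.9):
    """Map each requirement to its best-covering section and flag weak matches.

    Priority = severity x uncovered share, so a single omission in a high-severity
    requirement can rank below a total miss on a lower-severity one.
    A requirement that no section touches at all is reported with section None.
    """
    gaps = []
    for req in requirements:
        best_title, best_cov, best_missing = None, 0.0, keywords(req["text"])
        for title, body in sections.items():
            cov, missing = coverage(req["text"], f"{title} {body}")
            if cov > best_cov:
                best_title, best_cov, best_missing = title, cov, missing
        if best_cov < threshold:
            gaps.append({"id": req["id"], "section": best_title, "coverage": best_cov,
                         "missing": sorted(best_missing),
                         "priority": req["severity"] * (1 - best_cov)})
    return sorted(gaps, key=lambda g: g["priority"], reverse=True)


def answer_question(question, sections):
    """Title of the section best matching the question, or None if nothing matches.

    Each question keyword is weighted by inverse document frequency, so a term that
    appears in almost every section (here "ict") contributes less than a rare one.
    """
    section_kw = {t: keywords(f"{t} {b}") for t, b in sections.items()}
    n = len(section_kw)

    def idf(word):
        df = sum(word in kw for kw in section_kw.values())
        return math.log(1 + n / (1 + df))

    q = keywords(question)
    scores = {t: sum(idf(w) for w in q if w in kw) for t, kw in section_kw.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None


if __name__ == "__main__":
    for g in find_gaps(REQUIREMENTS, POLICY):
        print(f'{g["id"]} priority={g["priority"]:.2f} coverage={g["coverage"]:.2f} '
              f'section={g["section"]} missing={g["missing"]}')
    for q in ("When must intermediate reports be submitted?",
              "How is ICT third-party risk handled?",
              "What is the lunch policy?"):
        print(q, "->", answer_question(q, POLICY))
```

Run against the constructed policy, the gap list comes out as REQ-3 (resilience testing, no section at all), then REQ-5 (information sharing, only the word "arrangements" matches), then REQ-2 (incident reporting, which covers initial and final reports but omits the intermediate one). That last result is the useful part of the mapping: the tool does not just say "incident reporting is covered", it names the missing element. The lookup returns the incident-reporting section for the intermediate-report question, the third-party section for the third-party question, and None for a question the policy does not address, which is the behaviour a compliance team would want instead of a confident wrong answer.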
Empowering Digital Operational Resilience
The Digital Operational Resilience Act is an important step in addressing the challenges posed by digital transformation. Leveraging AI-driven solutions can help organizations reduce costs, improve their operational efficiency, detect threats quickly, and create more accurate risk models.
However, organizations must consider the applicable regulatory, compliance, and ethical constraints when using AI for digital operational resilience. They must also ensure that their AI-powered systems are properly configured and deployed, and that they are regularly updated so that the tooling itself does not introduce new security risks.
By following best practices and leveraging AI-driven solutions, organizations can ensure that they are taking full advantage of the benefits of the DORA and achieving greater operational resilience in their digital operations.