Thursday, December 5, 2024

DORA EFFECTIVE 17 JANUARY - WHAT WILL CHANGE FOR BANKS AND IT BUSINESSES?

 Filenews 5 December 2024



Banks and IT businesses will soon face tougher scrutiny from the European Union (EU) through DORA, which comes into effect on January 17, 2025.

The Central Bank of Cyprus reminds all financial entities falling within the scope of Regulation (EU) 2022/2554 (Digital Operational Resilience Regulation "DORA") that the implementation date is 17 January 2025. From this date, such financial entities must comply with the provisions of the DORA Regulation and the relevant technical standards published in the Official Journal of the European Union.

DORA is the Digital Operational Resilience Act, a law passed last year, and all indications are that it will be implemented by January 2025. Essentially, DORA requires banks, insurance and investment firms, and businesses in the IT industry to strengthen their security. The EU regulation also seeks to ensure that the financial services industry is resilient in the event of severe disruption.

Such outages could include a ransomware attack that causes a financial company's computers to shut down, or a DDoS (distributed denial of service) attack that forces a company's website offline.

The regulation also seeks to help companies avoid major outage events, such as last month's historic system crash caused by cyber firm CrowdStrike. In the future, such an event would fall under the kind of service disruption that would face scrutiny under the new EU rules.

DORA essentially requires banks to conduct more rigorous risk management of their IT operations, carry out digital operational resilience testing, share information on cyber threats and vulnerabilities, and take steps to manage third-party risks.