Ana Martínez-Pina, in her latest article, analyses the challenges of the DORA Regulation for the management of technological risk in financial institutions.

In the 69th edition of Capital & Corporate magazine, Ana Martínez-Pina, Director and partner of Gómez-Acebo y Pombo’s Financial Regulatory Practice, discusses how the DORA Regulation will boost digital resilience in the financial sector.

The DORA Regulation, which will enter into force on 17 January 2025, responds to the growing importance of information and communication technologies (ICT) in the sector’s essential operations by establishing a uniform regulatory framework to mitigate cyber threats and other disruptions.

These risks are in addition to others already covered by previous regulations, such as the CRD IV directive for credit institutions, MIFID II for markets in financial instruments or Solvency II for insurers, which regulate aspects such as credit, market, liquidity, conduct and sustainability risk, among others.

These directives were the starting point for the creation of a single legal framework that strengthened the authorisation, governance, solvency and general operating regime for financial institutions.

To provide financial institutions with this common level of digital operational resilience, a number of measures are articulated, such as: defining, approving and monitoring the ICT-related risk management framework; conducting threat penetration tests; having an incident log, early warning indicators or communication plans; or having a contract information register and a policy on the use of ICT services, among many others.

However, implementing rules are needed to specify and detail certain issues, which are not covered by the new legal framework. Some of them have already been included in the Delegated Regulations, such as the criteria for the designation of third party ICT service providers or the content of the policy regarding contractual agreements with such providers.

At GA_P we are advising financial institutions in the process of adapting to the upcoming implementation of DORA, adopting and adapting policies, incorporating new tools and reviewing contracts with third party providers.

Download full article here

View document