What is ‘digital’ resilience?

The following European law (effective from January 2025) has been formally adopted, and will also involve Member State implementation in 2025:

  • Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (DORA).
  • Directive (EU) 2022/2556 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector (DORA Amending Directive).

Digital operational resilience is aimed at financial services firms:

  • so that they can do their utmost to manage the risk from information technology threats,
  • and keep financial markets stable.

The legislation applies to entities including banks, credit institutions and crowd-funding platforms, as well as critical ICT providers. However, there is an even longer list of parties to which it applies.

While this is EU legislation, it is thought to apply to ICT providers who supply EU firms.

Overall, this is an effort to harmonise standards across Europe and to raise them.

New obligations will include:

  • Reporting against materiality thresholds
  • A focus on cyber threats
  • Gap analysis of information technology governance
  • Firms will be expected to test their ‘operational resilience’ every 3 years or so
  • Firms will be expected to train their company boards in resilience testing methodology
  • Annual reporting of information technology incidents
  • “Effective and prudent” management of ICT risk

Smaller firms, outside these Regulations, should nonetheless plan (in a proportionate way) to cover ICT risk, for the sustainability of the business. This might include:

  • Due diligence over third-party suppliers of ICT
  • A business continuity plan
  • A disaster recovery plan
  • Scenario testing
  • An ICT usage policy for employees
  • An artificial intelligence usage policy
  • An incidents register
  • A check that you have the right insurance
  • Review of, and lessons learned from, mistakes

SEEIO helps you manage ICT risk, because the power tools in the platform include a Risk Management tool and a task-tracker that automatically tracks achievement of your objectives (no matter how detailed or specific).

Disclaimer

The blogs of Board Originator Ltd / SEEIO and any of its contractors, agents or employees are for the general interest of the readership only. We do not endorse any news or information we may publish in our blog. Our blog is not intended to and does not constitute legal or professional advice to any person or business. Our posts are general news items or updates that may interest our followers; they consist of a brief overview and are therefore incomplete and may contain errors at any time. Readers are not to rely on our blog content, and those who do rely on it do so at their own risk. We accept no responsibility to readers for our blog and we will not be held liable for statements in, or third-party links within, our blogs. Any common law liability is also excluded as permitted by law. We do not accept any liability for damages, whether direct, indirect, special, consequential or otherwise, under any circumstances, whether foreseeable or otherwise. Please also see our extensive website terms and conditions in the footer of our website.