Australia's Interaction with DORA's Effects
The Digital Operational Resilience Act (DORA), a new European Union regulation, is set to revolutionise the financial sector's IT security. Scheduled to take effect from 17th January 2025, DORA aims to strengthen operational resilience and enhance cybersecurity measures across the industry.
DORA is now live and operational within the European Union, focusing on digital operational resilience and offering a comprehensive framework that could serve as a model for other sectors. The Act targets critical third-party providers, primarily Information and Communication Technology (ICT) service providers offering digital and data services, such as cloud computing providers, software vendors, data analytics services, and data center operators. Providers that have at least 250 employees and meet significant financial thresholds will come under regulatory supervision.
The criticality assessment under DORA considers the specific risks posed by each third-party provider to the financial entities they serve, including factors like concentration risk. DORA includes a comprehensive and specific set of requirements for managing risks associated with third-party tech service providers.
Advanced red team resilience testing, including threat-led penetration testing, will be necessary for third-party suppliers to identify and address vulnerabilities. Each third-party provider must undergo continuous monitoring of its performance and risks, including regular assessments and audits. Contracts with third-party providers must also include exit strategies and provisions for smooth transitions in case of termination or service disruption.
David J. Gee, the Global Head of Technology, Cyber, and Data Risk at Macquarie Group, has over 20 years of experience as a CIO and CISO. He joined Macquarie Group in early 2021 and has served as CISO for HSBC Asia Pacific, leading the cybersecurity transformation and all aspects of cybersecurity for HSBC in 19 countries.
The requirements of DORA are likely to spread geographically and to other sectors beyond the financial industry. The purpose of DORA is to provide guidelines for operational risk in Financial Institutions, ensuring a robust and resilient digital infrastructure that can withstand cyber threats and maintain business continuity.
The providers in scope for DORA's criticality assessment include Cloud Service Infrastructure providers, Data Centre Providers, Network and Telecommunications Providers, Cybersecurity Providers, Core Banking & Payment Processing Providers, and Financial Data Providers. As the implementation date approaches, it is crucial for financial institutions and third-party providers to prepare and adapt to these new requirements to maintain operational resilience and ensure digital security.