DORA: Friend or Foe

Abstract

The rapid development of technology gives many opportunities but brings threats as well. The digitization of the financial sector has made the threat for cyber attacks significant. Cyber attacks such as the Petya virus or the Wannacry attack have exposed the vulnerability of the critical infrastructure. The financial sector is especially prone to cyber attacks within the critical infrastructure. The financial sector must be available at all times. Even a minor disruption could cause wrongful or unexecuted transactions leading to cascading effects on careers, organizations, or entire industries. The way to cope with disruptive cyber events is through digital operational resilience. In order to ensure this the European Commission has proposed the Digital Operational Resilience Act. A regulation that harmonizes existing guidelines aimed at ensuring resilience against cyber attacks for the financial sector in the EU. To estimate the regulatory performance of the DORA, insight is to be created into the perceptions of the stakeholders. Therefore, the research question of this thesis is: What is the perception of the financial sector towards the expectation of the Digital Operational Resilience Act? In order to answer this research question, interviews were conducted with high-level security managers of financial service organizations (FSOs) in the Netherlands, ICT providers and supervisory authorities. From insights gathered through the interviews, it can be concluded that the participants share a predominantly positive perception of the DORA. They were confident about there ability to be compliant within the given 24 months. The DORA is also seen as a step in the right direction towards a digital operational resilient financial sector. Recommendations are made for supervisory authorities regarding the implementation and supervision of the DORA and for the FSOs on the implementation and compliance with the DORA.