The road to digital resilience… Where is Cyprus at with DORA?

Financial institutions in Cyprus are not 100% compliant with the new Digital Operational Resilience Act (DORA) but they are well on their way, the process has started and they are seeing what needs fixing or adjusting, according to Demetris Taxitaris, CEO of MAP S.Platis.

Taxitaris was speaking to InBusinessNews along with Reg4Tech CEO Demos Demou, who stressed how vital it was for financial institutions to ensure their resilience against cyber threats.

All financial institutions – including banks, fintech companies and crypto asset providers – must comply with DORA by 17 January 2025 when it comes into effect.

According to Taxitaris, the supervisory authorities – including the Cyprus Securities and Exchange Commission and Central Bank of Cyprus – have been monitoring the situation for a few years now and have issued circulars urging regulated entities to comply with the new EU Act.

“An adjustment has already started due to pressure from the regulators, especially for those supervised by CySEC and CBC,” he explained.

Likewise, the entities themselves have been taking measures to protect against cyber threats regardless of DORA.

“They are not 100% compliant but they are well on their way, the process has started and they are seeing what needs fixing or adjusting,” said Taxitaris. “The sector has a lot of momentum, cybersecurity services are in high demand, and everyone is ready. Beyond the pressure from the regulators, the businesses are already proceeding with their own initiatives.”

Besides, he added, there is already a certain structure in place which they keep building on what with the continuous stream of new developments.

“The risks are not fixed but instead keep changing, thus forcing businesses to monitor and alter their defences and measures on an ongoing basis,” he added.

Furthermore, Taxitaris pointed out that, drawing on the lessons learned from a similar data protection regulation introduced a few years ago, the GDPR, compliance with regulatory requirements also has a regulatory aspect that is established through policies and procedures.

“At the same time, the objectives of the regulation are real protection and resilience, which pass through specific mechanisms such as, for example, risk assessments, stress tests, uninterrupted monitoring and the methods and procedures to react and deal with specific cases,” he said.

The DORA act, its significance and its implementation

Demou told InBusinessNews that DORA aims to effectively and comprehensively manage digital risks in the financial industry to address the ever-increasing exposure to ICT risks and cyber threats as a result of increasing reliance on technology.

"DORA shifts the focus from the financial soundness of financial institutions to ensuring that they can also maintain resilient operations in cyberspace," said Demou.

The regulation's requirements are broken down and categorised into five key pillars, providing affected businesses with a step-by-step guide to achieving their digital resilience:

1) ICT Risk Management

2) Incident Management, Classification, and Reporting

3) Resiliency Testing

4) Information Sharing

5) Third-party Risk Management

Dubbed the EU’s most ambitious attempt to regulate cyberattacks to date, the aim of DORA is to ensure the safety and resilience of the entire European financial sector in conditions of rapid digital transformation.