For Lumera, information security has always been a top priority. Our customers operate in a highly regulated environment, supervised by financial authorities. Information security is a central element for their review of operational risks in the financial sector.
This is why Lumera recognizes information security – protecting digital assets – as fundamental to responsible, sustainable digitalization. Our products and services must be fundamentally reliable while supporting customers’ digitalization and compliance efforts, today and in the future.
We welcome the European Union’s initiative for DORA (Digital Operational Resilience Act), a regulation that defines detailed requirements for financial firms' resilience to disruptions and ICT-related (Information and Communication Technology) threats. We do this because it means a big step towards harmonized financial regulation, while raising the bar for resilience in our industry.
Two-year implementation period
Most organizations within the financial sector, and businesses serving them, are subject to the DORA framework, including ICT providers such as Lumera. The regulation became effective in January 2023 with a two-year period reserved for adoption, meaning that affected organizations should achieve compliance by early 2025.
DORA formalizes key requirements on the following procedures:
- Risk management. Principles and requirements for ICT risk management.
- Incident reporting. Harmonized and streamlined reporting. Extended reporting obligations for all financial entities.
- Digital operational resilience testing. Basic and advanced testing requirements.
- Third-party risk management. Principles-based rules for monitoring third-party risks, key contractual provisions, and oversight framework for critical third-party ICT providers.
Regulatory overlap
From our initial analysis, we observe that several DORA requirements overlap with existing ICT provisions specified by the EBA (European Banking Authority) and EIOPA (European Insurance and Occupational Pensions Authority). We concluded that Lumera’s observation of these industry guidelines implies compliance with most DORA requirements, as implemented by our information security management system and following from ISO 27001 certification.
Next, a full assessment will be conducted within the DORA framework to determine whether Lumera should be identified as a critical third-party supplier, and to learn which Lumera-powered systems will be categorized as critical in customers’ risk assessments.
Business outcomes
By establishing a standardized regulatory framework, DORA facilitates our close collaboration with customers to provide effective solutions for addressing future requirements on resilience. And aside from compliance, we expect substantial business outcomes from enhanced digital resilience, achieved at a reduced cost for everyone involved.
With Lumera, DORA implementation will not require costly customizations or additional module expenses – just automatic, elevated compliance and resilience.
