The Council of Europe has adopted the Digital Operational Resilience Act ("DORA"), under which all financial entities in the EU must ensure that they can manage, withstand, respond to, and recover from all types of Information and Communication Technology (ICT)-related disruptions and threats. To this end, DORA introduces management, reporting, and testing requirements for the security of the network and information systems of companies and organisations in the financial sector, in addition to contracting requirements. Third parties providing ICT-related services to financial entities, such as cloud platforms or data analytics services, will also be affected by the requirements imposed on the financial industry, for two reasons: firstly, because ICT services must comply with new and stricter standards, and secondly, because the most important providers may be designated as "critical third-party service providers" and thereby become subject to direct supervision by the financial authorities.

Background

Today, the use of ICT and ever-increasing digitalisation are core to the activities of financial entities in the European Union. This leads to a heavy dependency on third parties providing ICT services. At the same time, increased digitalisation and interconnectedness amplify ICT risk, making the financial system more vulnerable to cyber threats and ICT disruptions. Digital resilience has therefore become an important topic. In order to mitigate these risks and strengthen the IT security of financial entities, the Council of the EU adopted the Digital Operational Resilience Act ("DORA") on 28 November 2022.

Objective and scope of DORA

DORA is part of the broader "Digital Finance Package", which further enables and supports the potential of digital finance in terms of innovation and competition while mitigating the risks arising from it.

'Digital operational resilience' refers to the ability of a financial entity to build, assure, manage, and review its operational integrity and reliability by (i) ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems used by the financial entity, and (ii) supporting the continued provision of financial services and their quality, including throughout planned or unplanned disruptions.

Accordingly, DORA creates a regulatory framework for IT and cyber security requirements in respect of companies and organizations in the financial sector as well as critical third parties providing services to such entities.

DORA consists of the Regulation on digital operational resilience for the financial sector ("DORA Regulation") and the Directive on digital operational resilience for the financial sector. In addition, it is intended that various delegated acts (technical standards, etc.) will be adopted for the purpose of setting out further detailed requirements.

Almost all financial entities will be subject to the new rules under DORA, including the following entities:

  • Credit institutions, payment institutions, electronic money institutions, account information service providers, and investment firms.
  • Insurance and reinsurance undertakings, insurance and reinsurance intermediaries, ancillary insurance intermediaries, and institutions for occupational retirement provision.
  • Crypto-asset service providers as authorized under MiCA and issuers of asset-referenced tokens.
  • Central securities depositories, central counterparties, credit rating agencies, trading venues, trade repositories, and data reporting service providers.
  • Managers of alternative investment funds and management companies.
  • Administrators of critical benchmarks, crowdfunding service providers, securitization repositories and credit rating agencies.
  • ICT third-party service providers, directly if designated as critical providers or indirectly through their provision of services to financial entities covered by DORA.

The adoption of DORA means that a number of financial entities operating in the insurance sector and capital markets, together with small and medium-sized banks, will be subject to a more comprehensive set of requirements than today.

The requirements of DORA

The requirements introduced by DORA can be divided into the following five core pillars addressing various aspects and elements within ICT and cyber security:

  1. ICT risk management;
  2. Incident reporting;
  3. Digital operational resilience testing;
  4. Information and intelligence sharing; and
  5. ICT third-party risk management.

1. ICT risk management: Financial entities are required to have in place an internal governance and control framework that ensures effective and prudent management of ICT risk. The ICT risk management framework shall consist of the policies, procedures, ICT protocols and tools necessary to duly and adequately protect all information assets and ICT assets, such as software and hardware, as well as all other relevant physical components and infrastructure, such as premises, data centres and areas designated as sensitive.

The ICT risk management framework shall be documented and reviewed at least once a year as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes.

2. Incident reporting: DORA provides that financial entities must establish and implement procedures to monitor and record ICT-related incidents. This entails that financial entities must have in place early warning indicators, procedures to properly identify and handle ICT-related incidents and an organization with assigned roles and responsibilities and plans for communication that can be activated for the respective ICT-related incidents.

3. Digital operational resilience testing: An integral part of DORA is the requirement to establish, maintain and review a sound and comprehensive digital operational resilience testing programme. The programme shall ensure that the elements of the ICT risk management framework are periodically tested for preparedness. Any weaknesses, deficiencies or gaps identified must be promptly eliminated or mitigated through the implementation of counteractive measures.

4. Information and intelligence sharing: DORA encourages collaboration between financial entities with the aim of raising awareness of specific ICT risks. Financial entities may therefore enter into arrangements for sharing information and intelligence on such threats in order to limit the ability of ICT threats to spread. Importantly, such sharing must take place through secure arrangements that protect potentially sensitive information.

5. ICT third-party risk management: DORA sets out key principles for the sound management of ICT third-party risk by imposing requirements on the relationship between financial entities and ICT third-party providers, including cloud providers, in respect of contractual arrangements, technical requirements, reporting and governance. Financial entities relying on ICT third-party providers shall ensure that the related risks are properly assessed and monitored. Consequently, contracts between a financial entity and an ICT third party must specify all the necessary monitoring and accessibility details, such as a full service level description, an indication of the locations where data is processed, etc.

Finally, DORA introduces new and supplementary supervisory bodies that will oversee and coordinate efforts across national authorities. Following from this, there will be authority to designate ICT service providers deemed particularly important to the financial sector as "critical third-party service providers", which will then become subject to direct supervision and reporting requirements.

NIS2 and EBA Guidelines on outsourcing

In principle, DORA will coexist with both NIS2 and the EBA Guidelines on outsourcing; those rules are not redundant, but they do overlap in parts. At a joint public introduction session on 6 February 2023, the Commission, EIOPA and EBA clearly stated that, in relation to NIS2, DORA is the lex specialis and that DORA will replace NIS2 in respect of ICT requirements.

Next steps for financial entities regulated by DORA

Note that DORA is a "Regulation", meaning that national implementing legislation will not be necessary. DORA is in force and must be complied with by 16 January 2025. Following the adoption of DORA, the European Supervisory Authorities (the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority) will develop technical standards for all financial entities to abide by. These technical standards are intended to supplement and specify the rules of DORA. Consultation processes in this respect will take place over the coming 12 to 18 months. The respective national competent authorities will take on the role of compliance oversight and enforce the regulation as necessary.

In light of DORA's far-reaching provisions, we recommend that financial entities subject to DORA initiate processes to analyse their current ICT risk framework and governance and ensure its conformity with DORA. This includes the financial entity's current IT risk-management policies, procedures, training programmes, systems and other tools that identify and mitigate potential cyber-attacks. Furthermore, financial entities should review their current agreements with critical ICT third parties and ensure that they adequately regulate monitoring and accessibility details. In reality, this is a repetition of the review and re-negotiation processes and projects that many financial entities have conducted over the last couple of years in order to comply with the EBA Guidelines on outsourcing and the EIOPA Guidelines on cloud services. This time around, the technical standards will play a greater role and the number of contracts that will be subject to DORA is much larger. Now is also the time to make certain that new contracts comply with DORA or, at least, to agree on the process and the allocation of cost and risk for later updates needed to become compliant.

DORA was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. The entities subject to DORA will be bound after a two-year implementation period on 16 January 2025.


Originally published 13 February 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.