Digital Operational Resilience Act (DORA) is changing the rules
Financial companies have greatly accelerated their digitalisation in recent years, particularly due to the pandemic. With the increasing dependence on IT systems, the financial sector has become an attractive target for cyber attacks. This was recently highlighted by the war in Ukraine. As a result, strengthening the IT security of financial companies such as banks, insurance companies and investment firms is increasingly becoming the focus of the regulatory authorities.
To counter the growing threats, the Council and the European Parliament have reached an agreement on the Digital Operational Resilience Act (DORA), which is expected to be formally adopted in November 2022.
DORA sets out uniform requirements for companies in the financial sector and third-party providers with regard to the digital operational resilience and security of networks and information systems. This article provides a concise summary of all the main DORA requirements.
Background
As part of the ‘Digital Finance Strategy’ package of measures presented in September 2020, the Commission issued a proposal for a regulation on the operational resilience of digital systems in the financial sector (Digital Operational Resilience Act - DORA). The Council and the European Parliament reached a political agreement on the proposal for the DORA regulation in May 2022. The final compromise text was published on 23 June 2022.
The response to the war in Ukraine is still unclear and could lead to some tightened requirements. The next step is approval by the European Parliament and the Council before the formal adoption procedure begins, which is expected to take place in November 2022.
What does DORA essentially regulate?
DORA sets out harmonised requirements across the EU for the information and communication technology (ICT) systems of financial services providers and third-party providers working with them to prevent cyber-attacks and other risks.
Furthermore, it aims to enable the European financial sector to maintain operational stability in the event of a major disruption. This should increase IT security in the financial sector.
DORA also aims to promote innovation and the adoption of new financial technologies, while ensuring adequate consumer and investor protection.
DORA scope of application: financial undertakings and third-party ICT providers
DORA covers almost all financial undertakings and will apply to credit and payment institutions, investment firms, crypto-service providers, insurance undertakings, insurance intermediaries and numerous other financial services providers. Third-party ICT providers that provide digital (data) services are also covered by the new rules. Conversely, auditors and providers of hardware components and mere electronic communication services are exempt from DORA.
Most requirements will apply to financial institutions of all sizes. Only microenterprises (companies that employ fewer than 10 people and whose annual turnover does not exceed EUR 2 million) are to be exempted.
Outlook on the substantive requirements
The above-mentioned companies will have to ensure that they are able to withstand, respond to and recover from all types of ICT-related disruptions and threats. The efforts to be made by financial companies will be proportionate to the potential risks.
The European Supervisory Authorities (EBA, ESMA and EIOPA) will further specify the requirements in technical guidelines.
New requirements for ICT risk management
The affected companies must first set up stable ICT systems and tools and continuously improve them in order to keep pace with various threats. A separate responsible body must be set up within the company.
With DORA, the implementation of protective and preventive measures as well as the development of emergency and recovery plans becomes mandatory. The specific requirements will be based on European and internationally recognised technical standards. To this end, the DORA framework will be supported by delegated regulations and guidelines to be drawn up by the relevant supervisory authorities, regulatory technical standards and implementing technical standards.
Management, classification and reporting of ICT incidents
Financial companies should implement a management process for monitoring and logging ICT-related incidents. Incidents are to be classified according to the criteria set out in DORA using materiality thresholds (how many people are affected, in which area, which data is affected, etc.), and serious ICT-related incidents must in future be reported according to predefined standards.
ICT incidents categorised as critical must be reported both to the supervisory authority and to customers whose interests may be affected.
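The following is an added illustration of the classification-and-reporting logic described above; it is not code from the original article or from any regulator. The numeric thresholds, the criteria names, the three severity levels and the rule mapping severity to notification targets are all assumptions made for this example, and the incidents are constructed sample data. DORA's actual materiality criteria and reporting standards are those set out in the regulation and the forthcoming technical standards.

```python
"""Threshold-based classification of ICT incidents and routing of notifications.

Added example for the DORA incident-classification paragraph. Every threshold
below is a hypothetical placeholder, not a value taken from DORA.
"""
from dataclasses import dataclass, field


@dataclass
class Incident:
    incident_id: str
    clients_affected: int
    duration_minutes: int
    data_categories: set = field(default_factory=set)  # e.g. {"personal", "payment"}
    service_area: str = ""                               # e.g. "payments", "trading"
    countries: int = 1                                   # number of EU countries affected


# Hypothetical materiality thresholds (assumptions for this example only).
MAJOR_CLIENTS = 10_000
MAJOR_DURATION_MIN = 120
CRITICAL_SERVICE_AREAS = {"payments", "core_banking"}
SENSITIVE_DATA = {"personal", "payment"}


def exceeded_criteria(inc: Incident) -> list:
    """Return the names of every materiality criterion the incident exceeds."""
    hits = []
    if inc.clients_affected >= MAJOR_CLIENTS:
        hits.append("clients")
    if inc.duration_minutes >= MAJOR_DURATION_MIN:
        hits.append("duration")
    if inc.service_area in CRITICAL_SERVICE_AREAS:
        hits.append("service_area")
    if inc.data_categories & SENSITIVE_DATA:
        hits.append("data")
    if inc.countries > 1:
        hits.append("cross_border")
    return hits


def classify(inc: Incident) -> str:
    """Map the number of exceeded criteria to 'minor', 'major' or 'critical'.

    The 3-criteria cut-off for 'critical' is an assumption of this example.
    """
    hits = exceeded_criteria(inc)
    if len(hits) >= 3:
        return "critical"
    if hits:
        return "major"
    return "minor"


def notification_targets(level: str) -> list:
    """Serious incidents go to the supervisor; critical ones also to affected customers."""
    targets = []
    if level in ("major", "critical"):
        targets.append("supervisory_authority")
    if level == "critical":
        targets.append("affected_customers")
    return targets


def build_register(incidents) -> list:
    """Produce one log entry per incident: severity, criteria hit, who must be told."""
    register = []
    for inc in incidents:
        level = classify(inc)
        register.append({
            "incident_id": inc.incident_id,
            "severity": level,
            "criteria": exceeded_criteria(inc),
            "notify": notification_targets(level),
        })
    return register


# Constructed sample incidents (not real events).
SAMPLE_INCIDENTS = [
    Incident("INC-001", clients_affected=50, duration_minutes=15),
    Incident("INC-002", clients_affected=25_000, duration_minutes=30),
    Incident("INC-003", clients_affected=40_000, duration_minutes=240,
             data_categories={"personal"}, service_area="payments", countries=3),
]

if __name__ == "__main__":
    for entry in build_register(SAMPLE_INCIDENTS):
        print(entry)
```

The register entries keep the list of criteria that triggered the classification alongside the severity, so an auditor can later see why an incident was, or was not, reported rather than only the final label.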
New rules for testing ICT systems
The capabilities and functions provided for ICT risk management must be tested regularly, at least once a year, under operational conditions, using simulated threat scenarios to test preparedness (so-called penetration tests). The tests carried out must be documented and, if vulnerabilities are identified, the implementation of corrective measures must be verified. The use of in-house testers will only be possible under strictly limited circumstances and subject to protective conditions.
Managing the risk posed by third-party ICT providers
Financial institutions must evaluate, proactively manage and monitor the risk posed by third-party ICT providers on an ongoing basis. DORA harmonises the components of contracts with third-party providers and encourages the voluntary use of standard contractual clauses. It is to be expected that even when using the prescribed model contracts, a detailed internal overall risk assessment must be carried out.
DORA also creates a European supervisory framework for critical third-party ICT providers (big techs) that provide digital services such as cloud computing to financial institutions. In the future, critical providers from third countries that provide ICT services to financial companies in the EU will have to establish a subsidiary in the EU to ensure proper supervision.
Responsibility of the supervisory authorities
According to the current version, the FMA and the trade authorities are to be responsible for enforcement. A representative of the European Supervisory Authorities EBA, ESMA and EIOPA is to be appointed as the lead supervisor for critical ICT third-party providers.
To facilitate cooperation and, in particular, (crisis) communication between authorities, DORA provides for cross-sector simulation exercises. It is not yet possible to say how well the necessary coordination will work in practice within the short time available for responding to a cyber attack in an emergency.
Financial companies should act now
DORA is expected to come into force in January 2023. From then on, companies will have 24 months to implement the new requirements. It is advisable to address the new DORA requirements at an early stage, as experience with the European General Data Protection Regulation (GDPR) has shown: there, companies suppressed the need for action for a long time and were then overwhelmed as the date of application approached.
In our view, financial companies with a low level of resilience maturity and those that have so far paid little attention to the operational stability of their digital systems and the resilience of their service providers are most challenged. These companies should start identifying where their resilience is weak and develop strategies for implementing the future requirements.
How can we support you?
We would be happy to support you with our extensive expertise in information and communication technology risk management in implementing the new requirements. We look forward to receiving your enquiry.