Why was DORA adopted?
In recent years, we have witnessed significant advancements in technology and a rapid increase in the use of information and communication technologies (“ICT”). The trend was further accelerated by the Covid-19 pandemic through the shift to remote working and the digitalization of a wide range of services. As a result, the growing reliance on ICT third-party service providers, broader interconnectedness and higher interdependencies between systems in the financial sector have left financial entities exposed to cyber-attacks and economic disruption. Furthermore, the legal framework covering digital operational resilience across the financial sector has been fragmented across the European Union (“EU”). To illustrate, under Directive (EU) 2015/2366 (“PSD2”) and Regulation (EU) No 909/2014 (“CSDR”), payment service providers and central securities depositories are subject to specific provisions on digital operational resilience. For other financial entities, the rules on digital operational resilience have been limited to generic provisions such as those of Directive (EU) 2016/1148 (“NIS”). In addition, there has been no EU-wide direct oversight framework enabling financial supervisors to effectively monitor critical ICT third-party service providers offering services to financial entities. The lack of harmonized rules on digital operational resilience left the financial sector susceptible to ICT risks in the face of the increasing interconnectedness of financial systems across the EU.
What is DORA?
To address the above issues, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA” or the “Regulation”) was proposed by the European Commission on September 24, 2020 and adopted on December 14, 2022 (see Table 1). The proposal was part of the European Commission’s Digital Finance Package, published on September 24, 2020, for a competitive EU financial sector that enables access to innovative financial products and services while ensuring consumer protection and financial stability. DORA is an EU regulatory framework that establishes uniform requirements for the security of the network and information systems of financial entities, and of the ICT third-party service providers that provide services to them, with limited exceptions. The general objectives of DORA are as follows:
- Reduce the risk of financial disruption and instability;
- Reduce the administrative burden and increase supervisory effectiveness;
- Increase consumer and investor protection.
Table 1. Legislative Timelines

| Date | Event |
| --- | --- |
| September 24, 2020 | The European Commission publishes its proposal for DORA as part of the Digital Finance Package. |
| November 28, 2022 | DORA is adopted by the Council of the European Union, following approval by the European Parliament; the Regulation is dated December 14, 2022 and published in the Official Journal on December 27, 2022. |
| January 16, 2023 | DORA enters into force. |
| January 17, 2024 | The European Supervisory Authorities (EBA, EIOPA and ESMA) publish the first batch of final draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) under DORA and submit them to the European Commission for adoption. |
| January 17, 2025 | DORA applies to financial entities and ICT third-party service providers in scope, together with the RTS adopted under it. |
In terms of scope, DORA covers a wide range of financial entities, including credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers, managers of alternative investment funds and crowdfunding service providers, several of which have not previously been subject to extensive requirements on ICT risk management. It also covers ICT third-party service providers, including cloud service providers, that provide ICT services to financial entities. DORA is expected to cover more than 22,000 financial entities and ICT third-party service providers within the EU. The entities that fall under the scope of DORA must comply with its requirements from January 17, 2025. Furthermore, the Regulatory Technical Standards (“RTS”) will provide financial entities with detailed guidance on the implementation of DORA requirements. Although it may take time for the European Commission to adopt the final draft RTS, financial entities should already be planning their implementation of DORA and conducting a gap analysis of their current ICT risk management policies, procedures, protocols and tools against DORA. It is important to identify in good time any areas that require additional investment and prioritization. In the next section, we dig deeper into the four key areas of DORA to simplify compliance for financial entities.
How to apply DORA?
To begin with, DORA requirements will be applied according to the principle of proportionality, meaning that a financial entity’s size, the nature and scale of its operations, and its overall risk profile must be taken into account. In other words, proportionate application of the requirements ensures that higher digital operational resilience does not come at a disproportionate economic cost. For instance, micro-enterprises will benefit from the proportionate application of the requirements on ICT risk management, digital operational resilience testing, reporting of major ICT-related incidents and oversight of critical ICT third-party service providers. Secondly, the draft RTS issued by the European Supervisory Authorities (“ESAs”) – the European Banking Authority (“EBA”), the European Insurance and Occupational Pensions Authority (“EIOPA”) and the European Securities and Markets Authority (“ESMA”) – draw on leading industry practices and standards. Moreover, the ESAs take a technology-neutral approach and do not refer to specific products or technologies in the draft RTS.
Compliance with DORA can be divided into four main pillars: (1) ICT risk management framework and governance, (2) ICT-related incidents, (3) digital operational resilience testing, and (4) ICT third-party risk management.
(1) ICT risk management framework and governance
According to DORA, the management body bears ultimate responsibility for managing ICT risk, and must approve the ICT risk management framework, the ICT business continuity policy and the policy on arrangements for the use of ICT services provided by ICT third-party service providers. Financial entities will be required to adopt a comprehensive and well-documented ICT risk management framework which must contain at least the strategies, policies, procedures, ICT protocols and tools necessary to adequately protect all information assets and ICT assets. Financial entities may reuse and align their existing documentation with what DORA and its RTS require. Furthermore, when drafting the RTS, the ESAs considered existing international and European standards on ICT risk management, such as the EBA Guidelines on ICT and security risk management, the EIOPA Guidelines on ICT security and governance and the NIS2 Directive. Moreover, the existing sectoral EU regulatory framework will be assessed and amended to align with DORA and its RTS. As part of the framework, financial entities must also put in place ICT security awareness programmes and digital operational resilience training for all employees, including the members of the management body.
(2) ICT-related incidents
DORA requires financial entities to establish a consistent incident management process covering the detection, classification, management and notification of ICT-related incidents in accordance with the respective RTS. Furthermore, financial entities will be required to report major ICT-related incidents to the competent authorities and submit:
- an initial notification;
- an intermediate report as soon as the status of the original incident has changed significantly;
- a final report when the root cause analysis has been completed.
This means that financial entities need to improve their ability to collect, analyze and communicate information concerning ICT-related incidents and cyber threats. It is important to bear in mind that, to eliminate potentially duplicative reporting obligations, the incident reporting provisions of PSD2 cease to apply to payment service providers in respect of operational or security payment-related incidents. Payment service providers will therefore report such incidents under DORA rather than PSD2.
(3) Digital operational resilience testing
Under DORA, financial entities must adopt a robust and comprehensive digital operational resilience testing programme for the purpose of identifying weaknesses, deficiencies and gaps in their digital operational resilience. When deciding on the type and frequency of testing to be performed, financial entities should properly balance the objective of maintaining high digital operational resilience against the available resources and their overall risk profile. Certain financial entities, to be identified by the competent authorities, must carry out advanced testing by means of threat-led penetration testing (TLPT) at least every three years. DORA also requires financial entities to bring the ICT third-party service providers that support their critical or important functions within the scope of such advanced testing. All issues revealed by these tests must be addressed in accordance with the financial entity’s procedures and policies.
(4) ICT third-party risk management
DORA states that financial entities remain fully responsible for compliance with DORA and financial services law in respect of their contractual arrangements for the use of ICT services. DORA also sets out specific requirements that must be incorporated into contractual arrangements with ICT third-party service providers. In addition, financial entities must adopt a policy on ICT third-party risk and maintain a register of information covering all contractual arrangements for the use of ICT services provided by ICT third-party service providers.
Compared to the EBA Guidelines on outsourcing arrangements, the scope of DORA is broader: it covers all contractual arrangements for ICT services, of which outsourcing arrangements are only a subset. The EBA has already communicated that its guidelines on outsourcing will be updated to take DORA into account. Even if a financial entity currently complies with the existing guidelines on outsourcing, it must assess all of its third-party arrangements, including contracts that were not considered to be outsourcing, to ensure compliance with DORA.
Final remarks
The purpose of DORA is to establish a harmonized regulatory framework for the digital operational resilience of financial entities operating in the EU. The Regulation fills gaps and remedies inconsistencies in prior legal acts, including the rules on ICT risk management capabilities, incident reporting, operational resilience testing and ICT third-party risk monitoring. Furthermore, DORA is expected to contribute to the stability of the financial sector, increase supervisory effectiveness and improve consumer protection. As DORA applies to all authorized and registered financial entities, with limited exceptions, those entities must comply with DORA by January 17, 2025. To assist you in your compliance journey, we have provided an overview of the four pillars of DORA in the previous section. We recommend that financial entities start a gap analysis of their existing ICT risk management practices against DORA now, in order to identify shortfalls and develop detailed implementation plans. If your organization requires further guidance on DORA, Eris Law Advokatbyrå AB offers legal advisory services for compliance with DORA and other EU regulations in the financial sector.
Sources:
ESMA (2024) ESAs publish first set of rules under DORA for ICT and third-party risk management and incident classification. Available at https://www.esma.europa.eu/press-news/esma-news/esas-publish-first-set-rules-under-dora-ict-and-third-party-risk-management
European Commission (2020) Digital finance package. Available at https://finance.ec.europa.eu/publications/digital-finance-package_en
European Commission (2022) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector. Available at https://eur-lex.europa.eu/eli/reg/2022/2554/oj
European Commission (2023) DORA – safeguarding the resilience of finance. Available at https://www.eiopa.europa.eu/document/download/e64b56d7-f02f-443f-9dcc-92b207d8a9a2_en?filename=joint_esas_dora_event-european_commission_slides.pdf
European Commission (2020) Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52020PC0595
European Commission (2020) Commission Staff Working Document Impact Assessment Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020SC0198
EY (2023) Digital Operational Resilience Act (DORA): Are you prepared for application from 2025? Available at https://www.ey.com/en_lu/digital/digital-operational-resilience-act–dora-
EY (2023) How will DORA impact the financial sector? Available at https://www.ey.com/en_lu/wealth-asset-management/luxembourg-market-pulse/how-will-dora-impact-the-financial-sector-
FI (2023) Report: Control over outsourced operations of financial companies. Available at https://www.fi.se/sv/publicerat/rapporter/rapporter/2023/kontroll-over-finansiella-foretags-utlagda-verkehsamt/
IBM (2023) What is the Digital Operational Resilience Act (DORA)? Available at https://www.ibm.com/topics/digital-operational-resilience-act
Deloitte (2023) What can we expect from the Digital Operational Resilience Act? Available at https://www2.deloitte.com/nl/nl/pages/risk/articles/digital-operational-resilience-act.html