Micro and small enterprises are targeted by cybercriminals as much as their larger counterparts, yet many remain unprepared due to a lack of resources, budgets, and skills. The use of ICT third-party service providers, broader interconnectedness, and higher interdependencies between systems in the financial sector make micro and small enterprises more vulnerable to cyberattacks. Hence, compliance with the Digital Operational Resilience Act (DORA) is critical for micro and small enterprises, as it presents an opportunity to enhance their operational resilience, build trust, and navigate the digital landscape with greater confidence. The requirements of DORA are based on the principle of proportionality, meaning micro and small-sized enterprises are subject to fewer obligations than larger enterprises but must still comply with key elements of DORA.
In this article, we summarise the key articles of DORA that apply to micro and small enterprises under each of its pillars, including the exemptions available to them.
Scope of exemptions
According to DORA, the following financial entities are subject to lighter requirements or exemptions for reasons associated with their size or the services they provide:
(1) Microenterprises, defined as financial entities, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employ fewer than 10 persons and have an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million;
(2) Small and non-interconnected investment firms defined in Article 12(1) of the Investment Firms Regulation;
(3) Payment institutions exempted pursuant to Articles 32 and 33 of the second Payment Services Directive;
(4) Institutions exempted pursuant to Articles 129 and 130 of the Capital Requirements Directive;
(5) Electronic money institutions exempted pursuant to Article 9 of the Electronic Money Directive;
(6) Small institutions for occupational retirement provision exempted pursuant to Article 5 of the Institutions for Occupational Retirement Provision Directive.
Pillar 1: ICT risk management framework
All financial entities listed from (2) to (6) are subject to a simplified ICT risk management framework, meaning Articles 5 to 15 of DORA do not apply. The simplified framework focuses on essential areas necessary to ensure the confidentiality, integrity, availability, and authenticity of their data and services, as detailed in the Draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework.
However, microenterprises are subject to the comprehensive ICT risk management framework and are exempted only from certain requirements. Firstly, microenterprises are not obligated to assign a role to monitor arrangements with ICT third-party service providers or to assign responsibility for managing and overseeing ICT risk to a control function. They are also not required to have a crisis management function in the event of ICT business continuity, response, and recovery plan activation. In terms of auditing, microenterprises are exempt from internal audits of the ICT risk management framework and ICT response and recovery plans.
Furthermore, microenterprises are exempt from conducting risk assessments upon major changes in the network and information system infrastructure and from risk assessments on legacy systems. Lastly, they are not required to notify competent authorities about changes implemented following post-incident reviews of ICT-related incidents, or to estimate the aggregated annual costs and losses caused by major ICT-related incidents.
Pillar 2: ICT-related incident management, classification and reporting
All financial entities, regardless of size, are required to adopt ICT-related incident management processes to detect, manage, and notify ICT-related incidents. All such incidents and significant cyber threats must be recorded, monitored, and followed up on to prevent their recurrence.
Moreover, financial entities must classify ICT-related incidents and determine their impact based on the following criteria:
- the number and/or relevance of clients or financial counterparts affected;
- the amount or number of transactions affected;
- the reputational impact;
- the duration of the ICT-related incident, including the service downtime;
- the geographical spread;
- the data losses in relation to availability, authenticity, integrity or confidentiality of data;
- the criticality of the services affected;
- the economic impact.
Fortunately, the principle of proportionality is embedded in the threshold set for each criterion in the Draft RTS on classification of major incidents and significant cyber threats. The thresholds are set at levels that smaller enterprises are unlikely to reach, so fewer of their incidents will qualify as major. Additionally, all financial entities listed from (1) to (6) are exempt from reporting recurring incidents to the competent authorities.
Pillar 3: Digital operational resilience testing
The financial entities listed from (1) to (6) benefit from a flexible regime in relation to digital operational resilience testing programmes. The type and frequency of testing must balance the objective of maintaining high resilience with available resources. Furthermore, these entities are exempt from the requirement to perform advanced testing based on threat-led penetration testing.
Pillar 4: Third-party risk management
The requirement to maintain a register of information on all contractual arrangements with ICT third-party service providers applies to all financial entities regardless of their size. The register of information must be maintained in accordance with templates and instructions set out under the Draft ITS on Register of Information. Legislators note that micro and small enterprises are likely to rely on fewer ICT third-party service providers, thus having less information to report compared to larger entities. The register must be submitted annually to the relevant authorities.
In relation to contractual arrangements, financial entities, taking into account the principle of proportionality, must include key contractual provisions pursuant to Article 30 of DORA. With regard to subcontracting, financial entities must assess whether and how long and complex chains of subcontracting may impact their ability to fully monitor the contracted functions and set out conditions for subcontracting.
Financial entities listed from (1) to (6) are exempt from the requirement to adopt a strategy on ICT third-party risk. Additionally, they are allowed to delegate their rights of access, inspection, and audit to an independent third party, provided they can request relevant information and assurance on the service provider’s performance from that third party at any time.
Final remarks
The EU DORA is essential for micro and small enterprises in enhancing their cybersecurity posture, operational resilience and consumer trust. The proportionality embedded in DORA allows smaller enterprises to comply with the regulatory framework without overwhelming their resources, while still maintaining critical safeguards. If your organization requires assistance on its compliance journey, Eris Law Advokatbyrå AB specializes in guiding micro and small enterprises through hands-on support in interpreting the legal obligations, drafting policies, simplifying reporting processes and managing third-party risks, including exercising your rights to access, inspect and audit third-party service providers.