Facts:
· On 28 November 2022 the Council of the EU confirmed the adoption of the Digital Operational Resilience Act (DORA).
· DORA sets uniform requirements for the security of the network and information systems of companies and organizations operating in the financial sector, as well as of critical third parties that provide ICT (Information and Communication Technologies)-related services to them. The core aim is to prevent and mitigate cyber threats.
· The new rules apply to all companies providing financial services, including credit institutions, payment institutions, investment firms, management companies, insurance and reinsurance companies, and ICT third-party service providers (hereinafter “financial entities”).
· The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will develop technical standards for all financial entities to abide by, from banking to insurance to asset management.
What are the DORA novelties?
1. Risk management
Financial entities are required to have in place an internal governance and control framework that ensures effective and prudent management of ICT risk. DORA explicitly states that the management body of the financial entity bears the ultimate responsibility for managing the financial entity’s ICT risk. The management body shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework. In this regard, financial entities are required to put in place a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.
2. ICT security
Security requirements form the bulk of the requirements introduced by DORA. Financial entities are required to establish policies, procedures and protocols to ensure the security, resilience and continuity of their IT systems.
3. Learning and evolving (through mandatory training)
Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall apply to all employees and to senior management staff and shall have a level of complexity commensurate with the remit of their functions. There are further specific requirements for the members of the management bodies, who need to actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis.
4. Incident reporting
Financial entities are required to report major ICT-related incidents to their designated authority. The reporting requirements include an initial notification and subsequent reports within extremely short time frames, submitted through standardized templates.
5. Testing
For the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures, financial entities are required to establish, maintain and review a sound and comprehensive digital operational resilience testing programme. The tests must be carried out by independent parties, whether internal or external.
6. ICT third-party service providers
Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards. What this means in practice is that financial entities must carefully assess each ICT third-party service provider and enter into relations cautiously, as DORA introduces significant new requirements. For example, DORA introduces new key contractual provisions that must be included in contracts with ICT third-party service providers. As a further step, financial entities are required to adopt a dedicated ICT third-party risk strategy.
7. Sharing information about cyberthreats
Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. This can be achieved through the conclusion of information-sharing arrangements. Although sharing information about cyber threats seems useful, it needs to be done cautiously, as the sharing must comply with the data protection framework, which may lead to additional complications.
How to prepare for DORA?
It will be crucial for all financial entities to adopt a proactive and informed approach by carrying out preparatory activities that will enable them to determine the actual impact of DORA on their organization and thus not be vulnerable when DORA enters into force. As a starting point, those activities may include:
- Gap analysis of the ICT risk management framework
- Review of the incident reporting mechanisms
- Evaluation of ICT third-party service providers and of the procedures for concluding agreements with them
- Evaluation of how well your management and employees know DORA and how well prepared personnel are for a cybersecurity incident
How long does my business have to prepare for DORA?
After DORA's entry into force, financial entities have 24 months to comply with its new rules and requirements. Realistically, this means that at the beginning of 2025 DORA will apply in full force.
Don’t delay action
The time frame seems deceptively long, but given the large array of legal, organizational and technological measures, as well as the possible significant changes in internal systems, processes, rules and procedures, two years may turn out to be woefully insufficient if timely actions are not taken.
What are the possible consequences if my business does not take actions for compliance with DORA?
The competent authorities shall have all required supervisory, investigative and sanctioning powers to ensure proper compliance with the DORA requirements. Member States shall lay down specific sanctions, including monetary ones, at national level for any breaches of DORA. The administrative penalties and remedial measures may lead to serious legal, monetary and reputational consequences, not to mention the distrust of clients and/or partners. It would therefore be better for any business to take appropriate measures ahead of time instead of finding out first-hand what the breaches would cost.