The 2020s have been a whirlwind of disruption and accelerated digitalization.
In the context of increased cyber risks, heavy dependence on technologies and accelerated advancement of digital tools and assets, the final approval of DORA has been welcomed by financial services players.
A refresher on DORA’s back story
In the aftermath of the financial crisis, the European Commission has been strengthening the financial resilience of the EU financial sector, adopting measures aimed at increasing capital resources and liquidity of financial entities, as well as reducing market and credit risks. For over a decade, Information and Communication Technologies (ICT) risks were indirectly or partially addressed in an uncoordinated way from the different financial supervisors in Members States. Inconsistency in approaches not only led to the proliferation of diverging regulatory initiatives but also to duplicated rules set out in the 2016 Network and Information Systems (NIS) Directive1, in particular for incident notification, security requirements and testing. In response and after consultation, the digital finance package2 was adopted on 24 September 2020 by the European Commission, containing within it a digital finance strategy and legislative proposals on crypto-assets3 and digital resilience.
What is DORA and to whom is it relevant?
The Digital Operational Resilience Act (DORA4), formed one element of this package, and is the latest addition coming out of the pipeline of regulations. Published on 27 December 2022, it provides consistent rules addressing digital operational resilience needs of all regulated financial entities and establishes an oversight framework for critical ICT third-party providers (CCTPs). The main pillars are:
- ICT risk management
- ICT related incident reporting
- Resilience testing
- ICT third-party risk
- Information sharing
A set of rules has been defined and they are spread over six sections:
- Covering existing typical requirements on ICT governance and ICT risk management (Chapter II) and ICT-related incident reporting (Chapter III)
- Introducing new requirements for digital testing (Chapter IV), information sharing (Chapter VI) and management of ICT third-party risks (Chapter V)
- Providing financial supervisors with the tools to fulfill their mandate to contain financial instability stemming from those ICT vulnerabilities (Chapter VII)
DORA rules are based on the principle of proportionality
Many market participants will be impacted by DORA, including traditional financial sector entities such as credit institutions, trading venues and clearing houses, investment firms, UCITS management companies, alternative fund managers (AIFMs), insurance companies, payment institutions, electronic money institutions, as well as crypto-asset service providers (CASPs), issuers of crypto-assets and issuers of asset-referenced tokens5.
While the rules cover all financial entities, their applicability will depend on the size of the entity, its activity and the overall risk to which it is subjected. Micro-enterprises will benefit from this flexibility and will be subject to proportionate application of requirements on ICT risk management, digital resilience testing, reporting of major ICT-related incidents and oversight of critical ICT third-party service providers.
Key takeaways of the DORA Regulation
Emphasizing the importance of full responsibility management and accountability (Chapter II - Art. 5)
The management body is responsible for setting the tone and enforcing the definition and implementation of organizational and technical measures which enable and ensure effective and prudent management of all ICT risks. At the same time, they should play an active role in steering the ICT risk management framework, assigning roles and responsibilities. The management body should be continuously engaged in the control of monitoring ICT risk management as well as in the full range of approval and control processes and the appropriate allocation of ICT investments and training. The members of the management body themselves should, on a regular basis, follow specific training to gain and maintain sufficient knowledge and skills to understand and assess ICT risks and their impact on the operations of the financial entity.
ICT risk management requirements to be fully enforced (Chapter II - Art. 6 - 16)
A key principle is to align financial entities’ business strategy with ICT risk management. Entities should be aligned with the joint European Supervisory Authorities (ESAs) technical advice or other industry standards, such as NIST6 or best practices.
Improving and streamlining ICT-related incident reporting (Chapter III - Art. 17 - 23)
Financial entities shall establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. While incidents should be classified, assessed, and root causes identified, documented and addressed, only – at least – major incidents should be reported to senior management and imperatively to the competent authority. It must be noted that draft regulatory technical standards (RTS) will be developed in order to:
- Establish the content of the reports for major ICT-related incidents in order to reflect the criteria laid down in Article 18(1) and incorporate further elements, such as details for establishing the relevance of the reporting for other Member States and whether it constitutes a major operational or security payment-related incident or not
- Determine the time limits for the initial notification and for each report referred to in Article 19(4)
- Establish the content of the notification for significant cyber threats
Perform digital operational resilience testing at least annually (Chapter IV - Art. 24 - 27)
DORA defines common standards for digital operational resilience testing with the objective to ensure firms are prepared when ICT related incidents happen. Beyond the traditional ICT testing techniques, the testing program should include a full range of appropriate tests, including vulnerability assessments and scans, open-source analyses, network security assessments, penetration testing, and even source code reviews (where feasible).
The DORA suggests and strongly recommends advanced testing of ICT tools, systems and processes based on threat led penetration testing (TLPT), carried out at least every three years. The technical standards to apply, when conducting intelligence-based penetration testing, should be developed by the joint ESAs and are likely to be aligned with the voluntary TIBER-EU7 developed by the ECB.
At the end of the tests, financial entities should communicate agreed reports and remediation plans to the competent authority and should confirm that penetration tests have been performed in accordance with the requirements. The competent authority, in this case, will review, validate and issue an attestation.
Finally, the competent authority should consider proportionate application of this requirement: TLPT will be carried out in a manner proportionate to the size, scale, activity, and overall risk of the financial entity.
Bringing the CCTPs into the game (Chapter V - Art. 28 - 39)
As the overall objective of DORA is to have streamlined and effective governance, CCTPs will become subject to oversight to ensure they do not pose undue operational risks for the financial sector. While recommendations will be issued by the ESAs’ Lead Overseer to the CCTP, national competent authorities (NCAs) will be responsible for following up and taking actions against their supervised financial entities when the recommendations are not addressed by the CCTP. In such cases, the Regulation also gives the competent authorities the right to require the supervised financial entities to temporarily suspend their CCTPs services or to terminate their contracts with that CCTP. Either EBA, ESMA, or EIOPA will be then appointed as Lead Overseer for each identified CCTP. The goal is to ensure that an adequate monitoring of the CCTP is performed but also to avoid a domino effect of the heavily interconnected financial sector. The Lead Overseer will be empowered to request all documentation, conduct inspection and obtain reports and may impose penalty payment (up to 1% of the average daily worldwide turnover of the CCTP in the preceding business year) to compel the CCTP to comply with the before mentioned points.
Aligning with the EBA, ESMA or EIOPA guidelines on outsourcing, DORA requires harmonization of contractual arrangements in terms of establishment (e.g., audit clause, defined roles), maintenance (e.g., reporting, review) and termination (e.g., exit plan, data retention).