On 16 January 2023, the Digital Operational Resilience Act (Regulation (EU) 2022/2554, "DORA") entered into force. This EU legislation sets out requirements for ICT security systems that support business processes of financial entities. DORA consolidates existing legislation and introduces new obligations in the digital operational resilience sector. This means that the requirements laid down in DORA are likely to substantially impact how financial entities arrange the governance of their ICT risks. The financial sector has been given two years to prepare and implement the necessary changes, as DORA will apply from 17 January 2025.

In the run-up to the DORA implementation deadline, the European Supervisory Authorities (ESAs) launched the first batch of policy products for public consultation in June 2023 (the consultation ran until 11 September 2023). This first batch consists of several regulatory technical standards (RTS) and an implementing technical standard (ITS), finalisation of which is expected on 17 January 2024. A second batch of policy products is expected to be published for consultation in November or December 2023, with finalisation expected to follow on 17 July 2024.

Entities in scope of DORA

Financial entities and exemptions

As DORA centralises legislation related to ICT compliance, it applies to almost all types of regulated financial entities recognised by EU law, including credit institutions, payment institutions, investment firms, investment managers and insurance undertakings. However, financial entities with specific characteristics, such as microenterprises, small and non-interconnected firms, and certain entities which benefit from exemptions or are subject to a very light regulatory framework under relevant sector-specific EU law, may be exempt from DORA requirements.

Undertakings providing ICT services in the financial sector

To ensure that counterparties of regulated financial entities in ICT-related contracts are covered, DORA also introduces obligations for undertakings providing ICT services to the financial sector. Furthermore, the ESAs will have to designate certain ICT third‑party service providers as critical based on the service providers' systemic relevance to the financial sector. Critical ICT third-party service providers are subject to an oversight framework of the ESAs.

DORA Rules

Core topics

The purpose of DORA is to establish a high common level of ICT risk requirements to improve the digital operational resilience of the financial sector by establishing uniform and EU-wide requirements. DORA primarily contains rules for financial entities on the following topics:

  • ICT risk management;
  • reporting and notification of major ICT incidents, significant cyber threats, and major operational or security payment-related incidents;
  • digital operational resilience testing;
  • information and intelligence sharing; and
  • management of ICT third-party risk.

Furthermore, DORA sets out requirements for contractual arrangements between ICT third‑party service providers and financial entities, regardless of whether these arrangements qualify as outsourcing. This means that outsourcing relationships, policies relating to outsourcing and third-party contracting frameworks will need to be revisited to see if they are DORA-compliant.

Proportionality

Proportionality is a central principle in the implementation of the rules laid down in DORA. In determining the extent to which certain requirements apply, financial entities are expected to take into account their size, overall risk profile, and the nature, scale and complexity of their services, activities and operations when addressing ICT risk.

For an earlier article on DORA, see this article on De Brauw's website.

New draft ITS and RTS

On 19 June 2023, the ESAs published consultation papers on the first batch of policy documents, which includes the following standards:

1. RTS on ICT risk management framework (Article 15) and RTS on simplified ICT risk management framework (Article 16(3))

These RTS are complementary to the requirements for the ICT risk management framework already set out in Articles 5 to 16 DORA. The RTS set out requirements on: (i) ICT security policies, procedures, protocols and tools, (ii) human resources policy and access control, (iii) ICT-related incident detection and response, (iv) ICT business continuity management, (v) reporting on the ICT risk management framework review, and (vi) proportionality. Although still a consultation draft, we believe that these draft RTS can significantly assist financial undertakings in taking their preparations for DORA to the next, more detailed level.

2. RTS on criteria for the classification of ICT-related incidents (Article 18(3))

Chapter III of DORA requires financial entities to report major ICT-related incidents to the relevant competent authority. They may also, on a voluntary basis, notify significant cyber threats when they deem the threat to be of relevance to the financial system, service users or clients. The RTS further outline how financial entities are to classify ICT-related incidents and cyber threats, as well as the classification approach and materiality thresholds for determining which ICT-related incidents must be reported to the relevant competent authorities.

3. ITS to establish the templates for the register of information (Article 28(9))

As part of their ICT risk management framework, financial entities must maintain and update an information register covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers. The draft ITS proposes harmonised templates for this information register, to be maintained at the individual, consolidated and sub-consolidated level. This will facilitate compliance with the register requirements and the sharing of information with the relevant supervisors.

4. RTS to specify the policy on ICT services performed by ICT third-party providers (Article 28(10))

Financial entities must adopt and regularly review a strategy on ICT third-party risk. The proposed RTS lays down requirements for each phase of the lifecycle of ICT third-party arrangements that financial entities must manage (pre-contractual phase, implementation, monitoring, management and exit strategies).

Consultation on further policy products

Besides this first batch of policy products, the ESAs are expected to publish consultation papers on a second batch of policy products by the end of 2023, with finalisation scheduled for 17 July 2024. This second batch is expected to include the following documents:

  • Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents (Article 11(1));
  • RTS to specify the reporting of major ICT-related incidents (Article 20(a));
  • ITS to establish the reporting details for major ICT-related incidents (Article 20(b));
  • RTS to specify threat-led penetration testing (Article 26(1));
  • RTS to specify the elements to determine and assess when sub-contracting ICT services supporting a critical or important function (Article 30(5));
  • Guidelines on cooperation between the ESAs and CAs (Competent Authorities) regarding DORA oversight (Article 32(7)); and
  • RTS on harmonisation of oversight conditions (Article 41).

Relationship with broader EU framework

DORA is part of a larger European digital finance package that aims to ensure financial stability and consumer protection through technological development. This digital finance package also includes a European digital finance strategy, regulation on markets in crypto-assets (MiCA) and regulation concerning market infrastructures based on distributed ledger technology.

Due to previous policy and legislative initiatives by the EU and national member state governments, DORA provisions overlap with existing regulation. For example, at the European level, material overlap is expected with the provisions of the Network and Information Security Directive (NIS2), the EBA Guidelines on Outsourcing Arrangements, and the EBA Guidelines on ICT and Security Risk Management.

Concluding remarks

Relevant firms would do well to be aware of this potential regulatory overlap, keep on top of the progress of the policy products referred to above, and be well prepared to navigate this rapidly expanding regulatory landscape in the run-up to DORA's applicability date of 17 January 2025, now only 16 months away.