DORA: Count down to compliance date

The EU Digital Operational Resilience Act (DORA) entered into force on 16 January 2023, marking the beginning of a 24-month period in which financial entities must adapt their operations to meet DORA's detailed requirements. As we are halfway through this 24-month period, it is good to focus on several of DORA's key requirements which have raised several important questions. In general, a financial entity will use somewhere between a dozen and several hundreds or even more ICT services, depending on its activities, size and complexity. Therefore, DORA is highly relevant for financial entities.

DORA's key obligations for financial entities can be divided into five categories: (i) ICT risk management framework, (ii) ICT incident management, classification and reporting, (iii) digital operational resilience testing, (iv) managing of ICT third-party risk and (v) information sharing arrangements.

We will discuss DORA's scope, addressing which parties are included and which are exempt (for now). Are any parties subject to a substantially lighter regime? What does proportionality entail in DORA? What are the core obligations causing the most material impact? We will also address the limited use of proportionality. Subsequently, we will delve into the requirements relating to the ICT risk management framework and ICT third-party risk management. We will not address the topics ICT incident management, classification and reporting; digital operational resilience testing; and information sharing arrangements.

As DORA is not the first legislation addressing third-party risk management for financial entities, we will specifically address to which extent compliance with adjacent legislation mitigates its impact.  This includes the EBA outsourcing guidelines, EIOPA guidelines on outsourcing to cloud service providers, BRRD/IRRD and SRB Expectations for Banks.

DORA's Scope

DORA governs the prevention and management of ICT risks by financial entities.  These risks arise from ICT services provided by ICT third-party and in-house service providers. DORA defines ICT services as "digital and data services provided through the ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which include the provision of technical support via software and firmware updates by the hardware provider, excluding traditional analogue telephone services."

Financial entities

DORA defines financial entities as EU regulated financial entities, such as credit institutions, payment institutions, electronic money institutions, investment firms, insurers and reinsurers, pension funds, crypto-asset service providers, fund managers and insurance intermediaries. Under specific circumstances, DORA also applies to third parties providing critical ICT services to financial entities, such as cloud service providers.

Exemptions

Only one category of financial entities benefits from a broader exemption under DORA: insurance intermediaries and reinsurance intermediaries qualifying as micro, small or medium-sized enterprises. This category includes all such intermediaries with fewer than 250 employees. They must also have an annual turnover below EUR 50 million or a balance sheet below EUR 43 million or both. In addition, alternative investment funds operating under the registration regime, investment firms not licensed under MiFID II, and certain smaller insurers and occupational pension funds with fewer than 15 members, do not fall within DORA's scope.

Currently not within DORA's scope

Licensed entities whose licences are solely based on national Member State legislation do not fall within DORA's scope. For the Netherlands this includes entities such as consumer credit companies, and advisors and intermediaries in financial products and services, other than insurance and reinsurance products. These licensees do not have a legal basis in EU legislation. Such Dutch national licensed entities should monitor whether they will become subject to equivalent future national legislation or guidance issued by the national regulator. The Dutch Authority for the Financial Markets recently hinted in this direction (AFM report).

Proportionality

DORA's Article 4 provides financial entities with a legal basis to implement DORA's requirements according to the principle of proportionality, considering the financial entities' size, risk profile, nature, scale and complexity of their activities. However, it does not clarify what this entails and how financial entities can apply proportionality while being compliant with the requirements applicable to them.

In addition, micro enterprises (i.e. fewer than ten employees; and a balance sheet or annual turnover below EUR two million or both) are exempt from some of the specific requirements. Nevertheless, such micro enterprises must still comply with DORA.

One of the key areas in which DORA applies proportionality in a meaningful manner is in Article 16 (Simplified ICT risk management framework). Small non-interconnected investment firms, electronic money institutions and payment institutions operating under an exemption do not need to comply with the detailed requirements on ICT risk management set out in Articles 5 to 15 of DORA. They also do not require an elaborate ICT third-party risk management policy and strategy (Article 28). Instead, these companies need to comply with the limited requirements set out in Article 16. However, we conclude that most EU financial entities will need to fully comply with DORA.

Another aspect relating to proportionality is that several of DORA's requirements are subject to delegated legislation, covering topics such as risk management, contractual clauses, reporting requirements on ICT incidents and the ICT third-party risk policy. With respect to several of these topics, DORA instructed the European Supervisory Authorities (ESAs) to apply proportionality when drafting these technical standards, considering aspects such as the financial enterprise's size and overall risk profile, and the nature, scale and complexity of its services. However, in the final draft technical standards published by the ESAs on 17 January 2024 (EBA Press Release January), the level of proportionality appears to be limited. The same applies to the second batch of regulatory technical standard published as first drafts on 8 December 2023 (EBA Press Release December).

ICT risk management framework

All financial entities need to have in place an elaborate system of processes, controls, digital operational resilience strategies, policies and procedures, ICT protocols and tools to manage their ICT risks. These measures, which together form the DORA risk management framework, need to address aspects such as governance and organisation; ICT risk management framework; ICT systems, protocols and tools; identification; protection and prevention; detection; response and recovery; backup policies, restoration and recovery; learning and evolving; and crisis communication plans (Articles 5 to 14 of DORA). Detailed rules on this framework will be laid down in Regulatory Technical Standards. From a high-level perspective, this framework envisages the following four objectives.

Governance

Financial entities have to ensure ICT risk management is embedded in their internal governance and control framework. Ownership and active involvement at board level is required, particularly when implementing all arrangements related to the ICT risk management framework.

Oversight on own ICT landscape

A financial entity must ensure its ICT landscape and the individual elements it consists of are identified and mapped against the organisation's business functions and critical functions. DORA defines critical functions as: "a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law". The following aspects should be identified, classified, described and documented in sufficient detail:

• all ICT supported business functions, roles and responsibilities (Article 8(1) DORA);
• all information assets and all ICT assets supporting those business functions and their roles and dependencies in relation to ICT risk (Article 8(1));
• all information assets (i.e. sets of information) and ICT assets (i.e. software or hardware assets that are part of its information system) used to support critical or important functions (Article 8(4) DORA);
• all business functions dependent on ICT third-party service providers, particularly services providers supporting critical or important business functions (Article 8(5) DORA);
• a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers (Article 28(3) DORA).
  
  

Identifying and detecting ICT risk

Financial entities must identify ICT risk they are exposed to. To do so, financial entities need to comply with the following requirements on an ongoing basis and periodically update and, where required, test the effectiveness of these measures.

• Catalogue all sources of ICT risk, cyber threats and ICT vulnerabilities relevant to those business functions, information assets and ICT assets (Article 8(2) DORA).
• Conduct annual or more frequent ICT risk assessments on all legacy ICT systems (Article 8(7) DORA).
• Monitor and control the security and functioning of ICT systems continuously and apply adequate ICT security measures, policies and procedures (Article 9(1) DORA).
• Set up mechanisms capable of promptly detecting anomalous activities, including performance issues and ICT incidents, and where possible, identifying potential single points of failure (Article 10(1) DORA).
• Conduct a business impact analysis (BIA) of their exposures to severe business disruptions. A BIA needs to assess the potential impact of severe business disruptions by means of quantitative and qualitative criteria, using internal and external data and scenario analysis, as appropriate (Article 11(5) DORA).
  
  

ICT incident response

Financial entities have to ensure they are positioned to respond immediate and effectively to any ICT incidents they may face. This requires the following to be in place:

• A comprehensive ICT business continuity policy and associated ICT response and recovery plans, duly implemented in the organisation, aimed at ensuring the continuity of the financial entity's critical or important functions and ensuring a quick, appropriate and effective response to resolve all ICT-related incidents (Article 11 (1 and 4) DORA);
• A network connections infrastructure designed in a way that allows it to be instantaneously severed or segmented to minimise and prevent contagion (Article 9(4) DORA).
• A crisis management function in charge of managing internal and external crisis communication (Article 11 (7) DORA).
  
  

ICT third-party risk management and contractual requirements

DORA impacts all contractual relationships a financial entity has with its ICT service providers: irrespective of whether such a contractual relationship qualifies as outsourcing or whether such relationship concerns a critical or important function. DORA also covers all intra group ICT arrangements. Financial entities need to designate a person, such as a member of senior management, to monitor the ICT contracts with ICT third-party services providers, particularly the related risk exposure and relevant documentation (Article 5(3) DORA).

Moreover, financial entities need to adopt, and regularly review, a strategy to adequately manage ICT third-party risk. The strategy on ICT third-party risk must include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. Financial entities also need to keep an up-to-date and detailed register of all ICT third-party contractual arrangements. Such contractual arrangements need to be appropriately documented and must specify whether the ICT service supports critical or important functions. The register has to be shared with regulators upon their request (Article 28(3) DORA).

More detailed requirements on the contents of the policy on the use of ICT services and on the register of ICT third-party contracts, including templates for the register, will be laid down in Regulatory Technical Standards and Implementing Technical Standards. The draft Implementing Technical Standards, specifying the requirements on the ICT contract Register, require up to 100 or more data points for each ICT contract, substantially more than required for the register under EBA outsourcing guidelines.

In addition, financial entities should ensure that each of their ICT contracts includes the detailed contractual minimum provisions required by Article 30 of DORA (Key contractual provisions). These include provisions such as termination rights, designation of data processing locations, requirements on detailed description of services and guarantees relating to access to business premises by regulators, and requirements on recovery in case of failures in service provision.

With respect to ICT contracts supporting critical or important functions, additional contractual requirements need to be in place. Financial entities need to ensure that each ICT contract contains adequate and detailed audit rights and termination rights. They also need to ensure exit arrangements are established. Also, before entering into an ICT contract supporting critical or important functions, financial entities need to successfully complete a risk assessment and inform their regulator (Article 28(4) DORA).

Each of the above aspects has to be sufficiently addressed, not only in the existing outsourcing policies, but also in procurement policies and procedures. As mentioned, DORA is not limited to ICT outsourcing agreements but concerns all ICT contracts.

Overlap with existing outsourcing legislation

Existing EU legislation and national legislation already requires several categories of financial entities, such as banks, payment institutions, insurers, pension funds, fund managers and investment firms, to include specific minimum contractual provisions in their material outsourcing agreements including material ICT outsourcing agreements. Such institutions need to be aware that the requirements DORA sets out for ICT contracts are not merely additions or enhancements to already existing requirements.

Existing regulations on outsourcing only create obligations applicable to a part of an institution's ICT contract portfolio. Even when an institution correctly and fully complies with those existing requirements, it still needs to close a very wide gap to become compliant with DORA. In other words, the impression that financial entities already complying with existing regulations on outsourcing will only need to take limited action to become fully compliant with DORA is incorrect.

There are two reasons for this. First, DORA's scope is much broader than that of existing sectoral requirements for outsourcing, such as the EBA outsourcing guidelines. These existing regulations apply to outsourcing arrangements only or may even be limited to outsourcing arrangements qualifying as critical or important outsourcing arrangements. The DORA requirements apply to all ICT contracts, regardless of whether these qualify as outsourcing or the generic provision of ICT services. Second, although there is some overlap in the mandatory contractual requirements in topics covered, DORA has several requirements not covered by other existing legislation. In addition, even where there is an overlap, in several cases DORA sets out more detailed or stricter requirements than the equivalent requirements in other legislation. An important point of attention are the detailed contractual requirements governing subcontracting by ICT service providers.

In other words, existing legislation only covers a small set of the ICT contract portfolio of a financial entity. ICT contracts not qualifying as outsourcing are generally not in the scope of existing legislation. Only part of the key requirements addressed by DORA will be covered if a financial entity has fully implemented the EBA outsourcing guidelines or equivalent existing legislation. Even then, existing ICT outsourcing arrangements will not contain all mandatory clauses required by DORA. Financial entities, not already in the scope of the EBA outsourcing guidelines or equivalent existing legislation, will need to remediate their entire ICT contract portfolio.

Key actions and recommendations

To be compliant with DORA requirements discussed in this update, financial entities need to take the following steps as a minimum. The condensed version of these steps are for this high-level overview and by no means constitute a complete checklist. Each of these requirements is subject to more detailed guidance and sub-requirements. We would be glad to help you navigate these requirements and prepare for DORA.

Identification of ICT services and business functions

• Identify all internal and external ICT services supporting the business and keep track of them in an up-to-date inventory or database.
• Identify all ICT information assets and ICT business assets in the organisation and keep track of them in an up-to-date inventory or database.
• Compose a database, containing all ICT services, taking into account the minimum data requirements under DORA.
• Identify all business functions with sufficient level of granularity and keep record of them, e.g. by maintaining an up-to-date inventory or database.
• Implement a definition of critical or important (business) functions, suitable for the business and complying with the DORA definition and, based on this, identify which of their business functions constitute "critical or important functions".
  
  

  Contract remediation

• Centralise all IT contracts and determine which of these support critical or important functions.
• Analyse all IT contracts and identify gaps against the DORA requirements for ICT contracts.
• Compose a sufficiently detailed action plan, including timelines for remediation of identified gaps in ICT contracts.
  
  

  Governance and risk management

• Compose an ICT risk strategy or update existing ICT risk strategy, considering the minimum requirements of DORA, including ownership of ICT risk at board level and substantial involvement of the board in the set up, implementation, monitoring and updating of this ICT risk strategy and ICT risk management framework.
• Compose and update existing IT policies, including ICT business continuity policies, ICT response and recovery policies, outsourcing and procurement policies to adequately cover the relevant key requirements of DORA.
• Compose an ICT risk catalogue.
• Implement all the required operational safeguards required by DORA such as detection mechanisms for the early detection of ICT anomalous activities, such as network performance issues and ICT-related incidents.

DORA and the various related regulatory and implementing technical standards are highly technical and layered legislation; interpreting and implementing DORA is a challenging exercise. We would be glad to support you in this challenge.

For more information on DORA, please do not hesitate to contact Berry van Wijk, Thomas de Weerd or Juan Vervuurt.