News Update IT & Cybersecurity
16 January 2023
The Digital Operational Resilience Act ("DORA") entered into force on 16 January 2023. Financial entities now have 24 months to become fully compliant. On 28 November 2022, the Council of the EU adopted this new EU regulation as part of the Digital Finance Package ("DFP").
DORA is designed to consolidate and upgrade ICT risk management requirements throughout the financial services sector to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risks for their operations. DORA will, for the first time, bring rules addressing ICT risk in finance together into one single legislative act.
In this News Update, we discuss the impact of DORA and consider its implications for organisations in the financial services sector.
What is DORA?
DORA creates a regulatory framework around operational resilience and cybersecurity for organisations operating in the financial services sector across the EU. It aims to establish uniform requirements for the security of network and information systems of organisations operating in the financial sector and of critical third parties that provide ICT-related services, such as cloud platforms or data analytics services. The definition of 'ICT' under DORA is rather broad, so it includes digital and data services provided through ICT systems. DORA is therefore a significant regulatory development for a broad range of financial services companies, as well as for ICT service providers providing services to the financial services sector.
DORA is part of the DFP, which aims to develop a harmonised European approach to digital finance that fosters technological development and ensures financial stability and consumer protection. Besides DORA, the DFP includes legislative proposals on markets in crypto-assets (MiCA), distributed ledger technology and a digital finance strategy.
Who needs to comply with DORA?
DORA will apply to financial entities including insurance and reinsurance companies, pension funds (IORPs), credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, UCITS and AIF fund managers and insurance intermediaries ("Financial Entities"). DORA also applies to ICT third-party service providers providing services to Financial Entities.
Furthermore, ICT third-party service providers that are designated as "critical" for Financial Entities are subject to oversight from the Joint Committee (i.e. the European Banking Authority ("EBA"), the European Securities and Markets Authority ("ESMA") and the European Insurance and Occupational Pensions Authority ("EIOPA"); EBA, ESMA and EIOPA are together referred to as the "ESAs"). Whether an ICT third-party service provider is in fact "critical" depends on all of the following criteria:
- the systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant ICT third-party service provider would face a large-scale operational failure to provide its services;
- the systemic character or importance of the Financial Entities that rely on the relevant ICT third-party service provider;
- the reliance of Financial Entities on the services provided by the relevant ICT third-party service provider in relation to critical or important functions of Financial Entities that ultimately involve the same ICT third-party service provider; and
- the degree of substitutability of the ICT third-party service provider.
Key obligations
DORA contains obligations relating to the following five key pillars:
- ICT risk management requirements: Financial Entities must have a resilient ICT risk management system in place, including a business continuity policy and a disaster recovery procedure, in order to keep pace with a quickly evolving cyber threat landscape and to better align Financial Entities' business strategies with the conduct of ICT risk management. At the same time, the Financial Entities' management bodies bear ultimate responsibility for managing the Financial Entity's ICT risk, which requires the continuous engagement of the management body in controlling and monitoring ICT risk management;
- ICT-related incident management, classification and reporting: Financial Entities must implement an ICT-related incident management process, including early warning indicators, to detect, manage and notify ICT-related incidents, thereby creating a consistent incident reporting mechanism;
- Digital operational resilience testing: Financial Entities must establish a comprehensive digital operational resilience testing programme. This programme should be proportionate to the institution's size, business and risk profile. Furthermore, some Financial Entities are required to test their ICT tools, systems and processes at least every three years using penetration tests;
- Management of ICT third-party risk: Financial Entities must manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework. This entails, among other things, that the contracts governing the relationship will be required to contain certain contractual elements, such as an indication of the locations where data is to be processed and a description of services and guarantees for access, recovery and return in case of failures. The contractual requirements in DORA are closely aligned with the EBA guidelines on outsourcing arrangements, but include some additions. ICT third-party service providers must meet minimum requirements and adhere to additional requirements when providing certain outsourcing services; and
- Information sharing arrangements: DORA contains provisions which facilitate the sharing by Financial Entities of cyber threat information and intelligence, including tactics, techniques, procedures and cyber security alerts, to enhance digital operational resilience across the sector. All voluntary information sharing arrangements between Financial Entities promoted by DORA would be conducted in trusted environments in full respect of EU data protection rules, such as the GDPR.
Relationship with NIS2
The Network and Information Security Directive 2 ("NIS2 Directive") aims to strengthen security requirements and provide further harmonisation of Member States' security laws. NIS2 sets out cybersecurity risk management and reporting obligations for relevant organisations, as well as obligations on cybersecurity information sharing. There is therefore an overlap in coverage with DORA, as DORA stipulates such obligations as well. NIS2 specifically states that NIS2 continues to apply to Financial Entities and ICT third-party providers, with DORA building thereon and addressing certain overlaps via the lex specialis exemption.
More information on the new NIS2 Directive can be found in our News Update here.
Following the formal approval by the Council of the EU, DORA was published on 27 December 2022 and entered into force on 16 January 2023. Financial Entities need to comply with DORA from 16 January 2025, leaving them with a two-year period to become fully compliant.