6th Oct 2023
Regulation (EU) 2022/2554 on digital operational resilience (‘DORA’) entered into force on 16 January 2023 and it shall apply as from 17 January 2025.
The DORA is backed by the Amending Directive (EU) 2022/2556 which aligns certain current EU financial services Directives, including the UCITS IV Directive (2009/65/EC), the Solvency II Directive (2009/138/EC), the Alternative Investment Fund Managers Directive (2011/61/EU) (AIFMD), the CRD IV Directive (2013/36/EU), the Bank Recovery and Resolution Directive (2014/59/EU) (BRRD), the MiFID II Directive (2014/65/EU), and the Second Payment Services Directive ((EU) 2015/2366) (PSD2), with the DORA by clarifying and amending them. The Amending Directive (EU) 2022/2556 entered into force on the same day as DORA, and EU member states shall apply national measures to implement it as from 17 January 2025.
The DORA and the Amending Directive (EU) 2022/2556 form part of the Commission’s broader package of reforms on digital finance, the Digital Finance Strategy. In addition to the DORA, the package contained a digital finance strategy, a proposal on markets in crypto-assets (MiCA), and a proposal on distributed ledger technology (DLT).
1. What is the DORA?
The DORA is an EU Regulation whose core aim is to prevent and/or mitigate cyber threats. To achieve this, the DORA sets uniform requirements concerning the security of the network and information systems supporting the business processes of financial entities (as this term is defined below), as well as those of critical third parties which provide Information and Communication Technology (‘ICT’) related services to financial entities, such as cloud platforms or data analytics services.
2. Why was the DORA enacted?
The Union financial sector is regulated by a Single Rulebook and governed by a European system of financial supervision. Despite the above, one gap remains: provisions tackling digital operational resilience and ICT security are not yet fully or consistently harmonised. Disparities resulting from developments envisaged at national level may create further barriers to the functioning of the internal market, to the detriment of market participants and financial stability.
Therefore, the aim of the DORA is to consolidate and upgrade ICT risk requirements as part of the operational risk requirements that have been addressed separately in various Union legal acts. Although major types of financial risk such as credit risk, market risk, counterparty credit and liquidity risk, and market conduct risk were dealt with by previous Union acts, nonetheless, these did not fully address all aspects of operational resilience at the time of their implementation. As a result, the DORA aspires to fill in the gaps or remedy inconsistencies in some of the prior legal acts, including in relation to the terminology used. The DORA explicitly refers to ICT risk and introduces rules on ICT risk-management capabilities, ICT-related incident reporting, operational resilience testing and ICT third-party risk monitoring.
3. Relationship between the DORA and the NIS 2 Directive
The NIS 2 Directive, which replaced the original NIS 1 Directive, aims to increase security requirements and further harmonise member states’ cybersecurity regulations. The NIS 2 Directive applies to some financial entities and, to avoid any overlap with the NIS 2 Directive, the DORA is regarded as lex specialis, i.e. in the case of a conflict, the more specific requirements of the DORA take precedence over the more general provisions of the NIS 2 Directive. However, this does not mean that the NIS 2 Directive obligations are no longer applicable to entities falling within the scope of both pieces of legislation.
4. To which entities does the DORA apply?
The DORA applies, inter alia, to the following entities collectively referred to as ‘financial entities’:
a) credit institutions
b) payment institutions
c) account information service providers
d) electronic money institutions
e) investment firms
f) crypto asset service providers and issuers of tokens
g) central securities depositories
h) trading venues
i) trade repositories
j) managers of alternative investment funds
k) management companies
l) insurance and reinsurance undertakings
m) insurance intermediaries
n) credit rating agencies
o) crowdfunding service providers
p) securitisation repositories
q) ICT third-party service providers
A variety of smaller entities are exempt from the DORA, such as managers of alternative investment funds whose assets under management do not exceed certain thresholds, insurance undertakings with annual gross written premium income below EUR 5 million, and insurance intermediaries that are micro-enterprises or SMEs.
The proportionality principle requires financial entities to implement the DORA proportionately based on their size, overall risk profile, and the type, scope, and complexity of their services and operations.
6. DORA’s key provisions
a) Governance and Organisation (Article 5)
In order to achieve a high level of digital operational resilience, financial entities must have in place an internal governance and control framework that ensures effective and prudent management of ICT risk.
All arrangements related to the ICT risk management framework must be defined, approved, monitored, and implemented by the financial entity’s management body.
b) Risk management requirements (Articles 6-16)
As part of their overall risk management system, financial entities must have a solid, thorough, and well-documented ICT risk management framework that enables them to address ICT risk swiftly and efficiently, while ensuring a high level of operational resilience in the digital sphere.
The ICT risk management framework must include at least the strategies, policies, procedures, ICT protocols, and tools required to properly and adequately protect all information assets and ICT assets, including computer software, hardware, and servers, as well as all relevant physical components and infrastructure, such as premises and data centres, from risks including damage and unauthorised access or usage. In addition, financial entities must implement a thorough ICT business continuity plan, backup policies, restoration and recovery procedures.
Furthermore, financial entities must continuously monitor and control the security and functioning of ICT systems and tools and implement the necessary ICT security tools, policies, and procedures so as to minimise the impact of ICT risk on such systems. Additionally, financial entities must have mechanisms in place to promptly detect anomalous activities, including but not limited to ICT network performance issues and ICT-related incidents.
c) Incident management, classification and reporting (Articles 17-23)
Financial entities must define, establish, and implement an ICT-related incident management process to detect, manage, classify and notify relevant incidents. Major ICT-related incidents and significant cyber threats should be reported to the relevant competent authorities within the stipulated time frames.
The requirements outlined in Articles 17 to 23 of the DORA must also be followed by credit institutions, payment institutions, account information service providers, and electronic money institutions in relation to operational or security payment-related incidents, as well as major operational or security payment-related incidents.
d) Digital operational resilience testing (Articles 24-27)
Detailed requirements for the testing of financial entities’ digital operational resilience are included in Articles 24 to 27.
e) Managing of ICT third-party risk (Articles 28-30)
The requirements laid down in Articles 28 to 30 ensure that financial entities address ICT third-party risk. The general principles set out in Article 28 can be summarised as follows:
1) Financial entities are obliged to handle ICT third-party risk as an integral component of ICT risk within their ICT risk management framework and in compliance with the following principles:
2) Financial entities must adopt and regularly review a strategy on ICT third-party risk.
3) Financial entities must maintain and update a register of information relating to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.
4) Financial entities, before entering into a contract for the use of ICT services, must:
5) Only third-party ICT service providers who adhere to the necessary information security requirements may enter into contracts with financial entities.
6) Financial entities must adhere to generally accepted audit standards and any supervisory instructions on the use and incorporation of such standards when exercising access, inspection, and audit rights over an ICT third-party service provider. This is done on the basis of a risk-based approach. Additionally, where contractual arrangements concluded with ICT third-party service providers on the use of ICT services involve high technical complexity, the financial entity must ensure that the auditors have the necessary skills and knowledge to successfully complete the relevant audits and assessments.
7) Financial entities must make sure that agreements for the use of ICT services may be terminated under any of the following conditions:
8) Financial entities must implement an exit strategy for ICT services supporting critical or significant strategies.
Article 30 states the minimum terms which must be included in the contract between the parties (i.e., between the ICT third-party service provider and the financial entity).
f) Oversight framework for critical ICT third-party service providers (Articles 31-44)
The DORA aims to advance the convergence of regulatory approaches to ICT third-party risk in the financial sector. Therefore, the DORA establishes: (1) an Oversight Framework for the ICT third-party service providers that are critical for financial entities and (2) the position of Lead Overseer to conduct the oversight of such critical third parties.
g) Information-sharing arrangements (Article 45)
Financial entities are permitted to exchange, among themselves, information and intelligence about cyber threats, but they must notify the competent authorities of their participation in such information-sharing arrangements.
7. What will be the consequences of non-compliance?
The form and/or the size of sanctions or penalties in case of non-compliance are not prescribed by the DORA, but at the same time the DORA specifies that the competent authorities must have the supervisory, investigatory and sanctioning powers necessary to fulfil their duties. Therefore, member states must establish rules concerning administrative penalties and remedial measures for breaches of the DORA.
8. What should be the next steps for financial entities?
It is essential that financial entities and ICT service providers begin familiarising themselves with the large array of potential new requirements. They should understand the new requirements of the DORA and where each financial entity stands in relation to these changes by conducting a gap analysis of their current ICT infrastructure, policies, and organisational frameworks.
While some of the DORA’s requirements will not significantly alter the frameworks and procedures currently in place, others will demand a significant amount of time, coordination, and input from a variety of experts.
Our team is available to assist financial entities to fully understand the implications of the DORA and to fully comply with the provisions of this Regulation.