Navigating compliance waters – How will DORA affect insurance and financial companies?
What is DORA?
On 17 January 2025, Regulation (EU) 2022/2554, commonly referred to as DORA (Digital Operational Resilience Act), will finally come into effect.
DORA is a cornerstone of the EU's digital finance legislative package. It stands alongside MiCAR, which focuses on markets in crypto-assets, and the DLT pilot regime, a regulation on distributed ledger technology.
DORA focuses on cybersecurity. It aims to enhance “operational resilience” in the European financial sector.
It’s a groundbreaking regulation in the financial landscape, aiming to harmonize and standardize cybersecurity requirements for financial entities operating across Europe.
The overarching objective is to strengthen these entities against cyber threats, fostering a capacity to prevent, withstand, and respond effectively to such challenges. These requirements are currently fragmented across various European and national provisions (eg NIS1 Directive, PSD2, Italian Cybersecurity Perimeter, scattered provisions from IVASS and Bank of Italy), resulting in inconsistent application and compliance challenges. By consolidating and streamlining these requirements, DORA seeks to enhance the overall cybersecurity posture of the financial industry while facilitating greater regulatory clarity and compliance efficiency.
This industry-specific regulation primarily targets financial entities and, as lex specialis, takes precedence over broader cybersecurity regulations that apply at the same time, such as the NIS2 Directive.
Which financial entities does DORA cover?
DORA has an exceptionally broad scope, applying to virtually all operators in the financial sector, with few exceptions. The detailed list of entities subject to DORA’s provisions is provided in Article 3 of the regulation, and it’s crucial for the relevant operators to determine their category of operation. Essentially, DORA will affect:
- Traditional financial entities (banks, investment firms, and insurance companies); and
- Emerging market players (electronic money institutions and crypto-asset service providers).
DORA also introduces specific monitoring obligations directly targeting critical providers of ICT services (eg cloud service providers) that offer their services to financial entities.
The key pillars of DORA
The DORA provisions can be condensed into four fundamental pillars, each representing a cornerstone of the regulation's framework. These pillars, when applied together, are designed to give financial entities the tools to recognize and manage ICT risks, whether inherent or stemming from third parties:
- Governance and internal organization – Financial entities have to establish an internal cybersecurity governance and control framework to effectively and prudently manage all ICT risks. DORA aims to elevate ICT risks to a significant component of the operational and financial risks already addressed by financial entities. Consequently, a defined set of responsibilities must be assigned to the financial entity's management body, which bears primary accountability for overall ICT risk management.
- Risk management framework – Financial entities have to maintain a robust, comprehensive, and well-documented cyber risk management framework as part of their overall risk management system. Operators must:
- identify all sources of ICT risk and implement mechanisms for detecting abnormal activities;
- deploy strategies, policies, procedures and ICT protocols to ensure continuous monitoring and prevention of ICT-related risks, as well as prompt response to and recovery from incidents; and
- deploy resilient ICT tools and systems to minimize the impact of related risks, and to adequately protect all information and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructure.
DORA introduces some simplifications for companies exempt from enhanced obligations (eg small non-interconnected investment firms), but this does not exclude the implementation of basic ICT risk mapping and management measures.
- Incident management and reporting – DORA introduces several provisions regarding the management of incidents related to ICT services. Financial entities will have to:
- establish and implement operational continuity policies and disaster recovery plans in the event of ICT-related disasters, such as cyberattacks;
- acquire the necessary capabilities and personnel to detect vulnerabilities, threats, incidents, and cyberattacks, and assess their potential impact on digital operational resilience; and
- develop communication plans for various stakeholders.
When it comes to incident reporting, financial entities have to establish and implement a management process for monitoring and documenting ICT-related incidents. This includes classifying incidents, evaluating their impact, and reporting serious incidents to the relevant authorities.
- ICT third-party management – To mitigate risks arising from financial entities' reliance on third-party service providers, specific provisions have been introduced to ensure the proper assessment of third-party providers of ICT services and the inclusion of mandatory clauses in service agreements, to manage the impacts of their operations.
As part of this effort, the regulation establishes a European-level oversight framework for critical third-party ICT service providers. Each critical third-party ICT service provider will be subject to oversight by a designated lead supervisory authority.
Regulatory technical and implementing technical standards specifying DORA
In addition to the regulatory framework of DORA, the regulation provides that certain provisions will be further detailed through regulatory technical standards and implementing technical standards (RTS and ITS) drawn up by the European Supervisory Authorities (the ESAs), namely the EBA, EIOPA and ESMA.
To date, two different sets of RTS and ITS have been released (see first batch RTS and second batch RTS), delving into topics such as classification, timelines and contents of ICT incidents notification; details on the ICT risk management framework; subcontracting of critical functions and threat-led penetration testing (TLPT).
These RTS and ITS are expected to complement the framework for ICT risk management for financial entities.
The practical impact of DORA on financial entities
The ramifications of DORA for financial institutions will be profound. While many larger and well-established entities likely already comply with several of DORA’s requirements and technical measures, the regulation sets a new standard of awareness and standardization for all operators, unprecedented in the previous regulatory framework.
It’s essential for financial entities to adopt a proactive and informed approach by engaging in preparatory activities to assess the true impact of DORA on their operations.
Operators should:
- Conduct a gap analysis of their ICT risk management framework, reviewing the internal governance structure and existing ICT risk and incident management protocols. This assessment aims to gauge organizational awareness of the new regulatory framework and to determine whether current resources, strategies, and response plans align with regulatory expectations. If shortcomings are identified, plans will need to be updated and adjusted.
- Assess critical ICT service providers, namely by mapping contracts with third-party providers and assessing their criticality to business operations. Identifying and documenting vulnerabilities facilitates the planning of a risk containment strategy. Lastly, renegotiating the parties' obligations aims to align contracts with regulatory requirements.
- Revise incident reporting mechanisms, which entails assessing the company's reporting capabilities and responsiveness. Subsequently, implementing new procedures or adjusting existing ones ensures alignment with the new regulatory requirements.
While 17 January may appear to be in the distant future, all financial entities have to begin preparing now to ensure they can comply with DORA within the planned deadline.