DORA: A harmonized framework to strengthen the digital operational resilience of the EU financial sector
Context and background
On 27 December 2022, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector [1] was officially published in the EU Official Journal (the Digital Operational Resilience Act or DORA).
DORA was first introduced as part of the EU Digital Finance Package in September 2020. The package aims to develop a European approach that fosters technological development and ensures financial stability and consumer protection. In addition to DORA, the EU Digital Finance Package also contained a digital finance strategy, a proposal on markets in crypto-assets (MiCA) and a proposal for a pilot regime for market infrastructures based on distributed ledger technology (DLT Pilot Regime, adopted in June 2022).
What is DORA?
As a milestone of the EU Digital Finance Package, DORA is intended to contribute to the risk-adequate cyber and IT security of financial service providers and to strengthen their resilience against threats posed by information and communication technologies. It aims to prevent and mitigate cyber threats in the EU financial sector by harmonizing and upgrading the various legislative (national and international) initiatives and establishing a consolidated digital operational framework across the EU financial sector. This will create uniform requirements for the security of network and information systems of both financial entities and critical information and communication technology (ICT) third-party service providers.
DORA builds on the existing regulatory framework for the management of cyber and IT risks that already applies in the finance and insurance sector. The regulation also builds on the European legislation on network and information security (NIS), whose enhancement by the NIS-2 Directive was also recently adopted by the EU Parliament in November 2022 and published in the EU Official Journal [2]. In this overall regulatory environment, DORA is designed as specific, prevailing legislation within its scope of application.
DORA aims for proper management of ICT risk, i.e., as defined in the act, of “any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment”.
In practice, DORA will:
- require EU financial entities to adopt comprehensive capabilities to enable strong and effective ICT risk management, and specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents to competent authorities. Likewise, financial entities should have policies in place for the testing of ICT systems, controls and processes, and for managing ICT third-party risk. Financial entities must implement these requirements in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations. DORA allows for a proportionate application of requirements for certain financial entities, particularly microenterprises, and financial entities subject to a simplified ICT risk management framework; and
- subject critical ICT third-party service providers that provide ICT services to EU financial institutions to a strict oversight framework, managed by the European Supervisory Authorities (ESAs).
A consolidated digital operational framework for EU financial sector
DORA introduces a streamlined digital operational framework across the EU financial sector.
The regulation addresses essentially all financial service providers. Financial entities subject to this new Regulation include credit, payment and e-money institutions, investment firms, crypto-asset service providers, fund managers, insurance and reinsurance undertakings, credit rating agencies and crowdfunding service providers.
ICT providers are not only regulated indirectly, but also directly under certain conditions. According to DORA, ICT providers are those that continuously provide digital services and data services, such as cloud computing services, as well as certain hardware-related services. Compared to the previous legal framework, DORA represents a paradigm shift for the ICT sector.
ICT risk management requirements
DORA requires financial entities to have an internal governance and control framework in place that ensures effective and prudent management of ICT risk. The management body of the financial entity must define, approve and oversee, and is responsible for implementing, all arrangements related to the ICT risk management framework.
As part of the ICT risk management framework, financial entities will have to implement a sound, comprehensive and well-documented ICT risk management framework (including strategies, policies, procedures and ICT protocols), to deploy systems that detect anomalous activities and potential material single points of failure, and to develop appropriate response and recovery strategies. As a general rule, the ICT risk management framework has to be reviewed on a yearly basis; it is subject to internal audit and must be submitted to the financial services supervisory authority upon request.
The information and communication technology of the financial entities must always be updated and, among other things, be reliable, appropriately designed, sufficiently dimensioned and technically stable.
DORA also requires financial entities to define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. Appropriate procedures and processes must be implemented to ensure consistent and integrated monitoring, handling and follow-up of ICT-related incidents, so that root causes are identified, documented and addressed in order to prevent incidents from occurring.
In addition, ICT-related incidents must be comprehensively documented, as any incident deemed ‘major’ must be reported to the relevant competent authority (of the respective financial entity). If a major ICT-related incident affects the financial interests of clients, financial entities also have to inform their clients about the incident and about the measures taken to mitigate the adverse effects. Deadlines for timely reporting will be determined by the ESAs.
Financial entities may also, voluntarily, notify significant cyber threats to the relevant competent authority when they deem the threat to be of relevance to the financial system, service users or clients.
Digital operational resilience testing
DORA introduces a mandatory digital operational resilience testing programme for financial entities as an integral part of the ICT risk-management framework.
The testing must be undertaken by independent parties, whether internal or external. Financial entities must establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests and must establish internal validation methodologies to ensure all identified weaknesses, deficiencies or gaps are fully addressed. Appropriate tests must be conducted on all ICT systems and applications supporting critical or important functions at least every year.
Financial entities identified as systemically relevant have to perform advanced testing of the underlying ICT systems, processes and technologies supporting critical or important functions and ICT services. This includes those supporting critical or important functions that have been outsourced or contracted to ICT third-party service providers. As a general rule, such testing should take place every three years using threat-led penetration testing (TLPT).
Management of ICT third-party risk
ICT third-party risk must be managed by financial entities as an integral component of ICT risk in their ICT risk management framework. DORA requires financial entities to:
- have in place contractual arrangements for the use of ICT services to run their business operations, including arrangements for reasonable IT security standards in general and up to best industry IT security standards for important or critical functions, and to remain fully responsible for compliance with all obligations under DORA and applicable financial services law at all times;
- maintain and update at entity level, and at (sub-)consolidated levels, an information register in relation to all contractual arrangements on the use of ICT services provided by third-party service providers, distinguishing between ICT services supporting critical or important functions and those that do not. This register must be made available to the competent authority upon request;
- report at least every year to the respective competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the provided ICT services and functions;
- inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important; and
- make specific risk-management related assessments before entering into new contractual arrangements, including whether the arrangement covers the use of ICT services supporting a critical or important function, and all relevant risks relating to the contractual arrangement.
Key contractual provisions
With regard to the contractual arrangements, DORA takes a similar approach to that in pre-existing regulatory guidelines at European level, such as the EBA Guidelines on outsourcing arrangements or the EIOPA Guidelines on outsourcing to cloud service providers. DORA requires a written contract clearly allocating the specific rights and obligations of both parties, including the following elements:
- a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;
- full service level descriptions;
- the obligation of the ICT third-party service provider to provide assistance when an ICT incident related to the ICT service provided to the financial entity occurs;
- the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity; and
- termination rights and related minimum notice periods for the termination of the contractual arrangements.
Additional mandatory contractual provisions apply to contractual arrangements supporting critical or important functions, including appropriate exit strategies and monitoring rights entailing unrestricted rights of access, inspection and audit.
Information sharing arrangements on cyber threat information and intelligence
Lastly, DORA allows financial entities to exchange, among themselves, cyber threat information and intelligence. Such exchanges should:
- enhance the digital operational resilience of financial entities;
- take place within trusted communities of financial entities; and
- be implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, and that are governed by rules of conduct in full respect of business confidentiality, protection of personal data and guidelines on competition policy.
An oversight framework for ICT third-party service providers
DORA establishes a direct oversight framework for “critical” ICT third-party service providers. This oversight framework will apply to ICT third-party service providers irrespective of whether they are based in an EU Member State or abroad, but not to intra-group service providers.
The ESAs will designate the “critical” ICT third-party service providers and appoint a “Lead Overseer” for each critical ICT third-party service provider. The Lead Overseer will be the ESA responsible for the financial entities with the largest share of total assets out of the value of total assets of all financial entities using the services of the relevant critical ICT third-party service provider.
The designation of critical ICT third-party service providers will be based on criteria including:
- the potential systemic impact on the stability, continuity or quality of the provision of financial services in the event of a large scale operational failure;
- the systemic character or importance of the financial entities that rely on the relevant ICT third-party service provider;
- the reliance of financial entities on the services provided by the relevant ICT third-party service provider in relation to critical or important functions of financial entities that ultimately involve the same ICT third-party service provider; and
- the degree of substitutability of the ICT third-party service provider.
The Lead Overseer will oversee the assigned critical ICT third-party service providers and assess whether each critical ICT third-party service provider has comprehensive, sound and effective rules, procedures, mechanisms and arrangements in place to manage ICT risk. The Lead Overseer will be able to request all relevant information and documentation from the assigned critical ICT third-party service providers, to conduct general investigations and offsite and onsite inspections, to issue recommendations and requests, and to impose fines in certain circumstances.
General enforcement of DORA
Beyond the allocation of supervisory responsibilities on the supervision of critical ICT third-party service providers, DORA establishes a differentiated system of responsibilities of the supervisory authorities on an institution-by-institution basis to ensure compliance with the Regulation. The supervisory authorities are requested to cooperate among each other and with the lead supervisory authority. The Regulation then establishes broad supervisory, investigatory and sanctioning powers for the benefit of these authorities to ensure performance of their duties. The minimum list of powers includes access to documents or data in any form, the conduct of onsite inspections or investigations, including rights of subpoena and questioning, and the request for corrective and remedial action in the event of breaches of the Regulation.
DORA requires EU Member States to lay down appropriate administrative sanctions and remedies for breaches of the Regulation and to ensure that they are effectively implemented.
DORA does not provide for fines or other criminal sanctions for non-compliance with the Regulation. In this respect, the regulation departs from the approach of the General Data Protection Regulation (GDPR) or the amended Network and Information Security 2 (NIS-2) Directive. However, EU Member States are free to provide for criminal sanctions for breaches of DORA in their national law; whether they will do so remains to be seen.
DORA enters into force on 16 January 2023 but will apply from 17 January 2025. EU financial entities should act now and start preparing to meet the 2025 deadline.
Any financial entity in scope of DORA, i.e. almost any financial services operation, should immediately start with the implementation of DORA and set up a corresponding project, identifying the internal stakeholders to be involved and the external experts and resources needed for support. On the basis of the existing information security management framework and a related due diligence process, a gap analysis should be conducted to identify the specific tasks and targets to be implemented afterwards according to a specific roadmap. In preparation for DORA’s application date of 17 January 2025, supervisory authorities have already begun preparing for implementation, particularly as, according to DORA, the ESAs have to draw up standards that financial service providers and critical ICT third-party providers must observe. Financial entities will only have limited time to implement these. In view of the usual technical and operational complexity, this is likely to be challenging.
ICT service providers should immediately familiarise themselves with the specific contractual requirements of DORA for service agreements with financial entities and specifically identify and consider the operational and legal consequences compared to their standard operating mode to date. Those ICT service providers that are potentially or actually critical for financial entities, and are therefore the focus of future direct regulation, should get acquainted with the regulatory framework specific to ICT service providers. They should also carefully identify and analyse the operational and legal consequences, management options and approaches, and potential operational change requirements.
For more information regarding DORA and how it will affect your business, contact your usual DLA Piper advisor.
[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance), PE/41/2022/INIT, OJ L 333, 27 December 2022.
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).