DORA: The Digital Operational Resilience Act
What the insurance market needs to know about the harmonized framework to strengthen the digital operational resilience of the EU financial sector
Context and background
On 27 December 2022, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector,1 was officially published in the EU Official Journal (the Digital Operational Resilience Act or DORA).
DORA was first introduced as part of the EU Digital Finance Package in September 2020, which aims to develop a European approach that fosters technological development and ensures financial stability and consumer protection.
DORA will apply to (re)insurance undertakings within the scope of Solvency II and larger (re)insurance intermediaries.2 It will also apply to third parties who provide critical information and communication technology (ICT) services to the insurance industry, such as providers of cloud computing services, software (for example underwriting platforms for e-trade business), data analytics services, and data centres.
In practice, DORA is likely to impact many UK-based firms in addition to those headquartered in the EEA. Where a UK-based (re)insurer or intermediary has EEA entities within its group, it will need to consider the extent to which DORA may indirectly affect its non-EEA operations, for example where contracts for the provision of ICT services are negotiated on a group level.
What is DORA?
As a milestone of the EU Digital Finance Package, DORA is intended to contribute to risk-adequate cyber and IT security at financial service providers and to strengthen their resilience against threats arising from information and communication technologies. It aims to prevent and mitigate cyber threats in the EU financial sector by harmonizing and upgrading the various (national and international) legislative initiatives and establishing a consolidated digital operational resilience framework across the EU financial sector. This will create uniform requirements for the security of network and information systems of both financial entities and critical ICT third-party service providers.
DORA works in conjunction with the existing regulatory framework for risk management of cyber and IT risks for the insurance sector. The regulation also builds on the European legislation on network and information security (NIS) whose enhancement by the NIS-2 Directive was also most recently adopted by the EU Parliament in November 2022. In this overall regulatory environment, DORA is designed as specific, prevailing legislation within its scope of application. DORA aims for a proper management of ICT risks, i.e. as defined in the act, of “any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment".
In practice, DORA will:
- require in-scope (re)insurers and intermediaries to adopt comprehensive capabilities to enable strong and effective ICT risk management, and specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents to competent authorities. Likewise, they should have policies in place for the testing of ICT systems, controls and processes, and for managing ICT third-party risk. Firms must implement these requirements in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations. DORA allows for a proportionate application of requirements for certain firms, particularly microenterprises, and those subject to a simplified ICT risk management framework; and
- subject critical ICT third-party service providers that provide ICT services to in-scope (re)insurance undertakings and intermediaries to a strict oversight framework, managed by the European Supervisory Authorities (ESAs).
A consolidated digital operational framework
DORA introduces a streamlined digital operational framework across the EU financial sector.
The regulation is broad in scope, applying to many financial service providers beyond the insurance sector, such as credit, payment and e-money institutions, investment firms, crypto-asset service providers, fund managers, credit rating agencies and crowdfunding service providers.
In addition, ICT providers are not only regulated indirectly, but also directly under certain conditions. Under DORA, ICT providers are those who continuously provide digital services and data services, such as cloud computing services, as well as certain hardware-related services. Compared to the previous legal framework, DORA represents a paradigm shift for the ICT sector.
ICT risk management requirements
DORA requires in-scope entities to have an internal governance and control framework in place that ensures effective and prudent management of ICT risk. The management body of the firm must define, approve and oversee all arrangements related to the ICT risk management framework, and is responsible for their implementation.
The ICT risk management framework itself must be sound, comprehensive and well documented (including strategies, policies, procedures and ICT protocols). Within it, firms must deploy systems to detect anomalous activities and potential material single points of failure, and must develop appropriate response and recovery strategies. As a general rule the framework has to be reviewed at least once a year, is subject to internal audit, and must be submitted to the supervisory authority upon request.
Firms must ensure that their information and communication technology is kept updated and, among other things, is reliable, appropriately designed, sufficiently dimensioned and technically stable.
DORA also requires firms to define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. Appropriate procedures and processes must be implemented to ensure consistent and integrated monitoring, handling and follow-up of ICT-related incidents, so that root causes are identified, documented and addressed in order to prevent such incidents from recurring.
ICT-related incidents must be comprehensively documented, and any incident classified as ‘major’ must be reported to the competent authority of the respective financial entity. If a major ICT-related incident affects the financial interests of clients, firms also have an obligation to inform their clients about the incident and about the measures taken to mitigate its adverse effects. The deadlines for timely reporting are to be specified in technical standards developed by the ESAs. Firms may also, on a voluntary basis, notify significant cyber threats to the relevant competent authority when they deem the threat to be of relevance to the financial system, service users or clients.
Digital operational resilience testing
DORA introduces a mandatory digital operational resilience testing programme as an integral part of the ICT risk-management framework.
The testing must be undertaken by independent parties, whether internal or external. Firms must establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests and must establish internal validation methodologies to ensure all identified weaknesses, deficiencies or gaps are fully addressed. Appropriate tests must be conducted on all ICT systems and applications supporting critical or important functions at least every year.
Firms identified as being of particular systemic importance (in accordance with a framework to be developed by the ESAs) will also have to perform an advanced testing of underlying ICT systems, processes and technologies supporting critical or important functions and ICT services, including those supporting the critical or important functions which have been outsourced or contracted to ICT third-party service providers, as a general rule every three years using threat-led penetration testing (TLPT).
Management of ICT third-party risk
ICT third-party risk must be managed by firms as an integral component of ICT risk in their ICT risk management framework. DORA requires firms to:
- have in place contractual arrangements for the use of ICT services to run their business operations, which must provide for appropriate information security standards in general and, where critical or important functions are concerned, take due account of the latest and highest quality information security standards, and to remain fully responsible at all times for compliance with all obligations under DORA and applicable financial services law;
- maintain and update at entity level, and at (sub-)consolidated levels, an information register in relation to all contractual arrangements on the use of ICT services provided by third-party service providers, distinguishing between ICT services supporting critical or important functions and those that do not. This register must be made available to the competent authority upon request;
- report at least every year to the respective competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the provided ICT services and functions;
- inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important; and
- make specific risk-management related assessments before entering into new contractual arrangements, including whether it covers the use of ICT services supporting a critical or important function and all relevant risks relating to the contractual arrangement.
Key contractual provisions
Similar to the approach under the EIOPA Guidelines on outsourcing to cloud service providers, DORA requires a written contract clearly allocating specific rights and obligations of both parties, including:
- a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;
- full service level descriptions;
- the obligation of the ICT third-party service provider to provide assistance when an ICT incident that is related to the ICT service provided to the firm occurs;
- the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the firm; and
- termination rights and related minimum notice periods for the termination of the contractual arrangements.
Additional mandatory contractual provisions apply for contractual arrangements supporting critical or important functions, including appropriate exit strategies and the right to monitor entailing unrestricted rights of access, inspection and audit.
Information sharing arrangements on cyber threat information and intelligence
DORA also allows financial entities to exchange, among themselves, cyber threat information and intelligence. The information and intelligence exchange should:
- enhance the digital operational resilience of financial entities;
- take place within trusted communities of financial entities; and
- be implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, and that are governed by rules of conduct in full respect of business confidentiality, protection of personal data and guidelines on competition policy.
This information exchange is intended to assist with risk management across the broader financial sector, which will benefit (re)insurers who face cyber risks themselves. An additional benefit for the insurance market is that it will improve understanding of the cyber threat landscape generally, which will be of interest to those underwriting cyber risks.
To ensure compliance with DORA, competent authorities will have all supervisory, investigatory and sanctioning powers necessary to fulfil their duties. They will have access to any document and data considered relevant for the performance of their duties. And they will carry out onsite inspections or investigations and require corrective and remedial measures for breaches of the requirements of DORA.
An oversight framework for ICT third-party service providers
DORA establishes a direct oversight framework for “critical” ICT third-party service providers. This oversight framework applies to ICT third-party service providers irrespective of whether they are established in an EU member state or in a third country, but not to intra-group service providers.
The ESAs will designate the “critical” ICT third-party service providers and appoint a “Lead Overseer” for each of them. The Lead Overseer will be the ESA responsible for the financial entities that together hold the largest share of total assets out of the value of total assets of all financial entities using the services of the relevant critical ICT third-party service provider.
The designation of critical ICT third-party service providers will be based on criteria including:
- the potential systemic impact on the stability, continuity or quality of the provision of financial services in the event of a large scale operational failure;
- the systemic character or importance of the financial entities that rely on the relevant ICT third-party service provider;
- the reliance of financial entities on the services provided by the relevant ICT third-party service provider in relation to critical or important functions of financial entities that ultimately involve the same ICT third-party service provider; and
- the degree of substitutability of the ICT third-party service provider.
The Lead Overseer will oversee the assigned critical ICT third-party service providers and assess whether each critical ICT third-party service provider has comprehensive, sound and effective rules, procedures, mechanisms and arrangements in place to manage the ICT risk. The ESA will be able to request all relevant information and documentation from the assigned critical ICT third-party service providers, to conduct general investigations and offsite and onsite inspections, issue recommendations and requests, and impose fines in certain circumstances.
The introduction of these regulatory obligations on ICT third-party service providers should increase the ICT sector’s engagement with these issues and make it easier for the insurance market to negotiate appropriate contractual terms to ensure compliance with its own obligations.
General enforcement of DORA
Beyond the allocation of supervisory responsibilities for critical ICT third-party service providers, DORA establishes a differentiated system of responsibilities of the supervisory authorities on an institution-by-institution basis in order to ensure compliance with the Regulation. The supervisory authorities are required to cooperate with each other as well as with the Lead Overseer. The Regulation then grants these authorities broad supervisory, investigatory and sanctioning powers to ensure the performance of their duties. The minimum list of powers includes, in principle, access to documents or data in any form, the conduct of on-site inspections or investigations (including the power to summon and question persons), and the power to require corrective and remedial action in the event of breaches of the Regulation.
In this context DORA requires EU Member States to lay down appropriate administrative penalties and remedial measures for breaches of the Regulation and to ensure that they are effectively implemented.
DORA itself does not set out specific fine amounts or criminal sanctions for non-compliance by financial entities (the Lead Overseer may, however, impose periodic penalty payments on critical ICT third-party service providers, as described above). In this respect the Regulation departs from the approach of the General Data Protection Regulation (GDPR) and the revised Network and Information Security Directive (NIS-2), which was approved by the Council of the EU on 28 November 2022. EU member states remain free to provide for criminal sanctions for breaches of DORA in their national law; whether they will do so remains to be seen.
DORA enters into force on 16 January 2023 but will be effective from 17 January 2025. The insurance market should act now and start preparing to meet the 2025 deadline.
Firms within DORA’s scope should immediately start implementation planning, including identifying a business owner, engaging external experts and identifying the resources needed for the implementation project. On the basis of the existing information security management framework and a related due diligence process, a gap analysis should be conducted to identify the specific tasks and targets, which are then implemented according to a defined roadmap. The supervisory authorities have already begun preparing for implementation, not least because DORA requires the ESAs to draw up technical standards, in several areas, that financial service providers and critical ICT third-party providers must observe; these must be completed before 17 January 2025. Firms will therefore have only a limited time for implementation, and given the usual technical and operational complexity this is likely to be challenging.
For more information regarding DORA and how it will affect your business, contact your usual DLA Piper advisor.
1 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
PE/41/2022/INIT, OJ L 333, 27 December 2022.
2 Excluding those intermediaries which employ fewer than 250 persons and have an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million.