CyberItalia: DORA regulation and new cyber obligations for financial institutions

Starting in 2025, the DORA Regulation will introduce specific cybersecurity obligations for financial companies like banks, insurance companies and fintech companies.

In the sixth article in our CyberItalia column, we’re looking at the new obligations under the DORA Regulation. The obligations are aimed at strengthening the operational resilience of the financial sector so operators can prevent and deal with cyberattacks.

The DORA Regulation (Regulation (EU) 2022/2554, Digital Resilience Operational Act) is part of the EU regulatory package on digital finance. It’s a sectoral regulation that applies only to operators in the financial sector.

When?

Adopted on 14 December 2022, it will be directly applicable in Member States – without the need for transposition – from 17 January 2025.

Who is it addressed to?

The scope of the DORA Regulation is very broad and will apply to:

• traditional financial institutions (eg banks, investment firms and insurance companies);
• new fintech players (eg e-money companies and crypto-asset services);
• critical ICT service providers (eg cloud service providers), who provide their services to the abovementioned parties, with reference to some specific monitoring obligations.

What does it provide for?

The provisions of the DORA Regulation can be summarised in four basic pillars:

• Governance and internal organisation: provision for the adoption of an internal cybersecurity governance system and control framework to ensure effective management of all ICT risks to achieve a high level of digital operational resilience.
• Risk management: expectations regarding the implementation of a robust, comprehensive and well-documented cyber-risk management framework as part of their overall risk management system, and periodic testing activities to which financial institutions will be subjected.
• Incident management and reporting: detailed forecasts with respect to the measures to be taken to manage and report incidents related to ICT services.
• ICT third-party management: provisions for the proper evaluation of third-party ICT service providers and the consequent impacts of their actions.

In addition to these pillars, states have to adopt a supervision system at national level to make sure the entities comply with specific security levels.

Numerous provisions of the DORA Regulation will be specified in regulatory and implementing technical standards (RTS and ITS), adopted by the European Supervisory Authorities (EBA, EIOPA and ESMA, together the ESAs).

On 20 June 2023, the supervisory authorities launched a public consultation on the first set of technical standards to be approved, which will remain open until 11 September 2023.

This first set of standards:

• provides more detail on the ICT risk management framework and the simplified risk management framework;
• specifies harmonised requirements for the classification of ICT incidents by financial entities;
• identifies some harmonised templates that financial entities should adopt to register information on contractual arrangements with ICT service providers; and
• defines the content of policies on the use of ICT services that support critical or important functions.

For more on the contents of the RTS and ITS, see DORA Regulation: consultation on first technical standards. The authorities will have to submit the draft technical standards to the European Commission by 17 January 2024, so they can be adopted in time for the application of the DORA Regulation from 17 January 2025.

In parallel, on 29 September 2023, the ESAs published their joint response to the EU Commission's request for an opinion on the identification of criteria for critical ICT service providers and the quantification of the supervision fees to be borne by these providers.