DORA

What lies ahead for European financial companies?

On November 17, the European Council adopted the Regulation of the European Parliament and of the Council on Digital Operational Resilience in the Financial Sector (“DORA” for short) and it will enter into force 20 days after publication in the Official Journal of the EU. 24 months later and thus from the beginning of 2025, the regulation will then apply directly and bindingly in every member state. As this is a regulation, no separate national implementation is required; the text applies equally in all member states. Thus, only these two years remain for the organizations concerned to fully prepare for the requirements of DORA, which are quite profound.

Let’s start with the scope of the organizations involved: because the objective is to create a coherent approach to the management of ICT risks in the EU financial sector – with the aim of strengthening the digital operational resilience of the financial services industry – a very broad scope has been chosen. In addition to traditional credit institutions, payment institutions and financial market infrastructure entities such as central securities depositories, central counterparties and trading venues, it also includes all financial service providers in the broader sense, such as investment firms, investment funds, crypto service providers, account information service providers, insurance and reinsurance companies, insurance intermediaries, rating agencies and their data provision services, as well as third-party ICT service providers. Article 2 provides for some (few) exemptions from the Regulation, as well as certain facilitations (e.g., a simplified ICT risk management framework) for financial service providers that qualify as “micro-entities” (fewer than 10 employees and an annual turnover or balance sheet of less than EUR 2 million). Throughout the regulation, reference is made to the principle of proportionality, under which account must be taken of the size, overall risk profile, and the nature, scope, and complexity of the financial service provider’s services and operations. DORA is considered a lex specialis to the NIS 2 Directive, which was adopted at the same time, and therefore supersedes it for all affected companies. At the same time, some aspects of DORA (e.g., requirements for the ICT risk management framework and the protective measures to be implemented) are much more comprehensive and in-depth than the similarly worded NIS 2 Directive, so it can be assumed that the national supervisory authorities will be guided by the more detailed requirements of DORA when it comes to implementation standards.

So what are the key requirements in DORA? Article 5 (Governance and Organization) requires that financial firms have an internal governance and control framework that ensures effective and prudent management of ICT risks in order to achieve a high level of digital operational resilience. In this context, the management body of the financial enterprise is responsible for implementing all arrangements in connection with the ICT risk management framework. This includes, but is not limited to, the allocation of adequate budgetary resources. The management body must also ensure that it is kept up to date on all risk-related issues, including agreements on the use of ICT services. Furthermore, DORA requires that the members of the financial company’s management body have sufficient up-to-date knowledge and skills regarding ICT risks – in practice, this means that they must regularly complete dedicated training courses. It can be assumed that this will find its way into an expanded catalog of requirements for the Fit & Proper examinations.

Section 2 of DORA then includes detailed requirements for the ICT risk management framework, which must include policies, guidelines, procedures, and ICT protocols and tools to properly and adequately protect all ICT assets, as well as to protect all relevant physical components and infrastructure, such as premises, data centers, and designated sensitive areas. This ICT risk management framework must be documented and managed by an independent control function in accordance with the three lines of defense model and reviewed at least once a year. The ICT risk management framework must describe the risk tolerance threshold, define key performance indicators and risk metrics, and continuously review effectiveness through testing and monitoring. Furthermore, an ICT reference architecture must be defined, and the systems it encompasses must always be kept up to date. The following articles then describe, along the security lifecycle of “Identification”, “Prevention”, “Detection”, “Response” and “Recovery”, all the minimum requirements that the ICT risk management framework must contain to meet the security objectives. This covers all essential topics described by common security standards such as ISO 27001 or NIST 800-53: scenario analysis, business impact analysis, asset management, change management, protection of the availability, authenticity and integrity of data, authorization management and authentication, up to business continuity guidelines and contingency planning. Technical measures are also described in concrete terms, such as the ability to detect anomalies and to immediately disconnect or segment network connections if necessary. By establishing concrete technical capabilities at the regulation level, DORA goes further than any existing legislative text at the EU level.
DORA also specifies very concrete requirements with regard to disaster recovery & BCM, specifications for recovery times and recovery points that take into account the potential overall impact on market efficiency, as well as redundant ICT capacities with sufficient resources and their own risk profile, which must also be extensively tested on a regular basis, including the full-failover tests feared by IT departments. DORA explicitly requires that the agreed service quality is achieved even in extreme scenarios. Although the requirements are already relatively specific in the text of the regulation, the ESA will be tasked with specifying the requirements for technical and organizational safeguards in even more concrete terms within the framework of technical regulatory standards, and this will be done within a year, i.e. by the end of 2023.

Chapter 3 deals with the handling of ICT-related incidents, which include “significant cyber threats.” Early warning indicators must be used for these and appropriate classification, response and communication measures must be provided. There will also be ESA technical regulatory standards for the materiality thresholds of serious ICT-related incidents by the end of 2023. Furthermore, DORA – analogous to NIS – provides for a reporting obligation for serious security incidents, with initial reports, interim reports and a final report. The exact deadlines and formats of the notifications will be defined by the ESA within 18 months in the framework of regulatory technical standards. Financial service providers are given the right to outsource reporting obligations under this Article to a third-party service provider, always retaining full responsibility for compliance. Furthermore, the ESA is to examine the extent to which further centralization of reporting is possible and what the requirements are for the establishment of a uniform EU reporting platform. This would provide relief to financial firms with respect to current multiple reporting obligations.

Another focus of DORA is requirements for testing digital resilience, to which a separate chapter is dedicated. The central point is that appropriate tests must be performed at least once a year on all ICT systems and applications that support critical or important functions. Testing here is very broad and includes vulnerability assessments and scans, open source analysis, network security analysis, physical security reviews, software solution scans, source code reviews, scenario-based testing, compatibility testing, performance testing, end-to-end testing, and penetration testing. These tests must be performed by independent internal or external testers, with at least one in three tests being performed by external testers. Financial companies that are classified as significant are also required to perform a Threat Led Penetration Test (TLPT) at least every three years, which includes several or all of a financial company’s critical or important functions and must be performed on live production systems. Third-party ICT service providers may also need to be involved in these tests. Upon completion of the tests, a summary of the significant findings, corrective action plans, and documentation demonstrating that the test was performed as required shall be submitted to the Authority. Also with respect to TLPTs, ESA will develop regulatory technical standards within 18 months that further specify scope and testing methodology.

Another central point of DORA is the management of ICT third-party risk, which is addressed in Chapter 5. Financial firms will be required to manage ICT third-party risk as an integral part of ICT risk and to establish a strategy and associated guidance for this purpose. Companies will be required to keep an information register of all contractual agreements with third-party ICT service providers and to keep it up to date. The management body shall be required to regularly monitor and review the risks associated with the contractual agreements on the use of ICT services; a separate function shall be established to monitor the use of ICT services. Before entering into any contractual agreement for the use of ICT services, financial companies must ensure that these service providers comply with appropriate information security standards and, in the case of critical or important functions, even with the most current and highest-quality standards for information security. This must be ensured throughout the selection and evaluation process and is seen as part of due diligence. Financial firms must ensure that third-party ICT service providers comply with their information security and resilience requirements, including integrating them into their relevant training programs where necessary to do so. Financial firms must also ensure that contractual agreements for the use of ICT services can be terminated if demonstrable weaknesses in the third-party ICT service provider’s overall ICT risk management become known, particularly in the way it ensures the availability, authenticity, security and confidentiality of data. To this end, suitable exit strategies must also be defined that allow the financial company to withdraw from contractual agreements without interrupting its business activities and without impairing the continuity and quality of the services it provides to customers.
The ESA will also prepare technical implementation standards in this regard within a year, which will include standard templates for contractual agreements, specifications regarding the information register as well as the content of the required guideline.

To mitigate concentration risks, DORA also provides for a separate oversight framework for critical third-party ICT service providers. This is intended to cover third-party ICT service providers that have a systemic impact on the stability, continuity or quality of the provision of financial services, or that serve a (yet to be determined) number of global systemically important institutions (G-SRIs) or other systemically important institutions (A-SRIs). The degree of substitutability of the third-party ICT service provider is also to be taken into account. Intra-group ICT service providers should not fall within the oversight scope for critical third-party ICT service providers. The ESA will establish, publish and update the list of critical ICT third-party service providers. A separate supervisory authority will be established for them, which will assess whether each critical third-party ICT service provider has comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements for managing ICT risks; these are listed in Article 33 and correspond to the requirements for financial firms. To this end, an individual oversight plan is drawn up for each critical ICT third-party service provider, describing the planned annual oversight objectives and key oversight measures. The supervisory authority will be given extensive powers and sanction options, ranging from the imposition of periodic penalty payments amounting to 1% of average daily global turnover to the restriction of subcontracting and the possibility of requiring financial companies to terminate the contractual agreements concluded with the critical third-party ICT service provider in question. The Authority’s expenses for carrying out oversight tasks are fully charged to the critical ICT third-party service providers.

Also with respect to financial firms themselves, the regulation establishes appropriate administrative sanctions and remedies for violations of the regulation, which are intended to be effective, proportionate, and dissuasive.

DORA establishes for the first time a strict supervisory framework for operational risks that is uniform throughout Europe. In addition to the strict measures defined by DORA, which should lead to a further improvement in the resilience of European financial service providers, this will bring about harmonization, especially for internationally active financial service providers, which will lead to improved legal certainty within the European framework.

The full legal text can be found at: https://data.consilium.europa.eu/doc/document/PE-41-2022-INIT/en/pdf