What DORA is all about – a shift in cyber security awaiting the financial sector
The European Union has recently witnessed an increase in cyber-attacks on financial institutions, and this rapid jump in cyber-aggression is one of the reasons for the development of a proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (“DORA”).
Both Member States and EU bodies have attempted to address the risks associated with ICT. The solutions proposed to date have regulated ICT only in a limited way and were too general, leaving national authorities with a wide margin of interpretation. The absence of a uniform policy in this area has led to inconsistent legal requirements and duplication of regulations in EU and national laws. As a result, financial institutions with cross-border operations face the risk of having to comply with differing regulations depending on their activities and local ICT requirements, which translates, in particular, into high administration and compliance costs.
DORA – objective, rationale and personal scope
DORA improves and updates existing regulations on ICT management, ICT risk management and ICT-related incident reporting. It also introduces new regulations to fill existing gaps, in particular with regard to digital operational resilience testing, information sharing and management of ICT third-party risk. DORA also confers appropriate powers on financial supervisory authorities to monitor compliance with the obligations under the proposed regulation.
The personal scope of DORA is broad, covering 20 types of regulated financial sector entities (“Financial Entities”). In addition to “classic” entities such as banks, credit and payment institutions and investment firms, DORA also covers crypto-asset service providers, data reporting service providers and crowdfunding service providers, among others.
DORA follows the principle of proportionality in its treatment of subject entities. Financial entities classified as micro enterprises are required to comply to a lesser extent with some of the obligations under DORA and are completely exempt from others.
Management body responsibility as an overarching principle
The overarching principle introduced via DORA is that the management body has full responsibility for defining, approving, implementing and overseeing ICT risk management frameworks. This translates into the obligation to develop and approve appropriate policies, set roles and responsibilities for ICT-related functions, determine the ICT risk tolerance level, and approve audit plans and arrangements for ICT third-party service providers.
Members of the management body of a financial entity are required to improve and keep up to date their knowledge and skills to ensure they are able to accurately understand and assess ICT risks and their impact on the operations of the financial entity.
Management of ICT-related risk
Financial Entities are required to identify on a continuous basis all sources of ICT risk, set up protection and prevention measures, and quickly detect anomalous activities and ICT network performance issues.
DORA requires Financial Entities to put in place ICT business continuity policies, contingency plans and ICT disaster recovery plans. Financial Entities are also required to have in place adequate numbers of qualified staff to gather information on vulnerabilities, cyber threats and ICT-related incidents, in particular cyber-attacks. Staff should also be able to analyse the likely impact of cyber-attacks on the entity's digital operational resilience.
ICT-related incident reporting
DORA requires Financial Entities to implement ICT-related incident detection and management. Incidents must be classified based on criteria detailed in the proposed regulation (e.g. the number of financial counterparts disrupted by an ICT-related incident, its duration or the criticality of services affected).
Financial Entities should report major ICT-related incidents to the relevant supervisory authority (not yet designated), and service users or clients, indicating remedial steps taken. For each major incident, Financial Entities should submit initial, intermediate and final reports.
New approach to testing
Each Financial Entity covered by DORA must have a digital operational resilience testing programme in place to assess its preparedness for ICT-related incidents and to identify weaknesses or gaps in its defences. The programme comprises a range of assessments, tests, methodologies, practices and other assessment tools, with Financial Entities being required to test all critical ICT systems and applications at least on an annual basis.
In addition, Financial Entities identified by the relevant supervisory authority as significant will be subject to advanced testing, by means of threat led penetration testing (TLPT), at least every 3 years.
ICT service providers – a new chapter in relations with the financial sector
DORA defines ICT third-party service providers as undertakings providing digital and data services, including providers of cloud computing services, software, data analytics services and data centres. Key elements of the relationship with ICT service providers will be regulated at all stages of contractual arrangements, with Financial Entities bearing the responsibility for complying with their obligations under DORA and financial services legislation.
Contracts between a Financial Entity and an ICT service provider should now include a complete description of contracted functions and services, an indication of where and how data will be transferred, and information on the accessibility, availability, integrity, security and protection of personal data. In addition, notice periods, reporting obligations of ICT service providers, clear termination rights and dedicated exit strategies must also be indicated.
ICT third-party service providers with critical status
According to the proposal, taking into account DORA criteria, ESAs (EBA, ESMA, EIOPA) shall designate ICT third-party service providers that are critical for financial entities, adopting an individual oversight plan for each such critical service provider.
Financial Entities will also be prohibited from engaging ICT third-party service providers established in a third country that would be designated as critical if they were established in the European Union. This significantly limits the ability of large non-EU service providers to render such services.
DORA allows supervisory authorities to impose penalty payments on critical service providers for each day of non-compliance with DORA requirements, reaching 1% of the average daily worldwide turnover in the preceding business year. This penalty payment may also be imposed for submitting incomplete information to the supervisory authority in response to a request or for failing to submit to an inspection by that authority.
It should be stressed that DORA is still at the proposal stage, with some way to go before it is finalised. Although Financial Entities covered by DORA will certainly need time to get a firm grasp on the new requirements, based on the draft proposal they can already take pre-emptive steps to manage their compliance process more smoothly. Entities are well advised to already be performing a preliminary analysis of the conditions for being considered a “significant” entity and, at a minimum, to review existing internal policies and response and recovery plans for potential compliance with the requirements.
DORA is a further step towards the establishment of a robust digital single market for financial services. Laying down a comprehensive and harmonised legal framework at EU level, with supervisory authorities at the helm, the new proposals will certainly serve to gradually enhance security and resilience to ICT risks.