DORA is bringing resilience to the financial sector and beyond
Does she also bring a lot of bureaucracy, and how do you manage the compliance process?
The financial sector has been dependent on information and communication technology (ICT) for a long while, and this dependency is only increasing with time. The sector uses ICT to deliver its financial services to other sectors and to society, and for that delivery it in turn depends on ICT service providers.
This chain of dependency, according to the EU, poses a risk of disruptions to financial entities, impacting other sectors and potentially the whole economy, because ICT service providers are not as well regulated as the financial entities themselves. So, that’s why DORA comes to the rescue!
Who is DORA?
DORA stands for Digital Operational Resilience Act. It entered into force on 16 January 2023 and will apply as of 17 January 2025. The goal of the Act is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms, thus ensuring that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.
According to the Council of the EU “the ever-increasing risks of cyber-attacks” and other disruptions in the ICT field need to be addressed. DORA sets uniform requirements for the security of network and information systems for the whole chain of all entities in the financial sector and all third parties providing ICT services to them (e.g. cloud platforms or data analytics services).
These requirements are homogeneous across all EU member states. The core aim is to prevent and mitigate cyber threats. Organisations falling within the scope of the regulation need to be able to withstand, respond to and recover from all types of ICT-related disruptions and threats.
From broader to particular
DORA was part of a larger digital finance package, proposed by the European Commission with the aim of laying the foundation for fostering technological development and ensuring financial stability and consumer protection. In addition to the DORA proposal, the package contained a digital finance strategy, a proposal on markets in crypto-assets (MiCA) and a proposal on distributed ledger technology (DLT). You can read more about MiCA and how we can help you to comply by clicking here.
DORA covers six crucial tracks:
- ICT risk management – this framework sets principles and requirements on ICT risk management;
- ICT third-party risk management – this one covers monitoring third-party risk, and key contractual provisions;
- Digital operational resilience testing – a range of tests, including basic and advanced testing;
- ICT-related incidents – this framework includes management of ICT-related incidents, as well as notification of major ones and of significant cyber threats to competent authorities;
- Information sharing – exchange of information and intelligence on cyber threats;
- Oversight of critical third-party providers – oversight framework for ICT third-party providers that are designated as critical by the ESAs for the financial sector.
The relevant European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will develop technical standards that all financial service institutions should comply with, from banking to insurance to asset management. The respective national competent authorities will be responsible for compliance oversight and will enforce the regulation as necessary.
First batch of policy products
The first set of technical standards developed by the ESAs came out on 17 January 2024. The joint final draft technical standards include:
Regulatory Technical Standards (RTS) on ICT risk management framework and on simplified ICT risk management framework
These RTS identify further elements related to ICT risk management. The goal is to harmonise tools, methods, processes and policies. The RTS state that these elements are complementary to the ones already identified in DORA.
The RTS identify the key elements that financial entities subject to the simplified regime and of lower scale, risk, size and complexity would need to have in place, setting out a simplified ICT risk management framework. The RTS ensure the ICT risk management requirements are harmonised among the different financial sectors.
RTS on criteria for the classification of ICT-related incidents
Here the criteria for the classification of major ICT-related incidents are specified, as well as
- the approach for the classification of major incidents,
- the materiality thresholds of each classification criterion,
- the criteria and materiality thresholds for determining significant cyber threats,
- the criteria for competent authorities to assess the relevance of incidents to competent authorities in other Member States and the details of the incidents to be shared in this regard.
The RTS ensure a harmonised and simple process of classifying incident reports throughout the financial sector.
RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (TPPs)
These RTS specify parts of the governance arrangements, risk management and internal control framework that financial entities should have in place regarding the use of ICT third-party service providers.
They aim to ensure financial entities remain in control of their operational risks, information security and business continuity throughout the life cycle of contractual arrangements with such ICT third-party service providers.
Implementing Technical Standards (ITS) to establish the templates for the register of information
Finally, the ITS set out the templates to be maintained and updated by financial entities in relation to their contractual arrangements with ICT third-party service providers. The register of information will play a crucial role in the ICT third-party risk management framework of the financial entities. It will also be used by competent authorities and ESAs in the context of supervising financial entities’ compliance with DORA and to designate critical ICT third-party service providers that will be subject to the DORA oversight regime.
Second batch of policy products
The second batch, again developed by the ESAs, was published exactly six months later, on 17 July 2024. It consists of four final draft regulatory technical standards (RTS), one set of Implementing Technical Standards (ITS) and two guidelines. The aim of those documents is to enhance the digital operational resilience of the EU’s financial sector.
The package focuses on the reporting framework for ICT-related incidents (reporting clarity, templates) and threat-led penetration testing. It also introduces some requirements on the design of the oversight framework.
The final draft technical standards include:
- RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats;
- RTS on the harmonization of conditions enabling the conduct of the oversight activities;
- RTS specifying the criteria for determining the composition of the joint examination team (JET); and
- RTS on threat-led penetration testing (TLPT).
The set of guidelines includes:
- Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents; and
- Guidelines on oversight cooperation.
Additionally, a Joint Final report on the draft technical standards on subcontracting was released the following week. These RTS focus on ICT services provided by subcontractors that support critical or important functions, or material parts of them.
They also specify the requirements throughout the lifecycle of contractual arrangements between financial entities and ICT third-party service providers. In particular, they require financial entities to assess the risks associated with subcontracting during the precontractual phase, including the due diligence process.
Delegated and implementing acts
As part of the implementation process, the European Commission adopts different acts to specify how competent authorities and market participants shall comply with the obligations laid down in the regulation.
So far there are five delegated regulations related to DORA, concerning:
- RTS specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents;
- RTS specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by third-party service providers;
- RTS specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework;
- Determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid;
- Specifying the criteria for the designation of ICT third-party service providers as critical for financial entities.
The regulations will come into force once they are published in the Official Journal of the EU.
Next steps
The application of DORA starts from 17 January 2025. The oversight activities also start from the beginning of 2025, which means the competent authorities will be actively monitoring whether the new rules are being observed.
How can we support you?
YNG legal is here to support you in the process of transitioning to full compliance with the Digital Operational Resilience Act by:
- guiding you through the whole process of meeting the new regulatory requirements: analysing the current situation, mapping the next steps, creating key documents and working with the authorities;
- closely cooperating with your in-house IT team: our lawyers are tech-savvy and experienced in working with IT specialists in various fields and on different scales: from start-ups to global corporations;
- connecting you with highly specialized IT companies to further consult you, no matter how big or small your in-house IT department is.
Don’t wait any longer! Get in touch now to set up your compliance!