DORA: how to strengthen financial entities’ digital operational resilience
Thursday 6 July 2023
Thibault Boscart
LYDIAN, Brussels
thibault.boscart@lydian.be
Bastiaan Bruyndonckx
LYDIAN, Brussels
bastiaan.bruyndonckx@lydian.be
Introduction
On 27 December 2022, the Digital Operational Resilience Act (DORA)[1] was published in the Official Journal of the EU. Its aim is to achieve a high common level of digital operational resilience for the financial sector.
It lays down uniform requirements for the security of network and information systems supporting the business processes of financial entities. These are, in particular, requirements applicable to financial entities relating to: ICT risk management; reporting of major ICT-related incidents or major operational or security payment-related incidents and voluntary notification of significant cyber threats; digital operational resilience testing; and information and intelligence sharing in relation to cyber threats and vulnerabilities. There are also requirements relating to ICT third-party risk management, including contractual arrangements with ICT third-party service providers.
DORA also provides rules for the establishment and conduct of an oversight framework for critical ICT third-party service providers, and establishes rules on cooperation among and enforcement by competent authorities.[2]
While DORA provides for the general requirements, many obligations will be further elaborated by regulatory and implementing technical standards or delegated acts.
Scope of application
DORA applies to a broad spectrum of financial entities: credit institutions; payment institutions; account information service providers; electronic money institutions; investment firms; crypto-asset service providers and issuers of asset-referenced tokens; central securities depositories; central counterparties; trading venues; trade repositories; managers of alternative investment funds; management companies; data reporting service providers; insurance and reinsurance undertakings; insurance intermediaries; reinsurance intermediaries and ancillary insurance intermediaries; institutions for occupational retirement provision; credit rating agencies; administrators of critical benchmarks; crowdfunding service providers; and securitisation repositories.[3]
Certain financial entities are excluded due to their size. For example, insurance and reinsurance undertakings excluded under Solvency II are also excluded from DORA’s scope.[4] DORA does not apply to insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises,[5] nor to institutions for occupational retirement provision which operate pension schemes with no more than 15 members in total.[6]
In addition, various exemptions from certain requirements apply to microenterprises[7] or financial entities which are subject to a simplified ICT risk management framework.[8]
DORA also applies to ICT third-party service providers – that is, to certain undertakings providing ICT services to financial entities, such as cloud computing services, software, data analytics services or data centre services.[9]
Requirements for financial entities
The main obligations of financial entities under DORA relate to ICT risk management, ICT-related incident management, classification and reporting, digital operational resilience testing and ICT third-party risk management.[10] DORA also allows for information and intelligence sharing arrangements.[11] Each of the above topics is briefly introduced below.
Given the broad scope of application of DORA and the extensive obligations it imposes on financial entities, DORA introduces the so-called ‘proportionality principle’.[12] Financial entities must therefore implement the ICT risk management obligations taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations; the same applies to the other obligations where DORA specifically provides for it.
ICT risk management
DORA requires financial entities to set up an internal governance and control framework which ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience.
The ‘management body’[13] bears the ultimate responsibility for the management of the financial entity’s ICT risk and, more generally, plays a crucial role in compliance with DORA.[14] In respect of ICT third-party risk, financial entities must appoint an ‘ICT Third-Party Officer’ to monitor the arrangements concluded with ICT third-party service providers or must designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation. The management body must also keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the entity’s operations.
Financial entities must have a sound, comprehensive and well-documented ICT risk management framework which enables them to address ICT risk quickly, efficiently, and comprehensively and which includes, among others, the policies, protocols, and tools necessary to protect all information or ICT assets and a digital operational resilience strategy.[15]
The ICT risk management framework must at least contain mechanisms of identification,[16] protection and prevention,[17] detection,[18] response, backup, and recovery,[19] learning and evolving[20] and communication.[21]
Small and non-interconnected investment firms, payment and electronic money institutions exempted from sectoral legislation, institutions for occupational retirement provision which operate pension schemes with no more than 100 members in total or institutions exempted from the Capital Requirements Directive are subject to a simplified ICT risk management framework.[22]
ICT-related incident management, classification and reporting
DORA contains requirements for financial entities with respect to the management and classification of ICT-related incidents and cyber threats as well as the reporting of ICT-related incidents.[23]
Financial entities will be required to report major ICT-related incidents to the competent authorities and to notify clients of the incident and of the measures taken where the incident affects their financial interests. DORA further provides for a possibility to notify, on a voluntary basis, significant cyber threats to the competent authorities and, where applicable, to potentially affected clients.
For credit institutions, payment institutions, account information service providers and electronic money institutions, the same obligations apply mutatis mutandis to operational or security payment-related incidents, whether ICT-related or not.[24]
Digital operational resilience testing
For purposes of periodically addressing cyber resilience and identifying weaknesses, deficiencies, or gaps, as well as the prompt implementation of corrective measures, financial entities must establish, maintain and review a sound and comprehensive digital operational resilience testing programme. Testing is to be performed by (internal or external) independent parties, according to established procedures and policies and at least on an annual basis for all ICT systems and applications supporting critical or important functions.[25]
All financial entities must perform appropriate regular tests of ICT tools and systems, such as vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing.[26]
In addition, financial entities which are identified by competent authorities as ‘significant’ will be required to conduct advanced testing by way of Threat-Led Penetration Testing (TLPT), a framework that mimics tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat.[27] TLPT must cover critical or important functions and must be performed on live production systems.
ICT third-party risk management
Financial entities must adopt and regularly review their ICT third-party risk strategy as part of their ICT risk management framework. The strategy must include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. The management body must regularly review the risks identified in relation to contractual arrangements on the use of those ICT services.[28]
Financial entities must maintain and update a register of information in relation to all contractual arrangements with ICT third-party service providers and report at least annually to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions provided.[29] The competent authority must also be informed in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.[30]
Financial entities must also conduct a pre-contractual assessment of any ICT third-party service provider and any relevant risks concerning ICT concentration, subcontracting and bankruptcy.[31]
DORA furthermore contains minimum requirements concerning the contractual arrangements[32] entered into between financial entities and ICT third-party service providers, such as monitoring rights, termination rights or exit strategies.
Information sharing arrangements
To enhance their digital operational resilience, financial entities are allowed to set up cyber threat information and intelligence exchange arrangements, for example on indicators of compromise, tactics, techniques, and procedures, cybersecurity alerts and configuration tools.
Supervision of critical ICT third-party service providers
DORA creates an entirely new oversight framework for critical ICT third-party service providers.[33] The European Supervisory Authorities (ESAs) will designate the ICT third-party service providers that are critical for financial entities and appoint, per critical ICT third-party service provider, an ESA that shall function as ‘lead overseer’.[34]
The designation will be based on an assessment of: the systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant service provider faces a large-scale operational failure; the systemic character or importance of the financial entities that rely on the relevant service provider; the reliance of financial entities on the services provided by the relevant service provider in relation to critical or important functions of financial entities that ultimately involve the same service provider; and the degree of substitutability. Cloud service providers, for example, would be considered critical.
Critical ICT third-party service providers will be subject to comprehensive oversight from their lead overseer. The lead overseer will assess whether the service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities. The assessment will focus mainly on ICT services supporting critical or important functions but can be extended where necessary.[35]
The powers of the lead overseer include requesting all relevant information and documentation;[36] conducting general investigations;[37] conducting inspections;[38] issuing recommendations and requesting, after the completion of the oversight activities, reports on actions taken or remedies implemented.
If oversight cannot be adequately exercised on the EU subsidiary or EU premises of a service provider, the lead overseer can exercise its powers on any third country premises owned or used for providing services to EU financial entities subject to certain conditions.[39]
The lead overseer shall charge critical ICT third-party service providers oversight fees that fully cover its necessary expenditure.[40] It can also impose penalty payments in case of non-compliance with the measures to be taken.[41]
Implementation
DORA entered into force on 11 January 2023 and shall apply from 17 January 2025.
Financial entities, (critical) ICT third-party service providers and competent authorities are granted a transition period of two years to ensure compliance with DORA, its regulatory or implementing technical standards and delegated acts.
As highlighted above, many important obligations will be further elaborated by regulatory and implementing technical standards and delegated acts. The ESAs are tasked with the development of draft regulatory and implementing technical standards further detailing the requirements regarding: ICT risk management tools, methods, processes and policies; simplified ICT risk management framework; classification; reporting content and templates; register of information; TLPT; ICT third-party risk policy; assessment in case of subcontracting; and conditions enabling the conduct of oversight.[42] The ESAs must submit their draft regulatory and implementing technical standards by 17 January 2024, after which the Commission is expected to adopt these technical standards by 17 January 2025.
The European Commission is also expected to adopt delegated acts with respect to the criteria for designation of critical third-party service providers and the oversight fees by 17 July 2024.[43] Various delegated acts and regulatory technical standards are therefore expected to be published between 17 January 2024 and 17 January 2025.
Notes
[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
[2] Cooperation and enforcement will not be addressed in this article.
[7] ie, entities, other than trading venues, central counterparties, trade repositories or central securities depositories, which employ fewer than ten people and have an annual turnover and/or annual balance sheet total that does not exceed €2m (Art 3(60) DORA).
[8] Recitals 42 and 43 DORA.
[9] Recital 63 and Art 2(1)(u) DORA.
[13] ‘Management body’ refers to a management body as defined in Art 4(1), point (36), of Directive 2014/65/EU, Art 3(1), point (7), of Directive 2013/36/EU, Art 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Art 2(1), point (45), of Regulation (EU) No 909/2014, Art 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant EU or national law (Art 3(30) DORA).
[19] Arts 11 and 12 DORA.
[22] Recitals 42 and 43 DORA.
[29] Art 28(3), paras 1 and 2 DORA.
[30] Art 28(3), para 5 DORA.
[41] Art 35(6) to (11) DORA.
[42] Arts 15, 16(3), 18(3), 20, 26(11), 28(9) and (10), 30(5), and 41 DORA.
[43] Arts 31(6) and 43(2) DORA.