On 24 September 2020, the European Commission published a proposal for a new regulation – the Digital Operational Resilience Act ("DORA") – and an accompanying directive to harmonise digital operational resilience rules for financial organisations in the EU.
Digital operational resilience
Digital operational resilience is the ability to build, assure and review the technological operational integrity of an organisation by ensuring that the organisation can support the continued provision of services and their quality in the face of operational disruptions affecting its information and communication technologies ("ICT") capabilities.
Examples of disruptions affecting ICT capabilities include, for example, cyber-attacks and other incidents, technological failures, as well as other malicious and non-malicious events.
Aim of the proposals
The European Commission has introduced the DORA to harmonise the EU's currently fragmented regulatory landscape regarding digital operational resilience testing and the oversight of critical ICT third-party service providers. This fragmentation makes it difficult for cross-border financial organisations to be compliant with EU Member States' national rules, especially where the rules are overlapping, inconsistent and/or duplicative.
The DORA proposal forms part of the wider European Commission's digital finance package seeking to support the potential of digital finance in terms of innovation and competition while mitigating the risks arising from it. Other parts of the package include, for example, legislative proposals on crypto-assets and a pilot regime for market infrastructures based on distributed ledger technology.
Types of organisations expected to be in scope
According to the proposal, the DORA obligations would apply to:
- financial entities such as credit and payment institutions, electronic money institutions, investment firms, crypto-asset service providers, alternative investment funds managers, management companies, insurance undertakings and intermediaries, credit rating agencies, audit firms, institutions for occupational retirement pensions, securities, trade and securitisation repositories, crowdfunding service providers; and
- ICT third-party service providers such as providers of cloud computing services, software, data analytics and data centres.
- ICT risk management (Chapter 2 DORA) Financial entities will be required, amongst others, to:
- Put in place an ICT risk management framework to ensure an effective and prudent management of all ICT risks, including detection, response and recovery. Such frameworks should be defined, approved and overseen by the management who will bear the final responsibility for managing the financial entity's ICT risk.
- Use and maintain updated ICT systems which are reliable and appropriate to the conduct of their activities, have sufficient capacity to accurately process data, and are technologically resilient.
- Design and implement ICT security strategies and policies, including an information security policy, business continuity policy and backup policy, to ensure the resilience, continuity and availability of ICT systems.
- ICT-related incidents (Chapter 3 DORA) Financial entities will be required, amongst others, to:
- Establish and implement an ICT-related incident management process to detect and manage ICT-related incidents.
- Report major ICT-related incidents to the relevant competent authority within prescribed timeframes to allow financial supervisors to better assess the frequency, nature, significance and impact of all major ICT-related disruptions.
- Digital operational resilience testing (Chapter 4 DORA) Financial entities will be required to perform regular digital operational resilience testing by independent parties (whether internal or external).
- Managing ICT third-party risk (Chapter 5 DORA) Financial entities will be required to manage ICT third-party risk as an integral component of its ICT risk management framework. They shall ensure that the contract with the ICT third-party service provider covers at least the minimum requirements set out in Article 27 of the DORA proposal. The contract will be required to include, among others, a clear and complete description of all functions and services to be provided, the location of the provision of services, full service level descriptions, requirements for the ICT third-party service provider to implement and test business contingency plans, audit rights and exit strategies.
In addition, the DORA proposal envisages that some ICT third-party service providers will be publicly designated by regulators as "critical" and regulated by an EU Oversight Framework. The critical third-party service providers will be required to:
- Put in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which they may pose to financial entities.
- Provide information to a "lead overseer" and allow for investigations and on-site inspections by the lead overseer.
- Pay fees to the lead overseer that cover the regulator's costs and are proportionate to the provider's turnover.
- Information sharing arrangements (Chapter 6 DORA) Subject to EU data protection and competition laws, financial entities will be allowed to participate in information-sharing arrangements regarding cyber threat information and intelligence. Financial entities will be expected to notify their competent authority if they take part in such arrangements.
For financial entities, it is expected that compliance with the obligations set out in DORA will be ensured by the entity's existing competent authority. In addition to the right to impose administrative fines and remedial measures (such as cease and desist orders and public notices), EU Member States will also have the right to impose criminal penalties for breach of the obligations.
It is expected that each critical ICT third-party service provider will have the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), or the European Insurance and Occupational Pensions Authority (EIOPA) appointed as a "lead overseer". The lead overseer will assess whether the provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which it may pose to financial entities.
The European Commission is seeking public feedback on the proposals until 12 April 2021. The feedback will be summarised and presented to the European Parliament and Council to inform the legislative debate. The proposals are likely to undergo further changes before their final adoption, for example, in relation to the oversight framework for critical ICT third-party service providers (see letter from the chairs of the EBA, ESMA and EIOPA published on 9 February 2021 outlining some of the potential challenges with the current proposal).
However, it is very likely that the new rules will come into force in some form and that the financial services industry and ICT third-party providers will be required to comply with new rules on operational resilience.
Global view on digital operational resilience
Once approved, the DORA would not apply directly in the United Kingdom as a result of Brexit. However, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority have been co-ordinating and consulting on new requirements to strengthen operational resilience in the financial services sector including in relation to third-party risk management and outsourcing. The consultation period closed in October 2020 and the regulators are likely to consider any new requirements for digital operational resilience with a new post-Brexit outlook. It is expected that any new requirement would not replace the existing risk management requirements but sit alongside them. Certain market participants, including multinational firms, have expressed concern that differing international approaches to operational resilience make it difficult to know how to implement the varying requirements. In the UK, the Prudential Regulation Authority has stated that the UK finalised rules will have been made in consultation with other international bodies and supervisors and therefore such firms can be reassured that compliance with the UK rules will mean they are also complying with other major operational resilience frameworks.
Digital operational resilience in the financial sector is also a hot topic for regulators in other jurisdictions. Last year, the Basel Committee on Banking Supervision's consulted on Principles for operational resilience to help banking regulators promote a principles-based approach to improving operational resilience. In the US, federal banking regulators issued guidance in October 2020 on sound practices for the largest banking organizations to strengthen their operational resilience, including with respect to cyber risk management (see our client alert).
As mentioned above, the introduction of new rules and guidance creates a patchwork of regulation which presents compliance challenges to financial services organisations and their third-party suppliers. However, in the EU, the introduction of DORA as a single legislative instrument would be a welcome step and help to harmonise digital operational resilience rules for financial services across the EU.