The Digital Operational Resilience for the Financial Sector Regulation 2022/2554 (hereinafter the “Regulation” or “DORA”) of the 14th of December 2022 enters into force the 17th of January 2025.
To prevent and mitigate cyber threats, DORA should enable the financial sector to remain resilient in the event of a serious operational disruption. The European Union (hereinafter “EU”) sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide Information Communication Technologies (hereinafter “ICT”)-related services to them, such as cloud platforms or data analytics services.
II. WHO IS CONCERNED?
The Regulation has a very broad scope and covers almost the entire financial sector. It covers 21 categories of entities, including mainly:
- credit institutions
- payment institutions
- electronic money institutions
- insurance companies
- management companies
- third party ICT-related service providers (excluding traditional analogue telephone services)
The Regulation contains a review clause (3 years from now) on whether statutory auditors and audit firms should be included within the scope of DORA.
Technology risks have no borders, and the financial sector deploys its services on a wide cross-border basis within and outside the Union. Therefore, DORA does not only concern European entities! Its scope is broad, and it has extraterritorial effects:
- UK based and other international financial organisations can be subject to DORA requirements if they operate in the EU financial activities falling under its scope.
- Third party ICT-related service providers outside the EU are subject to DORA requirements as soon as they are entering into contractual arrangements with financial entities covered by DORA. Those providers, if designated by DORA as “Critical providers”, have a requirement to set up a subsidiary in the EU within 12 months of the designation if that is not already the case. While there will be no requirements to process data only locally in the EU, DORA lays down that EU supervisory authorities can conduct inspections outside the Union if necessary.
DORA constitutes lex specialis in the financial sector regarding NIS 2 Directive 2022/2555 which lays out measures to ensure a common high level of cyber security throughout the EU (hereinafter “NIS2”) :
- if critical third party ICT-related service providers affected by DORA are cloud service providers affected by NIS2, then the supervisory framework under DORA is complementary to the supervisory framework under NIS2. Therefore, the lead overseer appointed by DORA should be able to consult with the competent authorities under NIS2 before taking any binding action against the provider to promote a collaborative approach in the financial sector.
- the reporting obligations for major ICT-related incidents will be limited to authorities in the financial sector, the latter being responsible for transmitting information on these major incidents to EU public non-financial authorities (e.g. EBA, ESMA, ECB) and information systems security authorities (e.g. ANSSI in France).
Are excluded from the scope of the Regulation, among others:
- managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU ;
- insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC ;
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises ;
- natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU
III. THE REGULATION’S INPUTS
1. OBLIGATION TO STRENGTHEN THE FINANCIAL SECTOR’S GOVERNANCE MECHANISMS
The Regulation requires each entity to adopt an internal governance and control frameworks that ensures effective and prudent management of all types of ICT-related risks. As such, it lists the obligations of the management body that defines, approves, supervises and is responsible for the implementation of such governance.
2. OBLIGATION TO MAINTAIN ICT-RELATED RISK MANAGEMENT PROCEDURES
These procedures are intended to effectively protect the information and IT assets of financial entities. Management bodies should first carry out a risk analysis of their information system and those of their technical service providers. A detailed mapping of the information system and internal and external data flows (e.g. to cloud service providers) will then be necessary.
Financial entities must also implement mandatory technical measures to protect data, including:
- maintaining high standards of data availability, authenticity, integrity and confidentiality, whether at rest, in use or in transit;
- limiting access rights and providing strong authentication;
- detecting anomalous activities by putting into place mechanisms which detect such activities quickly;
- ensuring adequate redundancy of all critical components;
- gathering information on vulnerabilities, cyber threats, ICT-related incidents, and their likely impact on their digital operational resilience. Post-ICT-related incidents reviews should then be conducted after a major incident has disrupted their core business, to analyse the causes of the disruption and identify improvements.
3. OBLIGATION TO REPORT SECURITY INCIDENTS
Major ICT-related incidents must be reported to the competent authorities (and in some cases to the end client) according to a common template and a harmonised procedure. To do this, entities must implement a process for managing these incidents (e.g. putting in place early warning indications to ensure that root causes are identified, documented and to be remedied) and classifying them according to specific criteria.
If such a process already exists, a review should be conducted to ensure that the internal processes already implemented comply with DORA requirements.
Warning: where a major ICT-related incident has an impact on the financial interests of clients, the latter must be informed as soon as possible about that incident and the measures that have been taken to mitigate the adverse effects of such incident.
4. REQUIREMENT TO PERFORM OPERATIONAL RESILIENCE TESTING
Financial entities must perform at their own expense, at least once a year, by independent parties (internal or external) operational resilience tests to verify the level of risk preparedness, identify possible weaknesses, and take prompt corrective action.
5. OBLIGATION TO CONTRACTUALLY FRAME THE RISKS ASSOCIATED WITH THIRD PARTY ICT-RELATED SERVICE PROVIDERS
(I) ENTITIES MUST RESPECT THE GENERAL PRINCIPLES SET OUT IN ARTICLE 28 IN THEIR CONTRACTUAL RELATIONSHIPS WITH THIRD PARTY ICT-RELATED SERVICE PROVIDERS, NAMELY:
- ensuring that their service providers comply with adequate security standards;
- providing a framework for termination options;
- ensuring the possibility to exercise their access, inspection and audit rights;
- providing the reversibility of services supporting critical or important functions.
(II) POINTS TO CHECK BEFORE CONTRACTUAL ARRANGEMENTS WITH THIRD PARTIES:
- assess whether the agreement covers a critical or important function, and if so, assess the benefits and costs of alternative solutions;
- identify and assess all relevant risks, including information concentration risks (that is, when contracting with a provider whose services are not easily substitutable);
- identify and assess any conflicts of interest that may arise from the agreement;
- in case of subcontracting to third parties: assess the benefits and risks that may arise, especially insolvency legislation in case of bankruptcy, constraints for urgent data recovery, compliance with EU data protection rules and effective enforcement in non-EU countries.
- If subcontracting concerns the use of ICT-related services supporting critical or important functions: financial entities shall assess whether and how long and complex chains of subcontracting may compromise their ability to fully monitor the execution of their contractual obligations and the ability of the competent authority to effectively supervise the financial entity in that respect.
(III) OBLIGATIONS TO COMPLY WITH DURING CONTRACTUAL ARRANGEMENTS WITH THIRD PARTIES:
A register of information must be kept in relation to all contractual arrangements on the use of third party ICT-related services providers, distinguishing between those covering critical functions and others.
All contracts concluded with a third party ICT-related service provider must at least include:
- an indication of the locations where the services will be provided and where the data will be processed;
- provisions on the availability, authenticity, integrity and confidentiality of data, including personal data;
- provisions on the guarantee of access, recovery and return of data in the event of insolvency, resolution, cessation of activities of the third party service provider or termination;
- the obligation of third-party service providers to offer incident support to the financial entity at no additional cost or at a cost determined ex ante;
- the obligation of the service provider to cooperate fully with the competent authorities and resolution authorities of the financial entity;
- termination rights and minimum notice periods; financial entities shall ensure that contractual agreements can be terminated if:
- the service provider has significantly breached applicable laws;
- there are circumstances which may alter the performance of the functions provided through the contractual arrangement;
- the service provider has proven weaknesses in its overall ICT-related risk management;
- the competent authority can no longer effectively supervise the financial entity because of the conditions of the contractual arrangement or the circumstances related to it; and
- conditions for the participation of service providers in security awareness programmes and digital operational resilience training developed by financial entities.
Supplementary provisions must be present in contracts covering critical and important functions, including:
- service levels and applicable remedies;
- notice periods and notification requirements by the service provider regarding their ability to provide services supporting critical functions under certain conditions;
- the obligation to implement and test contingency plans;
- the obligation to put in place additional security measures, tools and policies ;
- the obligation for the service provider to participate and cooperate fully in the pen-tests carried out by the financial entity;
- the right to continuously monitor the service provider's performance;
- exit strategies from the contractual arrangements with mandatory adequate transition periods
- without disrupting their business activities;
- without limiting compliance with regulatory requirements;
- without affecting the continuity and quality of services provided to clients.
Finally, financial entities must put in place a specific supervisory framework for critical third party ICT-related providers.
6. MEASURES AND SANCTIONS OF COMPETENT AUTHORITIES
To carry out their tasks under this Regulation, the competent authorities are given injunctive powers to access any documents or data relevant to their supervisory task and to carry out inspections and investigations.
They may also impose remedial measures in case of non-compliance with this Regulation such as:
- require the cessation of conduct;
- impose financial penalties;
- issue public communications indicating the identity of the financial entity in question and the type of violation it is responsible of.
Now that DORA has been officially published, aspects that require clarifications at the national level will be incorporated into the legislation of each EU member state. At the same time, the relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the Regulation as necessary.