The financial sector is heavily dependent on information and communication technologies (ICT). The importance of ensuring remote access to financial services grew even further during the COVID-19 pandemic, with a 72 percent increase in the use of financial applications in Europe.1 Such reliance on ICT has not gone unnoticed: since the pandemic began, cyberattacks on financial institutions have risen by 38 percent,2 while national regulators, occupied elsewhere, struggle to address digital incidents and threats effectively enough for financial entities to withstand potential ICT disruptions.
Under these circumstances, the European Commission adopted a digital finance package on September 24, 2020, which includes a digital finance strategy and legislative proposals on crypto-assets and digital operational resilience.3 Within the latter, the Commission formulated new common rules to mitigate the risks of digital transformation in a Proposal for a Regulation on digital operational resilience for the financial sector (DORA),4 accompanied by a directive.5
So far, the European Union's intervention in this field has been based on minimum harmonization, with rules that are too general and that leave it to the discretion of national authorities to reach their own interpretations. The rules are also limited in scope: they only partially regulate certain aspects of digital operational resilience, such as ICT risk management, incident reporting and ICT third-party risk, while leaving out others, such as testing.
These inconsistencies and gaps have led to overlapping rules in the NIS Directive, EU financial services law and national regimes (mainly as regards incident reporting), to uncoordinated national initiatives (especially concerning testing) and to divergent supervisory approaches (particularly towards ICT third-party dependencies). Taken together, these issues translate into high administrative and compliance costs for cross-border financial entities, or into elevated ICT risk.6
The overall objective of the DORA is therefore to streamline and upgrade existing (limited) rules on ICT governance (Chapter I), to manage ICT risks (Chapter II) and ICT-related incident reporting (Chapter III), and to introduce new requirements where gaps exist, particularly with respect to digital testing (Chapter IV), information sharing (Chapter VI) and management of ICT third-party risks (Chapter V), which includes an oversight framework for critical ICT third-party service providers to monitor digital risks. Furthermore, it provides financial supervisors with the tools necessary to fulfill their mandate to contain financial instability stemming from those ICT vulnerabilities (Chapter VII).
The accompanying directive amends the existing financial services directives to introduce cross-references to the DORA and to update the empowerments for technical standards.
To achieve this objective, the European Commission extends the applicability of the rules to 20 types of regulated EU financial entities, such as banks, stock exchanges and clearinghouses, as well as fintechs. Payment systems, card payment schemes and certain system operators and participants under the Settlement Finality Directive remain outside its remit. While the scope of the DORA is proposed to encompass nearly the entire financial system, it also allows for proportionate application of the requirements to financial entities that are micro enterprises7 or, conversely, to significant financial entities, such as large credit institutions, central securities depositories or central counterparties.
As for ICT governance, the DORA aims to align financial entities' business strategies with the conduct of ICT risk management. To that effect, the full responsibility and accountability of the management body is the overarching principle for managing a financial entity's ICT risk. It is translated into a set of specific requirements, such as the full range of approval and control processes (e.g., ICT policies, audits and arrangements with third-party service providers), the assignment of clear roles and responsibilities for all ICT-related functions, the setting of ICT risk tolerance levels, and an appropriate allocation of ICT investment and training.8
The ICT risk management requirements form a set of key principles revolving around specific functions (identification; protection and prevention; detection; response and recovery; learning and evolving; and communication). Most of them are already recognized by current technical standards and industry best practices, such as the NIST Cybersecurity Framework, and the DORA therefore does not impose a specific standard itself. Regulated financial entities are required to identify all sources of ICT risk on a continuous basis, to set up protection and prevention measures, to promptly detect anomalous activities, and to put in place dedicated and comprehensive business continuity policies and disaster recovery plans. In addition, the DORA stresses the learning and evolving function, in the form of information gathering and post-incident review and analysis, and the communication function, by requiring a strategy for communicating ICT-related incidents to clients, counterparts and the public.9
The ICT-related incident reporting rules oblige financial entities to establish and implement a management process to monitor and log ICT-related incidents and to classify them based on criteria set out in the regulation and further developed by the European Supervisory Authorities (ESAs).10 Only ICT-related incidents classified as major must be reported to the relevant competent authority. Reports should use a common template within a harmonized procedure developed by the ESAs. Financial entities should submit initial, intermediate and final reports, and should inform their users and clients where an incident has or may have an impact on their financial interests. The competent authority should in turn provide feedback and pertinent details to the ESAs, the ECB and the single points of contact designated under Directive (EU) 2016/1148 (the NIS Directive). Last but not least, the ESAs and the ECB, together with ENISA, should consider establishing a single EU hub for centralized reporting of major ICT-related incidents.11
Digital operational resilience testing provides for the periodic testing of the ICT risk management framework, in order to assess preparedness, identify weaknesses, deficiencies or gaps, and promptly adopt corrective measures. Financial entities should test all critical ICT systems and applications at least yearly.
The DORA allows for proportionate application here as well: basic testing is obligatory for all financial entities, whereas advanced testing is only required of financial entities identified as significant by the competent authority, based on criteria set out in the regulation and further developed by the ESAs.12
The ICT third-party risk rules harmonize key elements of the relationship with ICT third-party service providers throughout all stages of the contractual arrangement. Most notably, contracts will be required to contain a complete description of the services, an indication of the locations where data are processed and stored, relevant provisions on accessibility, availability, integrity, security and protection of personal data, notice periods and reporting obligations of the ICT third-party service provider, the right to monitor, clear termination rights, and dedicated exit strategies. As some of these contractual arrangements can be standardized, the DORA provides for the voluntary use of standard contractual clauses, to be developed by the European Commission for the use of cloud computing services. Moreover, ICT third-party service providers designated as critical (CTPPs) by the ESAs, acting through their Joint Committee, will be subject to an oversight framework. The ESA designated as lead overseer for a given CTPP should ensure that it is adequately monitored, so as to avoid a domino effect across the heavily interconnected financial sector. The ESAs' efforts in the Joint Committee should be supported by a dedicated subcommittee (the Oversight Forum) that carries out preparatory work for individual decisions and collective recommendations addressed to CTPPs.13
The information sharing provisions allow financial entities to set up arrangements to exchange among themselves, in a trusted environment, cyber threat information and intelligence on tactics, techniques and procedures, alerts and configuration tools.14
The provisions on competent authorities designate a competent authority for each type of financial entity, require Member States to confer the power to apply administrative penalties or remedial measures, and delineate cooperation with the NIS structures, since the DORA maintains links to the NIS framework rather than creating a new EU authority for the supervision of ICT third-party risk.15
In summary, the DORA would be a much-welcomed catalyst for efforts to build the digital single market for financial services. The same results clearly could not be achieved by means of increased capital buffers, the traditional approach to operational risk, notably in banking. Instead, current circumstances call for a comprehensive framework at the EU level, setting out rules on digital operational resilience for all regulated financial entities, which would address ICT risks more comprehensively, give financial supervisors access to information on ICT-related incidents, ensure that financial entities assess and identify their ICT vulnerabilities, strengthen the outsourcing rules governing the indirect oversight of ICT third-party providers, enable direct oversight of the activities of ICT third-party providers when they serve financial entities, and, in addition, incentivize the exchange of threat intelligence within the financial sector.16
Although the DORA is still only a proposal, it is very likely that the new obligations set out above will come into force in some form, given that the digital finance package already garnered broad support from the economic and finance ministers of the Member States at the Economic and Financial Affairs Council (ECOFIN) on October 6, 2020. Moreover, the German presidency intends to work intensively on the legislative proposals on crypto-assets and operational resilience.17 Bearing in mind that it can take considerable time to become familiar with these requirements (both legally and technologically) and to ensure compliance with them, the swift developments in this field should not escape your attention. In this spirit, we hope this message finds you well.