On 11 May 2022 the Council of the EU and the European Parliament announced that they have reached a provisional political agreement on the proposed Regulation on digital operational resilience for the financial services sector, referred to as the ‘Digital Operational Resilience Act’ (DORA or the Regulation). The final text is not yet available but the latest draft of the text can be found here.
The next steps are formal approval and adoption of the Regulation, both expected later in 2022. Because DORA is a Regulation rather than a Directive, once adopted and in force it will apply directly in every EU Member State without needing to be transposed into national law.
The financial services sector in the UK will continue to adhere to the rules of the Financial Conduct Authority/FCA and the Prudential Regulation Authority/PRA, both of which are also focusing on enhanced requirements around operational resilience.
What is the aim of introducing DORA?
DORA aims to consolidate and upgrade information and communication technology/ICT risk requirements throughout the EU financial sector and to establish a single, streamlined digital operational resilience framework across that sector. It will also establish a new oversight framework for ‘critical’ ICT third-party service providers that provide ICT services to financial entities.
Amongst other requirements, financial entities and service providers caught by DORA will be required to:
- implement governance and control frameworks to manage ICT risks effectively;
- carry out enhanced digital operational resilience testing;
- manage ICT third-party risk as part of their ICT risk management frameworks; and
- report major ICT related incidents to competent authorities.
Who will be caught by DORA?
The Regulation contains specific provisions that apply to financial entities. In the draft version currently available, Article 2(1) lists the financial entities for the purposes of the Regulation. This list is wide ranging and includes credit, payment and e-money institutions, investment firms, crypto-asset service providers, issuers of crypto-assets, insurance and reinsurance undertakings, credit rating agencies, statutory auditors and audit firms and crowdfunding service providers. Key requirements of financial entities include the following:
- A requirement to have in place internal governance and control frameworks that ensure an effective and prudent management of all ICT risks (Article 4(1)).
- The management body of each financial entity shall oversee and be accountable for the implementation of all arrangements related to the ICT risk management framework. This obligation encompasses bearing ultimate responsibility for ICT risks and setting clear roles and responsibilities regarding ICT functions.
The Regulation also includes provisions applicable to ICT services and third-party service providers. Article 3 sets out various key definitions that apply to such businesses, including:
- ICT services, which is defined widely, meaning digital and data services provided through ICT systems to one or more internal or external users, including provision of data, data entry, data storage, data processing and reporting services, data monitoring as well as data based business and decision support services. The definition is therefore not limited to outsourcing arrangements and will instead be relevant to a wide range of technology related contracts;
- critical or important function, meaning a function whose discontinued, defective or failed performance would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services legislation, or its financial performance or the soundness or continuity of its services and activities;
- ICT third-party service provider, meaning an undertaking providing digital and data services, including providers of cloud computing services, software, data analytics services, data centres (but excluding providers of hardware components and undertakings authorised under Union law which provide electronic communication services); and
- critical ICT third-party service provider meaning an ICT third-party service provider designated in accordance with Article 29 (or Article 28, as we think it should correctly read) and subject to the Oversight Framework referred to in Articles 30 to 37 (see below).
When DORA is adopted, how long will businesses have to comply?
The draft Regulation states (at Article 56) that it will apply from twelve months after its entry into force, save for Articles 23 (Advanced testing of ICT tools, systems and processes based on threat led penetration testing) and 24 (Requirements for testers) which, as currently drafted, will apply from thirty-six months after entry into force.
What steps to prepare for DORA should be taken?
It is important that entities falling within the scope of DORA start preparing for its implementation now. Firstly, a thorough assessment of the new requirements against current practices should be carried out to identify potential compliance gaps. For service providers, this should include assessing whether the classification as a ‘critical’ ICT third-party service provider is likely to apply. If so, it may be prudent to start planning the compliance strategy that will need to be implemented in time for the compliance window to be met.
Key requirements under DORA
ICT risk management requirements (Articles 5 to 14)
- Financial entities are required to implement a ‘sound, comprehensive and well-documented’ ICT risk management framework enabling them to address ICT risk ‘quickly, efficiently and comprehensively and ensure a high level of digital operational resilience that matches their business needs, size and complexity’ (Article 5(1)).
- ICT risk management frameworks should include strategies, policies, procedures, ICT protocols and tools which are necessary to duly and effectively protect all relevant physical components and infrastructures, including computer hardware, servers, as well as all relevant premises, data centres and sensitive designated areas, to ensure that all those physical elements are adequately protected from risks including damage and unauthorised access or usage (Article 5(2)).
- To address this, ICT risks must be identified; ‘state-of-the-art’ ICT technology and processes must be used to guarantee the security of the means of transfer of information and to minimise the risk of corruption or loss of data (Article 8(3)); detection mechanisms must be deployed; backup policies and recovery systems must be put in place; and (under Article 12(2)) post incident reviews must be carried out after ICT incidents have occurred so that financial entities learn from past incidents and improve their systems accordingly.
ICT related incidents (Articles 15 to 20)
- Financial entities must establish and implement an ICT related incident management process to detect, manage and notify ICT related incidents and must also put in place early warning indicators as alerts (Article 15(1)).
- They must also establish appropriate processes to ensure consistent and integrated monitoring, handling and follow-up of ICT related incidents, so that root causes are identified and eradicated to prevent the recurrence of such incidents.
- Article 16 sets out how financial entities should classify ICT related incidents and the criteria that apply to different levels of impact, and Article 17 establishes how incidents must be reported to the relevant competent authority. In particular, the reporting obligations apply where a major ICT-related incident has or may have an impact on the financial interests of service users and clients. Financial entities must inform their service users and clients about the major ICT-related incident without undue delay, and inform them as soon as possible of all measures taken to mitigate its adverse effects. Financial entities must also report to the relevant competent authority without delay and, in any event, by the end of the business day; where the incident occurred within two hours of the end of the previous business day, the report is due no later than four hours from the start of the next business day.
Digital operational resilience testing (Articles 21 to 24)
- Article 21 lays out the following general requirements in relation to the testing programme to be implemented by financial entities, stating that:
- a risk-based approach should be followed when carrying out the testing programme, taking into account the evolving landscape of ICT risks, any specific risks to which the financial entity is or might be exposed, the criticality of information assets and of services provided, as well as any other factor the financial entity deems appropriate;
- financial entities must ensure that tests are undertaken by independent parties, whether internal or external;
- financial entities must establish procedures and policies to prioritise, classify and remedy all issues acknowledged throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed; and
- financial entities shall test all critical ICT systems and applications at least yearly.
- Under Article 23, financial entities must also carry out advanced testing by means of threat led penetration testing at least every three years. This must cover all underlying ICT processes, systems and technologies supporting critical functions and services, including those outsourced or contracted to ICT third-party service providers. Where ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of those providers, which in practice means the contract with the provider needs to permit such testing.
ICT third-party risk (Articles 25 to 39)
- Articles 25 to 39 of the Regulation set out detailed requirements as to how financial entities must manage ICT third-party risk as part of their ICT risk management framework. The general principle is that ICT third-party risk must be managed in a proportionate way, taking into account the scale, complexity and importance of ICT related dependencies and the risks that arise from the contractual arrangements in place with ICT third-party service providers.
- Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with high and appropriate information security standards.
- A register of information relating to all contractual arrangements with ICT third-party service providers must be kept by financial entities, setting out whether each provider supports critical or important functions.
- Financial entities must report to the relevant competent authority at least once a year on the number of new arrangements they have put in place with ICT third-party service providers, together with information as to the nature of those arrangements and the contracts underpinning them.
- Financial entities must also make assessments when entering into new contractual arrangements, including by assessing whether the contractual arrangement covers a critical or important function, identifying and assessing all relevant risks relating to the contractual arrangement, undertaking due diligence on prospective ICT third-party service providers to ensure they are suitable and by identifying potential conflicts of interest.
Key contractual provisions (Article 27)
- The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract, including the service level agreements, shall be documented in one written document available to the parties on paper or in a downloadable and accessible format (Article 27(1)).
- Article 27(2) sets out the following minimum requirements for the contractual arrangements (and is applicable to all ICT third-party service providers, not just those designated as critical). These include:
- a clear and complete description of all functions and services to be provided by the ICT third-party service provider, indicating whether sub-contracting of a critical or important function, or material parts thereof, is permitted and, if so, the conditions applying to such sub-contracting;
- provisions on accessibility, availability, integrity, security and protection of personal data and on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the case of insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider;
- full service level descriptions and quantitative and qualitative performance targets within agreed service levels, with appropriate corrective mechanisms if these are not met; and
- termination rights and related minimum notice periods for the termination of the contract (please note that Article 25(8) includes a broad list of termination rights that will be required).
- When negotiating contractual arrangements, financial entities and ICT third-party service providers should consider the use of standard contractual clauses (which may be developed by the Commission) for specific services (Article 27(3)).
- It is also envisaged that regulatory technical standards will be developed to specify further the elements which a financial entity needs to determine and assess when sub-contracting critical or important functions (Article 27(4)).
Oversight framework applying to critical ICT third-party service providers
Section II of the Regulation deals with the oversight of ‘critical’ ICT third-party service providers. Under Article 28, the European Supervisory Authorities (ESAs) shall designate ICT third-party service providers as ‘critical’ by applying the following criteria:
- the systemic impact on the stability, continuity or quality of the provision of financial services in case the relevant ICT third-party service provider would face a large-scale operational failure to provide its services, taking into account the number of financial entities to which the relevant third-party provides services;
- the systemic character or importance of the financial entities that rely on the relevant ICT third-party service providers, assessed in accordance with the following parameters:
- the number of global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs) that rely on the respective service provider;
- the interdependence between the G-SIIs or O-SIIs and other financial entities including situations where the G-SIIs or O-SIIs provide financial infrastructure services to other financial entities;
- the reliance of financial entities on the services provided by the relevant ICT third-party service provider in relation to critical or important functions of financial entities that ultimately involve the same service provider, irrespective of whether financial entities rely on those services directly or indirectly, by means of or through subcontracting arrangements;
- the degree of substitutability of the ICT third-party service provider, taking into account the following parameters:
- the lack of real alternatives, even partial, due to the limited number of ICT third-party service providers active on a specific market, or the market share of the relevant service provider, or the technical complexity or sophistication involved, including in relation to any proprietary technology, or the specific features of the third-party’s organisation or activity; and
- difficulties in partially or fully migrating the relevant data and workloads from the relevant ICT third-party service provider to another, due either to the significant financial costs, time or other resources that the migration process may entail, or to increased ICT risks or other operational risks to which the financial entity may be exposed through such migration;
- the number of Member States in which the relevant third-party service provider provides services; and
- the number of Member States in which financial entities using the relevant third-party service provider are operating.
The ESAs shall publish the list of designated critical ICT third-party service providers ‘at EU level’ and update it on a yearly basis. The assessment of the dependency of financial entities on ICT third-party service providers shall be based on the information that financial entities are required to provide to competent authorities (see ICT third-party risk (Articles 25 to 39) above).
Each critical service provider will be allocated one of the three ESAs (the EBA, EIOPA or ESMA) as its Lead Overseer. Article 31(1)(a)-(c) sets out the powers of the Lead Overseer to request information and documentation directly from a critical service provider and, potentially, to impose requirements regarding the contract terms that it uses and the degree of subcontracting that it undertakes. Providers who expect to be caught by this regime should note that if a critical service provider does not comply with its Lead Overseer’s information and documentation request it can be subject to a periodic penalty payment of up to 1% of its average daily worldwide turnover, for each day of non-compliance, for up to six months (see Article 31(4)-(9)).
Under Article 35(3), the ESAs will also develop regulatory technical standards providing further detail as to what a financial entity needs to determine and assess when sub-contracting critical or important functions. These draft standards are to be submitted to the European Commission within a year of the date of the Regulation.
Information sharing arrangements on cyber threat information and intelligence
Article 40 provides that financial entities may exchange cyber threat information and intelligence with each other, provided that the exchange:
- enhances the digital operational resilience of financial entities, in particular by raising awareness of cyber threats, limiting or impeding the ability of cyber threats to spread, and supporting financial entities’ defensive capabilities, threat detection techniques, mitigation strategies or response and recovery stages;
- takes place within trusted communities of financial entities; and
- is implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, governed by rules of conduct that fully respect business confidentiality, the protection of personal data and guidelines on competition policy.