The EU’s aim with the draft proposal on digital operational resilience for the financial sector (DORA) is to ensure that “EU financial sector operations can withstand operational disruption and cyber-attacks.” We consider DORA and set out its scope and current status.
DORA will apply to a wide range of financial entities, such as:
- Credit and payment institutions
- Investment firms
- Crypto-asset service providers
- Central securities depositories
- Trading venues
- Trade repositories, and
- Some insurance and reinsurance undertakings
DORA will also apply to service providers operating in the financial services sector. For example, the current draft text applies to information and communication technology (ICT) third-party service providers and data reporting service providers. This is particularly noteworthy because financial regulation and guidance generally focus on the regulated entities themselves and do not typically extend directly to their third-party service providers.
Although listed in the original September 2020 proposal text, statutory auditors and audit firms were removed from the most recent text published in June 2022. It has been indicated that their inclusion within the scope of DORA will be subject to a future review.
DORA sets out new statutory requirements for the security of financial entities’ network and information systems, including in relation to:
- Risk management
- Incident reporting
- Resilience testing
- Cyber threat information sharing, and
- Contractual arrangements with ICT third-party service providers
Financial entities must, amongst other matters:
- Identify and document ICT-supported business functions, roles and responsibilities, information assets, ICT assets and the potential risks that may affect them. In addition, there is a requirement to conduct a business impact analysis of the relevant entity's exposure to severe business disruptions.
- Continuously monitor and control the security and functioning of ICT systems and tools and deploy appropriate ICT security tools, policies and procedures.
- Implement ICT security policies, procedures and tools to ensure the resilience, continuity and availability of ICT systems.
- Implement and test mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents.
- Implement post-incident reviews after major ICT-related incidents disrupting core activities in order to analyse the causes and identify improvements.
- Maintain a digital operational resilience testing programme.
There are extensive reporting requirements, such as reporting the following to competent authorities:
- Major ICT-related incidents. Financial entities must also inform their clients about incidents that have an impact on the financial interests of those clients.
- An estimate of aggregated annual costs and losses caused by major ICT-related incidents
- Changes implemented following incident reviews
In addition, DORA sets out detailed provisions regarding the contractual arrangements between financial entities and ICT third-party service providers.
Scope for further requirements
Once DORA is formally adopted, the relevant European Supervisory Authorities (ESAs) will develop technical standards that apply to the financial entities within DORA's scope. The ESAs concerned are the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).
The technical standards to be developed by ESAs will address issues such as:
- Materiality thresholds for determining major ICT-related incidents
- The content of the major ICT-related incident reporting
- Further elements to be included in the ICT security policies, procedures and tools, and the scope of threat-led penetration testing (TLPT)
The draft technical standards must be submitted to the European Commission within 12 or 18 months of DORA's entry into force, depending on the standard concerned.
Current status and timescales
The most recent progress is that the European Parliament voted to adopt the draft DORA text on 10 November 2022. Under the draft text, DORA will apply twenty-four months after its entry into force, which occurs shortly after its publication in the Official Journal of the EU. Official publication had been expected before the end of 2022, but it remains to be seen whether the EU will publish the final text this year. If publication slips into 2023, DORA will take effect in 2025 rather than in 2024, as had been anticipated.
While we wait for official publication of the final text, relevant financial entities should start to review their existing network and information systems, and their third-party contracting arrangements, for sufficiency against the current draft DORA requirements. Although there is a twenty-four month implementation period once the final text has been published, entities caught by the scope of DORA should start preparing as soon as possible, so that they can identify gaps in their current regimes and scale up resources in time to be compliant when DORA takes effect.