What is DORA (Digital Operational Resilience Act)?
The Digital Operational Resilience Act, or DORA for short, provides for the introduction of a comprehensive regulatory framework at the EU level that includes regulations on digital operational resilience for all supervised financial institutions.
Reading Time: .
- A definition of DORA ➔
- What problems does DORA address? ➔
- What are the objectives of DORA? ➔
- Which companies are affected by DORA? ➔
- What are the practical implications of DORA? ➔
- What are the core requirements of DORA for financial entities? ➔
- When can the new DORA regulations be expected? ➔
- What do financial entities need to consider when choosing an ICT third party service provider in the future? ➔
- Myra is already fit for DORA ➔
A definition of DORA
The proposed Digital Operational Resilience Act (DORA) is part of a package of measures to digitize the financial sector presented by the European Commission at the end of September 2020. The Commission aims for the package to promote Europe’s competitiveness and innovation in the financial sector.
The financial sector relies heavily on information and communication technology (ICT). The coronavirus pandemic has exacerbated this as customers are increasingly using digital services. This dependency on ICT makes financial entities particularly vulnerable to cyber attacks or incidents. Moreover, the consequences of an attack or disruption at an important cross-border financial service can have far-reaching effects on other companies, sub-sectors, or even the rest of the economy. That is why digital operational resilience in the financial sector is of enormous importance. With regard to industry investigations, the Commission estimates the cost of operational incidents in the EU financial sector to be up to €27 billion per year.
Improve cyber defense and oversight
In this context, DORA aims to ensure that all financial sector stakeholders have taken the necessary security measures to prevent or mitigate ICT-related cyber attacks and other incidents. Moreover, DORA is expected to enable European supervisory authorities to review outsourced services. To this end, a supervisory framework for third-party ICT providers operating in the financial sector, such as cloud computing service providers, will be introduced.
The current draft of the proposed EU regulation “on digital operational resilience for the financial sector” contains requirements relating to ICT risk management, the classification and reporting of ICT-related incidents, digital operational resilience tests, contractual agreements between ICT third-party service providers and financial entities, the supervisory framework for critical ICT third-party service providers, and rules for the exchange of information.
What problems does DORA address?
The existing EU legal framework for ICT risks and operational resilience in the financial sector is fragmented and, to some extent, inconsistent. Currently, virtually every country has its own rules (e.g., for carrying out resilience tests) and supervisory approaches (e.g., for ICT third-party dependencies) that sometimes do not sufficiently consider certain ICT risks. At the same time, cross-border financial entities are under increased administrative and financial burdens as a result of duplicative requirements and inconsistent provisions, such as the Directive on Security of Networks and Information Systems (NIS Directive), EU legislation on financial services, and national regulations (e.g., for reporting incidents).
The new EU regulation aims to harmonize the rules and no longer give member states any reason to adopt their own national operational resilience and cybersecurity regulations, standards, and requirements. Cross-border financial entities will also be given legal clarity on digital resilience regulations.
What are the objectives of DORA?
The overall and absolute objective of DORA is to address ICT risks more comprehensively and to strengthen the operational resilience of digital systems in the EU financial sector. The new legal framework provides for the streamlining and modernization of existing rules and includes the introduction of new requirements. This concept intends to
- ensure that financial entities assess the effectiveness of their prevention and resilience measures and where their ICT vulnerabilities lie in order to make such risks more manageable.
- provide financial authorities with access to information on ICT-related incidents in order to improve their knowledge of the current threat situation.
- strengthen the outsourcing regulations for the indirect supervision of ICT third-party service providers.
- allow direct monitoring of the activities of ICT third-party service providers when they provide services to financial entities.
- incentivize the exchange of information about cyber threats in the financial sector.
More coherent and consistent procedures for the classification and reporting of ICT incidents should also reduce the administrative burden on financial institutions and increase the efficiency of supervisory authorities. The lack of uniform reporting obligations often means that the supervisory authority does not have a complete overview of the nature, frequency, importance, and impact of incidents. Another positive effect of harmonization is that cross-border financial entities would not have to report the same incident to different EU or national government agencies. According to the European Commission’s estimates, eliminating overlapping reporting requirements could save some of the largest banks between €40 million and €100 million per year.
Which companies are affected by DORA?
DORA applies to all financial entities regulated at the EU level. The draft law refers namely to credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks, crowdfunding service providers, and securitization repositories.
In light of the principle of proportionality, differences in business model, size, risk profile, or system relevance should be taken into account when defining the key requirements in the different scopes of application. For example, according to the EU Commission, smaller financial entities will have to take less comprehensive measures to report incidents and carry out resilience tests.
What are the practical implications of DORA?
DORA aims to harmonize the rules for ICT risk management as well as the classification and reporting of ICT incidents. In the long term, there could be a single EU hub for reporting incidents. In general, financial entities will have to comply with extended requirements and adapt their procedures accordingly. For instance, new EU reporting rules require the provision of root cause analysis reports at the latest one month after a major ICT incident occurs.
Moreover, EU-wide standards for digital operational resilience tests will be defined in order to better identify unknown vulnerabilities and risks. The European Commission estimates that a uniform testing approach would save the 44 largest cross-border banks up to €88 million in costs.
Due to new threshold criteria and the EU-wide application of threat-controlled penetration tests (based on TIBER), it is likely that more companies be required to carry out such tests on a regular basis. New stakeholders should develop strategies to make the most of these tests.
However, the new supervisory framework provides for critical ICT third-party service providers to be monitored in the future by one of the European Supervisory Authorities (ESAs). The lead ESA can then also request information, inspect the service providers and, in the event of non-compliance, impose penalties (up to 1% of the daily worldwide turnover or termination of the contract). Whether an ICT third-party service provider is classified as critical is decided by the Joint Committee of the ESAs on the basis of a list of criteria set out in DORA.
What are the core requirements of DORA for financial entities?
In principle, many of the requirements formulated in the current draft DORA regulation, such as for ICT risk management, are already familiar from existing financial sector regulations such as the EBA Guidelines, MaRisk, or BAIT. In some cases, however, they also go beyond this, such as the monitoring and supervision of ICT service providers or the audit of ICT systems. The following points must be observed:
ICT risk management
Strong involvement of the management board:
It is responsible for all arrangements related to the ICT risk management framework and needs to review business continuity and disaster recovery plans, for instance.
Companies must identify, classify, and document business functions and supporting information resources that are potential sources of ICT risk. This applies in particular to system areas that are networked with internal and external ICT systems.
Protection and prevention:
The functioning of ICT systems must be continuously overseen and monitored to ensure adequate protection. This requires the preventive implementation of appropriate security strategies, policies, procedures, and tools.
Detection of anomalous activities:
Companies must have mechanisms in place to detect anomalous activities immediately and identify any potential vulnerabilities.
Countermeasures and recovery:
Companies must set up response and recovery measures as well as develop appropriate business continuity and disaster recovery strategies and plans. Even companies that otherwise already meet many of DORA’s ICT risk management requirements should therefore consider whether their response and recovery strategies and plans also comply with the extended rules in these areas.
Companies must develop a “responsible disclosure of ICT-related incidents or major vulnerabilities” to clients, other financial entities, and the public.
Reporting of ICT-related incidents
Financial entities must establish and apply a specific incident management process to identify, track, log, categorize, and classify ICT incidents.
The classification of ICT incidents must be based on a number of criteria to be further developed by the Joint Committee of the ESAs.
Companies are required to report serious ICT incidents to the competent authority within prescribed deadlines and using harmonized report templates.
Digital operational resilience testing
As an integral part of the ICT risk management framework, DORA requires companies to adopt a robust and comprehensive digital operational resilience testing program covering ICT tools, systems, and processes.
Certain financial institutions must carry out advanced testing of their ICT tools, systems, and processes at least every three years using threat-led penetration tests. Affected companies should closely monitor how the ESAs establish the implementation criteria.
Management of ICT third-party risk
Financial entities must manage the ICT third-party risk within their ICT risk management framework in accordance with certain principles. These include responsibility and liability, proportionality, a strategy for ICT third-party risk, documentation and record-keeping, pre-contractual analysis, information security, audits and inspections, termination rights, and exit strategies.
Preliminary assessment of ICT concentration risk and other sub-outsourcing arrangements:
The mandatory preliminary assessment aims to determine whether the conclusion of a contractual agreement in relation to the ICT services would lead to a contract with an ICT third-party service provider considered dominant, which is not easily replaceable. It should also show whether several contractual arrangements have been concluded with the same ICT third-party service provider or with closely connected service providers.
Key contractual provisions:
The rights and obligations of the financial entity and of the ICT third-party service provider must be clearly allocated and defined in a contractual agreement whose detailed scope is defined in legislation.
Information sharing arrangements
Information-sharing on cyber threats:
DORA enables financial entities to share among themselves cyber threat information and intelligence to strengthen digital operational resilience. This includes indicators of compromise, tactics, techniques, procedures, cybersecurity alerts, and configuration tools.
When can the new DORA regulations be expected?
The draft law adopted by the European Commission on September 24, 2020, has yet to be submitted to the European Parliament and the Council of Ministers for review and adoption. Both institutions may make additional changes. A final version is not expected before the end of 2021. After that, the ESAs will draw up further secondary legislation and technical standards to flesh out application of the new rules. After DORA enters into force, a transitional period for implementation will also be determined.
What do financial entities need to consider when choosing an ICT third party service provider in the future?
DORA will most likely lead to significant adjustments to existing national outsourcing rules such as MaRisk and BAIT. Under the current DORA draft law, EU financial entities must assess the risk of outsourcing in advance and conduct due diligence to identify suitable third party service providers. In addition, Article 25 Section 6 states: “Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with high, appropriate and the latest information security standards.”
Contractual agreements with third-country service providers must take into account data protection, effective enforcement of the law, insolvency provisions in the event the third party becomes insolvent, and restrictions that may arise in relation to the urgent restoration of company data.
In practice, all these requirements will be made much easier to implement by choosing an ICT third-party service provider from the EU. In general, ICT third-party service providers without a commercial presence in the EU whose operating failure would have a systemic impact on the provision of financial services should be excluded as outsourcing partners.
Myra is already fit for DORA
Myra Security already meets all of DORA’s core requirements. As an experienced service provider in the finance sector, we have long been supporting essential and non-essential outsourced activities and processes. Prestigious companies and organizations from the financial industry have been using Myra’s Security-as-a-Service platform for years to cover both their cybersecurity and compliance needs.