What was the reason for the creation of DORA? To understand the present and the future of DORA, we explore its history and its aim for the future in this second blog.
Our previous blog was the first in a series of blogs about Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (‘DORA’). In the previous blog, we briefly introduced DORA and highlighted the 6 key pillars of DORA.
Concerns of the European Systemic Risk Board
In February 2020, the European Systemic Risk Board (“ESRB”) and many Member States expressed their deep concerns about the lack of control over third parties and the need to consolidate third-party risk management requirements in financial entities across Europe. The ESRB published its recommendation as a response to a report on cyber incidents. In this report, the ESRB identified cyber risks as a source of systemic risk to the financial system that could have serious negative consequences. It was acknowledged that one single event could potentially trigger a systemic crisis threatening financial stability.
As DORA mentions in one of its first recitals (no.2) in the context of the ESRB report: “Finance has not only become largely digital throughout the whole sector, but digitalisation has also deepened interconnections and dependencies within the financial sector and with third-party infrastructure and service providers.”
Digital finance package
Seven months after the ESRB report was published, on 24 September 2020, the European Commission adopted a ‘digital finance package’. This included a digital finance strategy and legislative proposals on crypto-assets and digital resilience for a competitive EU financial sector. The aim was to give consumers access to innovative financial products, while ensuring consumer protection and financial stability. Part of this digital finance package was the first draft of DORA.
As stated by the Council of the EU, this digital finance package bridges a gap in existing EU legislation by ensuring that the current legal framework does not pose obstacles to the use of new digital financial instruments. At the same time, the package ensures that new technologies and products are covered by the scope of financial regulation and the operational risk management arrangements of firms active in the EU. According to the Council, the digital finance package aims to support innovation and the uptake of new financial technologies while providing for an appropriate level of consumer and investor protection.
DORA is in fact being presented by the Council as part of the EU’s crisis response mechanisms and as a means of enhancing its resilience against physical and digital risks. It is mentioned together with the EU’s response to health emergencies (such as the COVID-19 pandemic), food security crises and physical risks (such as the act of sabotage against critical infrastructure such as the Nord Stream pipelines). As a result, digital resilience is one of the hottest topics on the current (regulatory) agenda.
DORA’s aim and conjunction with existing legal framework
At EU level, the requirements related to the management of ICT risks in the financial sector are currently provided for in different laws and regulations, such as MiFID II, CRD IV and the AIFMD, and in guidance by the ESAs on topics relating to ICT security, governance and outsourcing. These requirements are diverse and occasionally incomplete. As the fragmented legislative landscape resulted in gaps and overlaps, as well as inconsistency across types of financial entities and member states, the EU wishes to introduce uniform requirements across the EU. The introduction of DORA is a big step in creating such a harmonised framework, which is to apply entirely and directly in all EU member states, without the need for transposition into national laws.
The purpose of DORA is the harmonisation of existing rules on managing ICT governance, risks and incident reporting for all financial institutions and crucial third parties providing these institutions with ICT-related services, to ensure operational resilience against cyberattacks. In that light, DORA introduces uniform requirements across the EU. To ensure consistency with DORA, Directive (EU) 2022/2556 (“Amending Directive”) came into force on the same day as DORA. The Amending Directive enacts a set of amendments to various directives (e.g., MiFID II, AIFMD, etc.) to ensure a consistent implementation of the new framework on digital operational resilience for the financial sector.
DORA also builds on the Network Security Directive (“NIS”). If there is any conflict between DORA and NIS, DORA prevails. We will focus on NIS, and DORA’s conjunction with NIS, in one of our next blogs.
DORA aims to create a level playing field, with the same rules applying to all financial institutions across the EU. Let’s wait and see if this becomes reality in the months and years to come. Stay tuned for our next blog.