In this digital age, the use of ICT has taken a central role in the provision of financial services and is essential for the operation of the financial sector taken as a whole. However, digitalisation and interconnectedness between parties has led to increased ICT risks for the financial sector. As financial institutions are ever more dependent on software and digital processes, their digital resilience needs to be strengthened.
The European Union has put cybersecurity and digital operational resilience high on its agenda. Several legislative initiatives are pending, including financial sector specific legislation. Currently, separate legal acts already address ICT risk requirements for the financial sector, creating a fragmented legislative landscape. With the entry into force of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (‘DORA’) on 16 January 2023, this will change. DORA aims to consolidate and upgrade the existing decentralised legislation in a uniform European wide framework.
This blog is the first in a series regarding DORA, as well as other related legislative initiatives (such as the NIS2 directive), to be published on our website. In this first blog, we will highlight the key pillars of DORA.
Who has to comply with DORA?
DORA has a broad scope and applies to almost all authorised financial institutions, ranging from credit institutions to pension funds and from alternative investment fund managers to insurance undertakings (jointly the ‘Financial Entities’). DORA allows for a proportionate application of the requirements for certain Financial Entities, particularly micro-enterprises. Besides Financial Entities, DORA is also applicable to critical ICT third-party service providers providing ICT services to financial institutions.
DORA: Key pillars
DORA is a new and complex piece of legalisation, consisting of the following 6 key pillars:
1. ICT risk management framework
DORA requires that Financial Entities have an internal governance and control framework in place that ensures an effective and prudent management of ICT risks. The ultimate responsibility of the management body in managing a financial entity’s ICT risks should be an overarching principle of this framework. The ICT risk management framework, which is an integral part of the overall risk management framework, must address the various functions in ICT risk management (identification, protection and prevention, detection, response and recovery, learning and evolving and communication). This framework is laid down in strategies, policies, procedures, ICT protocols and tools.
2. ICT-related incident management, classification and reporting
Financial Entities must establish and implement an ICT-related incident management process that detects, manages, records and reports ICT-related incidents. Every major ICT incident must be reported to the competent authorities. This will most probably require a step up for many Financial Entities in terms of compliance. We expect this to be similar to the coming into force of GDPR, which gave a boost to personal data breach notification duties.
3. Digital operational resilience testing
Part of the ICT risk management framework must be testing programmes which identify weaknesses, deficiencies, and gaps in the digital operational resilience of the entity. Micro-enterprises can benefit from a more flexible regime as regards digital operational resilience testing programmes. The testing should determine the cybersecurity preparedness of the entity and should include a wide range of actions, such as vulnerability assessments, network security assessments, gap analyses, physical security reviews, source code reviews where feasible, compatibility testing and performance testing. In addition, some Financial Entities are required to carry out more advanced testing by means of Thread-Led Penetration Testing at least every three years.
4. Managing of third-party risk and contractual arrangements
DORA lays down principle-based rules to help Financial Entities to monitor risks arising when outsourcing functions to ICT third-party service providers. This is particularly relevant for ICT services supporting critical or important functions and more generally in the context of all ICT third-party dependencies.
Irrespective of how critical or important the outsourced functions are, contractual arrangements should be in place with the ICT third-party service providers. DORA harmonises which contractual provisions must be included in the contracts with ICT third-party service providers, including several elements in relation to the performance, oversight and termination of the outsourced service.
This includes, for example, (i) access and audit rights, (ii) guarantees for enabling the access, recovery and return of data in the event of insolvency, resolution or discontinuation of the ICT third-party service provider and (iii) the locations where the functions are provided and where data is to be processed.
5. Critical ICT third-party service providers
DORA is also applicable to critical third-party service providers, which will be designated by the European Supervisory Authorities (‘ESAs’).
The third-party service providers will be supervised by one of the ESAs, which has far-reaching power to conduct oversight and impose sanctions in case of non-compliance with the instructions from the respective ESA.
6. Information-sharing arrangements
DORA encourages Financial Entities to share information regarding ICT threats. Information sharing should contribute to creating increased awareness of cyber threats and increase the knowledge and experience of cyber threats.
What is next?
Financial Entities have two years, until 2025, to implement the rules from DORA into their organisations. During this period, a set of complementary legislation is expected, which will specify and provide more details on some of the key pillars of DORA. Over this period, we will provide you with consecutive blog posts, in which we will address in more depth the key pillars of DORA, as well as related other legislative initiatives, and the impact of this type of legislation on certain Financial Entities.
Time to start exploring and get ready for action!