Publication
Mission impossible? Teresa Ribera’s mission letter and the future of EU merger review
Executive Vice President Vestager’s momentous tenure as Commissioner responsible for EU competition policy is nearing its end.
Global | Publication | October 2024
On 17 January 2025, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) will start to apply. DORA is a first European-level legislation aiming to introduce a harmonised and comprehensive framework on digital operational resilience for European financial institutions. In the light of the fact that the post-2008 sweep of financial services regulatory reform mainly focused on strengthening the financial resilience of the sector and as such, addressed the information and communication technologies (ICT) risks only as a side matter, the European Commission’s (Commission) underlying intention for DORA was to address gaps in the European sectoral financial services legislation, which to date, has provided for a fragmented approach to operational resilience.
In addition, one of the most significant implications of DORA is that it will bring within the scope of European financial services supervision those ICT third-party service providers that will be deemed critical. DORA is accompanied by Directive (EU) 2022/2556 that amends certain pieces of European financial services legislation, including MiFID II, as regards provisions regarding digital operational resilience.
To support financial institutions in preparing for the imminent application of DORA we set out below 10 key things to know about it:
DORA will have a very broad application and it will cover all authorised European financial entities, altogether 20 types of them. This includes credit, payment and e-money institutions, investment firms, crypto-asset service providers (CASPs) that will be authorised under the Markets in Crypto-Assets Regulation (MiCA) as well as issuers of asset-referenced tokens, central securities depositories (CSDs), central counterparties (CCPs), trading venues, trade repositories, alternative investment fund managers (AIFMs), management companies, data reporting service providers, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory audit and audit firms, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories. As mentioned earlier, DORA will also apply to ICT third-party service providers.
Notwithstanding its intentionally broad scope, DORA provides some elements of proportionality. In line with a general principle of proportionality, in-scope financial entities will be required to comply with DORA by taking into account their size and overall risk profile, as well as the nature, scale and complexity of their services, activities and operations. DORA also provides limited exemptions for certain financial entities, including sub-threshold AIFMs, small insurance and re-insurance undertakings exempt from Solvency II, small institutions for occupational retirement provision, persons exempt from the Markets in Financial Instruments Directive (MiFID), insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises, as well as certain post-office giro institutions. Conversely, some of the most advanced digital testing requirements will be applicable only to the biggest, “significant” financial entities.
In addition, for the purpose of the application of DORA it is necessary to consider the scope of ICT services that will be subject to its requirements. Whist DORA defines the term “ICT services” in high-level terms, there are a lot of uncertainties about the practical identification of the relevant in-scope ICT services. In particular, there is an ongoing debate about delineation between the financial services and ICT services, guidance on which is expected to be provided by the Commission.
DORA will require financial entities to have in place comprehensive internal governance and control frameworks for the “effective and prudent” management of ICT risks. It puts an explicit and ultimate responsibility upon a management body of a financial entity for defining, approving and overseeing the implementation of all arrangements relating to the ICT risk management framework. The relevant elements of the management body's responsibilities are set out in the legislation. In addition, financial institutions, with an exception for microenterprises, will have to establish a role to monitor the arrangements concluded with ICT third-party service providers, or designate a member of senior management for the purpose of overseeing the related risk exposures and documentation.
Financial entities will be obliged to build, maintain and subject to regular audits a sound, comprehensive and well-documented ICT risk management framework, consisting of strategies, policies, procedures, ICT protocols and tools. DORA is documentation-heavy: financial entities will be required to use and maintain updated ICT systems, protocols and tools, as well as identify and detect developments that pose a potential source of ICT risk, especially those configurations that interconnect with internal and external ICT systems. Secondary legislation lays down detailed rules on these tools, methods, processes and policies. DORA sets out prescriptive measures that financial entities will need to comply with for the purpose of protection and prevention, detection, response and recovery from ICT risks, including having a dedicated and comprehensive ICT business continuity policy and plans, notably in respect of critical or important functions outsourced or contracted through arrangements with ICT third-party service providers. Secondary legislation further specifies the required content of this policy. As part of their business continuity policy, financial entities will have to conduct a business impact analysis (BIA) of their exposures to severe business disruptions; they will also have to establish a crisis management function, ready to manage internal and external crisis communications in case an ICT business continuity plan gets activated.
Finally, financial entities will have to have in place measures establishing backup policies and recovery methods (including, for example, a specific obligation for CSDs to maintain at least one secondary processing side), as well as establish appropriate “learning and evolving” frameworks allowing them to gather information on vulnerabilities and cyber threats for the purpose of analysing their likely impacts on their digital operational resilience. Their staff and senior management will have to undertake compulsory digital operational resilience training. Financial entities should have measures in place allowing them to monitor the effectiveness of the implementation of their digital resilience strategy as well as bespoke crisis communications plans as well as internal and external communication policies.
DORA will require financial entities to establish and implement a specific ICT-related incident management process to detect, manage and notify ICT-related incidents, and to record them together with significant cyber threats. Financial entities will also have to classify ICT-related incidents and determine their impact in accordance with a set of prescribed criteria, details of which are set out in secondary legislation. Adding to the already existing complexity of regulatory reporting, DORA will require financial entities to report major ICT-related incidents to competent authorities; this obligation could be outsourced to a third-party service provider. Draft Regulatory Technical Standards (RTS) setting out reporting templates, their content and time-limits for the submission of initial notifications and reports were proposed by the European Supervisory Authorities (ESAs) in July 2024 following a public consultation in the beginning of the year. The Commission has yet to endorse and adopt these RTS.
Within the context of their ICT risk management framework, financial entities will have to put in place a sound and comprehensive digital operational resilience testing programme, comprising of a range of assessments, tests, methodologies, practices and tools. Testing should be applied on a risk-based approach, by an independent party – either internal or external. In addition, significant financial entities will be required to carry out every three years advanced testing by means of threat-led penetration testing (TLPT). The ESAs have developed detailed rules that specify elements related to this threat-led penetration testing, including threshold-based pre-classification of financial entities that will be subject to TLPT.
As indicated earlier, one of the objectives of DORA is to provide a framework for a principle-based sound management of ICT third-party risks. The legislation sets out the relevant principles, including in respect of contractual arrangements, taking into account the principle of proportionality. Financial entities will have to establish a strategy on ICT third-party risk, and will only be able to enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. DORA specifies circumstances in which such contractual arrangements should be terminated and requires that for ICT services supporting critical or important functions, financial entities will have to have in place exit strategies. Among other obligations, financial entities will have to perform a preliminary assessment of ICT concentration risk at the entity level, weighting the benefits and costs of alternative solutions if applicable. DORA sets out a list of elements that a contractual arrangement between a financial entity and an ICT third-party service provider will have to include. This includes controversial rules on subcontracting which are to be set out in secondary legislation and are yet to be finalised. Finally, financial entities will have to include detailed information about all ICT third-party service providers in a register of information, distinguishing between those that cover ICT services supporting critical or important functions and those that do not. As recently demonstrated in a sample dry-run exercise hosted by the ESAs, completion of the register of information might be a complex task, in particular when the financial entity procures many ICT services from third-parties. To add to the complexity of things, the draft implementing technical standards (ITS) that will set out templates for the registers of information has been rejected by the Commission and sent for re-drafting to the ESAs.
As indicated earlier, DORA sets out a separate set of provisions applicable to critical ICT third-party service providers, which in accordance with the Commission’s proposal, would be designated by the ESA's Joint Committee and on the basis of a list of criteria set out in DORA and specified in secondary legislation. DORA sets out limited exemptions from the designation rules, including for intra-group provision of ICT services. As an alternative to a top-down designation process, DORA foresees a possibility for an ICT third-party service provider to opt-in to the oversight regime. In respect of cross-border arrangements, financial entities will not be able to use the services of an ICT third-party service provider that is deemed critical but established in a third country unless such a service provider has established a subsidiary in the EU within the twelve months following designation. As the ESAs will be using information on ICT third-party service providers that will be included by financial entities in their registers of information, it is expected that the first critical ICT third-party service providers will be designated in H2 2025.
DORA sets out a structure of an Oversight Framework, composed of the Oversight Forum and the Lead Overseer (this being one of the ESAs). The latter will have far-reaching powers, including power to request access to relevant information and conduct general investigations and inspections, and imposing periodic penalty payments in cases of non-compliance with measures the Lead Overseer requires a critical ICT third-party service provider to undertake. DORA sets out modalities for the Lead Overseer to exercise its powers outside the EU. In July 2024 the ESAs published final draft RTS and guidelines that aim to harmonise a number of conditions that would enable the ESAs to work within the Oversight Framework. The Commission has yet to endorse and adopt these RTS.
DORA will permit – albeit not mandate – financial entities to exchange amongst themselves information and intelligence about cyber threats, including indicators of compromise, tactics, techniques, procedures, cyber security alerts and configuration tools.
In terms of the supervisory framework and enforcement, DORA places supervision of compliance with its requirements with the respective competent authorities responsible for overseeing the in-scope financial entities. To this end, the competent authorities will have all supervisory, investigatory and sanctioning powers necessary to fulfil their supervisory duties and including, among other powers, access to any document or data, carrying out on-site inspections and investigations, as well as imposing administrative penalties and remedial measures.
With all its complexity, DORA should not be considered in isolation. Throughout its legislative review much focus has been dedicated to DORA’s interlinkage with other initiatives, notably the revised Directive on Security of Network and Information Systems (the NIS 2 Directive) and pre-existing initiatives such as the European Banking Authority’s (EBA) guidelines on outsourcing arrangements and the EBA guidelines on ICT and security risk management. To provide more clarity on the relationship between DORA and the NIS 2 Directive, the Commission has published guidelines. In this context it is also important to note a new regime for critical third-party providers that is currently being developed in the UK, which is likely to be an important point of consideration for firms with both EU and UK presence.
DORA will become applicable on 17 January 2025. In the meantime, a whole set of secondary legislation that will set out detailed, technical rules specifying some of the key provisions of DORA will have to be developed. This work is already well under way, with the relevant rules being at different stages of development and the great majority still pending formal approval. This means that intense regulatory work is likely to continue until the very last moments ahead of the DORA’s application.
As outlined above, DORA sets out very detailed rules for financial entities and critical ICT third-party service providers. While some of them might be a harmonisation of what certain financial entities already do or are already subject to, for some others, including those smaller firms or those that will enter the European regulatory perimeter by means of authorisation as CASPs, compliance with DORA’s requirements might prove to be a challenge. Overall, DORA will have a significant impact on in-scope firms’ governance structures and processes. While some of the biggest and most sophisticated financial services firms’ are already likely to have complex ICT systems and procedures in place, conducting their review and adaptation to DORA’s standards will be a complex task. Integrating financial institutions’ management bodies so that they play an active role in the ICT risk management framework may require an in-depth evaluation of the internal governance arrangements.
As 17 January 2025 is fast approaching, in-scope entities, including European financial entities as well as entities that can potentially be designated as critical ICT third-party service providers should start reviewing their internal arrangements and third-party contracts with a view to getting ready to ensure timely compliance. This review should include, but not be limited to, making an inventory of third-party ICT services arrangements and considering them in the content of DORA’s requirements.
Norton Rose Fulbright has a multi-disciplinary team of specialised lawyers, risk advisory and compliance experts with relevant expertise to provide comprehensive DORA support. Our relevant practices include:
Publication
Executive Vice President Vestager’s momentous tenure as Commissioner responsible for EU competition policy is nearing its end.
Publication
On November 28, 2023, the European Commission (EC) adopted its first list of Projects of Common Interest (PCIs), i.e., projects within the EU territory, and Projects of Mutual Interest (PMIs), i.e., projects connecting the EU with other countries, including 166 projects implementing the European Green Deal.
Publication
The Securities and Futures Commission (SFC) and the Stock Exchange of Hong Kong Limited (SEHK) issued a Joint Statement on 18 October 2024 in relation to an enhancement in the timeline for the IPO1 application process (Enhanced Application Timeframe) by new listing applicants (the Applicants), taking effect immediately.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023