On 16 January 2023 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) entered into force. DORA is the first European-level legislation aiming to introduce a harmonised and comprehensive framework on digital operational resilience for European financial institutions. Since the post-2008 sweep of financial services regulatory reform focused mainly on strengthening the financial resilience of the sector and addressed Information and Communication Technology (ICT) risk only as a side matter, the European Commission’s underlying intention for DORA was to address gaps in the European sectoral financial services legislation, which to date has provided a fragmented approach to operational resilience. In addition, one of the most significant implications of DORA is that it will bring within the scope of European financial services supervision those ICT third-party service providers that are designated as critical. DORA is accompanied by Directive (EU) 2022/2556, which amends certain pieces of European financial services legislation, including MiFID II, as regards digital operational resilience.
With DORA being new and complex legislation, we set out below 10 key things to know about it:
(1) Scope and Proportionality
DORA will have a very broad application and will cover all authorised European financial entities, altogether 20 types of them. These are: credit institutions, payment institutions, account information service providers and electronic money institutions; investment firms; crypto-asset service providers (CASPs) that will be authorised under the Markets in Crypto-Assets Regulation (MiCA), as well as issuers of asset-referenced tokens; central securities depositories (CSDs); central counterparties (CCPs); trading venues; trade repositories; alternative investment fund managers (AIFMs); management companies; data reporting service providers; insurance and reinsurance undertakings; insurance and reinsurance intermediaries (including ancillary insurance intermediaries); institutions for occupational retirement provision; credit rating agencies; administrators of critical benchmarks; crowdfunding service providers; and securitisation repositories. As mentioned earlier, DORA will also apply to ICT third-party service providers.
Notwithstanding its intentionally broad scope, DORA provides some elements of proportionality. In line with the general principle of proportionality, in-scope financial entities will be required to comply with DORA taking into account their size and overall risk profile, as well as the nature, scale and complexity of their services, activities and operations. DORA also provides limited exemptions or simplified requirements for financial entities that meet the criteria of a “microenterprise”, as well as for small and non-interconnected investment firms, payment and electronic money institutions exempted under their sectoral legislation, small institutions for occupational retirement provision and institutions exempt from the Capital Requirements Directive. Conversely, some of the most advanced digital testing requirements will apply only to the largest, “significant” financial entities.
(2) ICT Risk Management and Internal Governance Arrangements
DORA will require financial entities to have in place comprehensive internal governance and control frameworks for the “effective and prudent” management of ICT risk. It places explicit and ultimate responsibility on the management body of a financial entity for defining, approving and overseeing the implementation of all arrangements relating to the ICT risk management framework; the relevant elements of the management body’s responsibilities are set out in the legislation. In addition, financial entities, with the exception of microenterprises, will have to establish a role to monitor the arrangements concluded with ICT third-party service providers, or designate a member of senior management to oversee the related risk exposures and documentation.
Financial entities will be obliged to build and maintain, and subject to regular audit, a sound, comprehensive and well-documented ICT risk management framework consisting of strategies, policies, procedures, ICT protocols and tools. They will be required to use and maintain updated ICT systems, protocols and tools, and to identify and detect developments that could be a source of ICT risk, in particular configurations that interconnect with internal and external ICT systems. DORA sets out prescriptive measures that financial entities will need to comply with for protection and prevention, detection, and response and recovery in respect of ICT risk, including a dedicated and comprehensive ICT business continuity policy and plans, notably in respect of critical or important functions outsourced or contracted through arrangements with ICT third-party service providers. As part of their business continuity policy, financial entities will have to conduct a business impact analysis (BIA) of their exposures to severe business disruptions; they will also have to establish a crisis management function, ready to manage internal and external crisis communications if an ICT business continuity plan is activated.
Finally, financial entities will have to have in place backup policies and recovery methods (including, for example, a specific obligation for CSDs to maintain at least one secondary processing site), as well as appropriate “learning and evolving” frameworks allowing them to gather information on vulnerabilities and cyber threats and to analyse the likely impact of those on their digital operational resilience. Staff and senior management will have to undertake compulsory digital operational resilience training. Financial entities should also have measures in place to monitor the effectiveness of the implementation of their digital operational resilience strategy, together with crisis communication plans and internal and external communication policies.
(3) ICT Related Incidents: Management, Classification and Reporting
DORA will require financial entities to establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents, and to record them together with significant cyber threats. Financial entities will also have to classify ICT-related incidents and determine their impact in accordance with a set of prescribed criteria, the details of which are to be set out in secondary legislation. Adding to the already existing complexity of regulatory reporting, DORA will require financial entities to report major ICT-related incidents to competent authorities; this reporting obligation may be outsourced to a third-party service provider. Reporting templates, their content and the time limits for the submission of initial notifications and subsequent reports are to be set out in secondary legislation.
(4) Digital Operational Resilience Testing
Within the context of their ICT risk management framework, financial entities will have to put in place a sound and comprehensive digital operational resilience testing programme, comprising a range of assessments, tests, methodologies, practices and tools. Testing should follow a risk-based approach and be carried out by an independent party, whether internal or external. In addition, significant financial entities will be required to carry out, at least every three years, advanced testing by means of threat-led penetration testing (TLPT).
(5) Management of ICT Third-Party Risks and Contractual Arrangements
As indicated earlier, one of the objectives of DORA is to provide a framework for the principle-based, sound management of ICT third-party risk. The legislation sets out the relevant principles, including in respect of contractual arrangements, taking into account the principle of proportionality. Financial entities will have to establish a strategy on ICT third-party risk, and will only be able to enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. DORA specifies the circumstances in which such contractual arrangements should be terminated and requires financial entities to have exit strategies in place for ICT services supporting critical or important functions. Among other obligations, financial entities will have to perform a preliminary assessment of ICT concentration risk at entity level, weighing the benefits and costs of alternative solutions where applicable. Finally, DORA sets out a list of elements that a contractual arrangement between a financial entity and an ICT third-party service provider will have to include.
(6) Critical ICT Third-Party Service Providers and Oversight Framework
As indicated earlier, DORA sets out a separate set of provisions applicable to critical ICT third-party service providers, which, in accordance with the Commission’s proposal, will be designated by the European Supervisory Authorities’ (ESAs) Joint Committee on the basis of a list of criteria set out in DORA and specified in secondary legislation. DORA sets out limited exemptions from the designation rules, including for the intra-group provision of ICT services. As an alternative to the top-down designation process, DORA allows an ICT third-party service provider to opt in to the oversight regime. In respect of cross-border arrangements, financial entities will not be able to use the services of an ICT third-party service provider that is designated as critical but established in a third country unless that service provider has established a subsidiary in the EU within the 12 months following its designation.
DORA sets out the structure of an Oversight Framework composed of the Oversight Forum and a Lead Overseer (one of the ESAs). The Lead Overseer will have far-reaching powers, including the power to request access to relevant information, to conduct general investigations and inspections, and to impose periodic penalty payments where a critical ICT third-party service provider fails to comply with measures the Lead Overseer requires it to undertake. DORA also sets out the modalities for the Lead Overseer to exercise its powers outside the EU.
(7) Information sharing arrangements
DORA will permit, but not mandate, financial entities to exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools.
(8) Supervision and Enforcement
In terms of the supervisory framework and enforcement, DORA places supervision of compliance with its requirements with the competent authorities responsible for overseeing the respective in-scope financial entities. To this end, competent authorities will have all the supervisory, investigatory and sanctioning powers necessary to fulfil their duties, including, among others, access to any document or data, the carrying out of on-site inspections and investigations, and the imposition of administrative penalties and remedial measures.
(9) Interlinkage with other regulatory requirements
With all its complexity, DORA should not be considered in isolation. Throughout the legislative review much attention was devoted to DORA’s interlinkage with other initiatives, notably the revised Directive on security of network and information systems (the NIS 2 Directive), as well as pre-existing initiatives such as the European Banking Authority’s (EBA) guidelines on outsourcing arrangements and the EBA guidelines on ICT and security risk management. In this context it is also important to note the new regime for critical third-party providers that is currently being developed in the UK.
(10) Next steps
DORA will apply from 17 January 2025. In the meantime, a whole set of secondary legislation setting out detailed technical rules specifying some of DORA’s key provisions will have to be developed. This work is already under way: the European Commission has issued a letter to the ESAs setting out the scope of its Call for Technical Advice on two delegated acts, one specifying the fees to be collected from critical ICT third-party service providers and one specifying the criteria for assessing the criticality of ICT third-party service providers. In respect of the regulatory technical standards, the ESAs are required to submit the drafts to the European Commission by 17 January 2024, so intense regulatory work is likely to continue throughout 2023.
As outlined above, DORA sets out very detailed rules for financial entities and critical ICT third-party service providers. While some of them may harmonise what certain financial entities already do or are already subject to, for others, including smaller firms or those that will enter the European regulatory perimeter by means of authorisation as CASPs, compliance with DORA’s requirements may prove to be a challenge. Overall, DORA is expected to have a significant impact on in-scope firms’ governance structures and processes. While the biggest and most sophisticated financial services firms are likely to already have complex ICT systems and procedures in place, reviewing them and adapting them to DORA’s standards is likely to be a complex task. Ensuring that financial institutions’ management bodies play an active role in the ICT risk management framework may require an in-depth evaluation of internal governance arrangements.
In light of the relatively short implementation timeframe, in-scope entities, including European financial entities as well as entities that could potentially be designated as critical ICT third-party service providers, should start reviewing their internal arrangements with a view to ensuring timely compliance. This review should include, but not be limited to, making an inventory of third-party ICT service arrangements and considering them in the context of DORA’s requirements.
How can we help
Norton Rose Fulbright has a multi-disciplinary team of specialised lawyers, risk advisory and compliance experts with relevant expertise to provide comprehensive DORA support. Our relevant practices include:
- Financial Services Regulatory: Our global financial services and regulation practice helps our clients navigate the evolving and increasingly complex regulatory environment, working seamlessly across major business and financial hubs. We have broad expertise advising clients on all aspects of governance arrangements, outsourcing and third party risk management.
- Information, Governance, Privacy and Cybersecurity: Our dedicated global practice of information governance, privacy and cybersecurity lawyers helps clients manage legal risks related to cybersecurity, privacy, data governance, information technology, and intellectual property.
- Technology Consulting: Effective implementation and adoption of any technology requires a deep understanding of what is technically possible and operationally feasible. Our technology consulting practice provides the technical knowledge to help clients take full advantage of new and emerging technologies; together with our legal and compliance experts, we help to devise and implement technologically savvy compliance arrangements.
- Sourcing and Technology: Our global team of sourcing and technology lawyers use their industry knowledge to provide commercial legal advice on all aspects of sourcing transactions in areas including emerging technologies and intellectual property to multi-jurisdictional data transfer and regulation. We regularly advise clients on the most complex outsourcing transactions and third-party contractual arrangements in the market.
- Risk Advisory and Risk Consulting: Our global risk advisory and risk consulting practice, comprising risk, compliance and industry specialists, works closely with our lawyers to deliver a combination of skills and experience that can meet the increasingly complex risk challenges facing your business. We regularly advise clients on issues relating to operational resilience, including operational resilience frameworks, crisis scenario planning and response and operational resilience enhancement and good practice.
- Government Relations and Public Policy: Our government relations and public policy practice helps clients promote policy change, shape draft legislation and manage regulatory risk, and tracks all relevant legislative and regulatory developments. We have been closely following the DORA legislative review, and we continue to do so for its secondary legislation.