DORA is intended to counter the growing cyber risks. What regulations are planned? Who will be affected by the regulations?
We want to highlight this in two separate, consecutive blog posts. In this first part, we look at governance and organisation, the extensive ICT risk management requirements, the reporting of ICT-related incidents and the risks arising from ICT third-party providers.
In the second part, we give an outlook on upcoming developments – up to the question of how US cloud providers can be motivated to consider establishing branches in the EU.
Part 1
The European Commission, the Council of the European Union and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA) proposal on 22 May 2022. DORA thereby moves to centre stage as an integral part of the strategy to digitise the entire European financial sector. The Commission had first published the legislative proposal for DORA on 24 September 2020 as part of its digital finance package, which it adopted on the same day to drive the cross-border digitalisation of financial services.
The digital finance package includes the following parts:
- Strategy for the digitalisation of the financial sector
- Legislative proposals on crypto assets (markets in crypto-assets regulation, pilot regime for market infrastructures based on distributed ledger technology, transfer of funds regulation)
- Legislative proposals on the operational resilience of digital systems (DORA) of the financial sector
- Retail payments strategy
The crypto side of the package was completed with two important regulations: the markets in crypto-assets regulation (MiCAR) and the transfer of funds regulation (ToFR). On 30 June 2022, the Council and the European Parliament reached a provisional agreement on MiCAR, which brings the crypto industry under supervision.
One day earlier, on 29 June 2022, the same bodies had already reached agreement on the ToFR.
The aim of DORA is, on the one hand, to safeguard financial stability, consumer protection and market integrity and, on the other, to remove regulatory barriers in the financial sector through legal harmonisation. To this end it creates an EU-wide, cross-sector framework for managing and mitigating the risks associated with information and communication technologies (ICT risks). DORA applies to traditional financial players such as credit institutions, insurance companies and investment firms, but also to FinTechs and BigTechs, crypto-asset service providers and trading venues. Micro-enterprises, i.e. undertakings that employ fewer than 10 persons and whose annual turnover or annual balance sheet total does not exceed EUR 2 million, are excluded from the scope of application (Art. 3 (1) No. 50 DORA in conjunction with Art. 2 (3) of the annex to Recommendation 2003/361/EC).
Control and organisation
Financial institutions and financial service providers should have an internal governance and control framework that ensures the effective and prudent management of all ICT risks (Art. 4 para. 1), and a robust, comprehensive and well-documented ICT risk management framework that enables them to address ICT risks quickly, efficiently and comprehensively (Art. 5 para. 1). The management body defines, approves and oversees the ICT risk management framework and is accountable for its implementation. For this governance to work in practice, budget must be allocated for investment in ICT resources, including ICT risk training for staff (Art. 4 para. 2).
Requirements for ICT risk management
The requirements DORA lays down for adequate ICT risk management call for specific functions. The ICT risk management framework must be documented and reviewed at least once a year, as well as upon the occurrence of major ICT-related incidents and following conclusions drawn from digital operational resilience testing or audit processes. The aim is to identify potential threats at an early stage, learn from them and continuously improve ICT risk management (Art. 5 para. 9 DORA).
The ICT risk management framework must protect against and prevent cyber attacks, or at least minimise exposure to cyber incidents, and implement policies and procedures that ensure the "resilience, continuity and availability of ICT systems" and "high standards of security, confidentiality and integrity of data" (Art. 8 para. 2).
Financial institutions and financial service providers should put in place an ICT strategy that lets them respond promptly, effectively and appropriately to all ICT-related incidents, in particular cyber attacks, so as to limit damage, ensure the resumption of activities and restore operations as far as possible (Art. 10 para. 2). Mechanisms that both detect vulnerabilities and record all ICT-related incidents are essential for this.
Because financial institutions and financial service providers are market players with a strong customer focus and a reputation for integrity to protect, they should have communication plans in place that "enable the responsible disclosure of ICT-related incidents or major vulnerabilities to customers and other financial companies, as well as to the public" (DORA Art. 13 para. 1).
Reporting ICT-related incidents
DORA requires financial institutions and financial service providers to establish a management process to monitor, identify, classify, track, log and report major ICT-related incidents to the competent authorities (Art. 15 para. 1).
Reports of major ICT-related incidents are addressed to the competent national authorities. These authorities in turn pass relevant details of the incident on to other institutions and bodies, such as the European Supervisory Authorities (ESAs), the European Central Bank (ECB) or the single points of contact designated under the directive on security of network and information systems (NIS Directive). DORA also provides for the centralisation of major-incident reporting at Union level. Financial companies will have to submit initial, intermediate and final reports. Where an ICT-related incident has an impact on the financial interests of service users and clients of the financial company, they must be informed without undue delay (Art. 17 para. 2).
An essential task of the ESAs is to publish, every year, an anonymised and aggregated report on the major ICT-related incidents notified by the competent authorities, giving at least the number of major incidents, their nature, their impact on the operations of financial companies or their clients, and the costs incurred (Art. 20 para. 2). In addition, the proposed regulation obliges financial institutions to terminate contracts for the use of ICT services if the ICT third-party provider breaches applicable laws, regulations or contractual terms (Art. 25 para. 8).
Testing digital operational resilience
The ICT risk management of financial institutions and financial service providers must be assessed regularly to check preparedness, identify weaknesses, deficiencies or gaps and promptly implement corrective measures. ICT systems must be thoroughly tested on a regular basis, at least once a year, and the tests documented. A full range of tests covering prevention, detection, response and recovery is required to address any weaknesses, deficiencies or gaps comprehensively (Art. 21 para. 5).
The most important instruments for testing digital operational resilience are the following (Art. 22):
- Vulnerability assessments and scans
- Open source analyses
- Network security assessments
- Gap analyses
- Physical security reviews
- Questionnaires and scanning software solutions
- Source code reviews, where feasible
- Scenario-based tests
- Compatibility testing
- Performance testing
- End-to-end testing
- Penetration testing (supplemented, for significant entities, by advanced threat-led penetration testing, Art. 23)
How demanding the resilience tests have to be depends largely on the size, business and risk profile of each financial company.
Particularly high requirements for digital operational resilience testing apply to major players in the payments sector, for example large credit institutions, large payment institutions and large e-money institutions, and to sub-sectors that play a central role in payments, banking, clearing and settlement.
Risks from ICT third-party providers
DORA places a special focus on the EU oversight of so-called ICT third-party providers and the associated ICT third-party risk. The outsourcing of digital functions today plays an important role in the ICT strategy of financial companies, and this is where ICT third-party providers come in. They provide financial companies with storage and computing capacity (infrastructure as a service), development and runtime platforms (platform as a service) and ready-made software applications (software as a service).
Outsourcing can only work if financial institutions can fully monitor and control the subcontracted processes. Financial companies that use ICT services from ICT third-party providers remain fully responsible for their own compliance with DORA (Art. 25 para. 1). If a financial company finds that the ICT third-party provider breaches applicable laws, regulations or contractual terms in providing the ICT services, the contract with the provider must be terminated (Art. 25 para. 8). Financial companies therefore need exit strategies for the failure of an ICT third-party provider; exiting a contract must neither conflict with regulatory requirements nor impair the continuity and quality of the services offered to clients (Art. 25 para. 9).
In summary, DORA creates an EU oversight framework for "critical" ICT third-party providers (Art. 28 para. 1). DORA grants the financial company the right to fully monitor the services provided by the ICT third-party provider (Art. 27 para. 2). The competent financial supervisory authorities may require financial companies to temporarily suspend some or all of their contracts with critical ICT third-party providers until the identified risks have been addressed and, if necessary, to terminate the relevant contractual arrangements in whole or in part (Art. 37 para. 3).
Before concluding a contract with an ICT third-party provider, financial institutions and financial service providers must assess whether the provider is to be classified as critical or whether the contract covers important digital functions, whether the provider is substitutable, and whether several contracts are already in place with it (Art. 25 para. 5). This assessment matters because financial companies may not enter into contractual relationships with critical ICT third-party providers that are established outside the EU (Art. 28 para. 9).
Authors:
Salar Hydary (working student, Consulting Payments)
Judith Petersen (Senior Manager, Consulting Payments)