DORA – Digital Operational Resilience Act Part 2: Outlook and objectives

DORA is intended to counter growing cyber risks. What rules are planned, and who will be affected by them?

We address this in two separate, consecutive blog posts. In the first part, we cover governance and organisation and look at the extensive ICT risk management requirements, ICT-related incident reporting and the risks arising from ICT third-party providers.

In the second part, we give an outlook on upcoming developments, up to the question of how US cloud providers could be motivated to establish branches in the EU.

Part 2 

The European Parliament and the Council are expected to adopt the official text of the regulation in autumn 2022, after which it will be published in the Official Journal of the European Union. DORA is then expected to apply throughout the EU by the end of 2024. Financial institutions and financial service providers should already be planning the implementation of adequate ICT risk management and considering appropriate measures now, rather than waiting for the date of application.

Financial companies have an intrinsic interest in protecting their digital operational resilience and improving their resilience against cyber attacks, because operational disruptions can lead to significant revenue losses and, as a consequence, to severe reputational damage. Large financial institutions as well as FinTechs and BigTechs present a large attack surface, and rapidly advancing digitalisation keeps enlarging it. Both factors reinforce the need for EU-level measures to strengthen the digital operational resilience of financial companies.

Because financial companies are usually very strongly interconnected, even a localised cyber incident can pose enormous systemic risks for the financial sector and endanger financial stability. The products and services provided by financial companies are often fundamental to the functioning of society. A cyber attack therefore frequently imposes very high costs on society as well as on the affected financial companies.

On the one hand, financial companies may be deterred from reporting cyber incidents to the relevant authorities in view of the reporting costs and possible reputational damage. On the other hand, cyber incident reports could generate significant external benefits, since other financial companies could use them to identify and close the same security gaps. Mandatory reporting is therefore justified. Where the proposed regulation falls short, in our view, is proportionality: financial companies' ICT risk management should focus on the elements that are critical to digital operational resilience, whereas DORA covers all physical components, infrastructures, premises and data centres, regardless of the operational risk they carry.

DORA requires financial companies to terminate contracts with ICT third-party providers if the providers violate laws, regulations, directives or contractual terms, or if a financial supervisory authority orders the termination.

This is likely to increase the operational risk for financial companies, because suitable alternative providers are difficult to find on an ad hoc basis. Instead, DORA should promote close coordination between the parties concerned, set out a graduated catalogue of sanctions and at least provide for transition periods. A strict contract termination mandate should be a last resort.

The restriction on concluding IT supply contracts with critical ICT third-party providers from third countries is a strong interference in the contractual freedom of European financial companies. The measure could paradoxically run counter to the strengthening of digital operational resilience: financial companies could find themselves forced to contract providers with a lower level of cyber maturity. The restriction thus has the potential to limit the choice of, and access to, more cyber-secure and innovative ICT solutions, products and services.

The EU Commission's goal of reducing the European financial sector's dependence on US cloud providers should not degenerate into action for its own sake. A more targeted measure would be to use regulation to encourage these providers to establish branches in the EU, so that local supervisory authorities could monitor them more effectively with regard to operational risks.

In 2023 the European Banking Authority (EBA) will have the mandate to create the regulatory framework for MiCAR and, together with the other European Supervisory Authorities (EIOPA and ESMA), for DORA. In addition to its supervisory duties, the EBA is entrusted with developing supervisory guidelines and procedures, as well as guidelines to ensure the exchange of information between all relevant parties. These include, among others, regulated issuers of crypto-assets, national competent authorities, the ECB and other relevant central banks. The timeline is tight, as all of this has to be in place before the date on which MiCAR and DORA apply. The framework to be developed for DORA will provide a supervisory framework to ensure the monitoring and mitigation of cyber risks and ICT-related incidents. For MiCAR, on the other hand, the EBA will have to develop specific requirements for issuing crypto-assets and offering crypto-services.

Source of the figure: EU Digital Operational Resilience Act (DORA) | Compliance | Haufe


Authors:
Salar Hydary (working student, Consulting Payments)
Judith Petersen (Senior Manager, Consulting Payments)

DORA – Digital Operational Resilience Act: Part 1: Why digital operational resilience should be assessed uniformly at EU level


Part 1

The European Commission, the Council of the European Union and the European Parliament reached a preliminary agreement on the Digital Operational Resilience Act (DORA) proposal on 22 May 2022. DORA thus moves to centre stage as an integral part of the strategy to digitise the entire European financial sector. The European Commission first published the legislative proposal for DORA on 24 September 2020 as part of the digital finance package, which it adopted in the same month to advance cross-border digitalisation.
The digital finance package includes the following parts:

  • Strategy for the digitalisation of the financial sector
  • Legislative proposals on crypto assets (markets in crypto-assets regulation, pilot regime for market infrastructures based on distributed ledger technology, transfer of funds regulation)
  • Legislative proposals on the operational resilience of digital systems (DORA) of the financial sector
  • Retail payments strategy

The digital finance package was completed with two important crypto regulations, the markets in crypto-assets regulation (MiCAR) and the transfer of funds regulation (ToFR). On 30 June 2022, the European Union gave the green light to MiCAR for the supervision of the crypto industry.
One day earlier, on 29 June 2022, the European Parliament and the Council had reached an agreement on the ToFR.
The aim of DORA is to ensure financial stability, consumer protection and market integrity on the one hand, and to effectively remove regulatory barriers in the financial sector through legal harmonisation on the other. It also creates an EU-wide, cross-sector framework to manage and mitigate the risks associated with information and communication technologies (ICT risks). DORA affects traditional financial players such as banks, insurance companies and investment firms, but also FinTechs and BigTechs, crypto service providers and trading venues. Micro-enterprises, i.e. enterprises that employ fewer than 10 people and whose annual turnover or annual balance sheet total does not exceed EUR 2 million, are excluded from the scope of application (Art. 3(1) No. 50 in conjunction with Art. 2(3) of the Annex to Recommendation 2003/361/EC).

Governance and organisation
Financial institutions and financial service providers must have internal governance and control frameworks that ensure the effective and prudent management of all ICT risks (Art. 4 para. 1). They must have a robust, comprehensive and well-documented ICT risk management framework that enables them to address ICT risks directly and effectively (Art. 5 para. 1). The management body defines, approves and monitors the ICT risk management framework and is accountable for its implementation. To ensure well-functioning governance, budget must be allocated for investments in ICT resources, including ICT risk training for employees (Art. 4 para. 2).

Requirements for ICT risk management
The requirements DORA places on adequate ICT risk management call for specific functions. The ICT risk management framework must be documented and reviewed at least annually, as well as upon the occurrence of major ICT-related incidents and following findings from digital operational resilience testing or audit processes. The aim is to identify potential threats at an early stage, gain insights and ensure continuous improvement of ICT risk management (Art. 5 para. 9 DORA).
ICT management must ensure protection and prevention against cyber attacks, or at least minimise exposure to cyber incidents, and implement policies and procedures that ensure the "resilience, continuity and availability of ICT systems" and "high standards of security, confidentiality and integrity of data" (Art. 8 para. 2).
Financial institutions and financial service providers must implement response and recovery measures designed to react promptly, effectively and appropriately to all ICT-related incidents, in particular cyber attacks, so as to limit damage, ensure the resumption of activities and restore operations as far as possible (Art. 10 para. 2). Mechanisms that both detect vulnerabilities and record all ICT-related incidents are essential to this.
As market players with a strong customer focus and a reputation for integrity, financial institutions and financial service providers must have communication plans in place that "enable the responsible disclosure of ICT-related incidents or significant vulnerabilities to customers and other financial companies, as well as to the public" (DORA Art. 13 para. 1).

Reporting ICT-related incidents
DORA requires financial institutions and financial service providers to implement management procedures to monitor, identify, classify, track, log and report major ICT-related incidents to the competent authorities (Art. 15 para. 1).
The addressees of major ICT incident reports are the competent national authorities. These authorities in turn pass relevant details of the incidents on to other institutions and agencies, such as the European Supervisory Authorities (ESAs), the European Central Bank (ECB) or the single points of contact designated under the directive on security of network and information systems (NIS Directive). Centralised reporting of major ICT-related incidents at Union level is also envisaged. Financial companies will be required to submit initial, intermediate and final reports. If an ICT-related incident affects the financial interests of service users and customers of the financial company concerned, they must be informed without undue delay (Art. 17 para. 2).

An essential task of the ESAs is to publish an anonymised annual report that summarises the notifications of major ICT-related incidents received by the competent authorities. It covers at least the number of major incidents, their nature, their impact on the operations of financial companies or their customers, and the costs incurred (Art. 20 para. 2). In addition, the proposed regulation obliges financial institutions to ensure that contracts for the use of ICT services can be terminated if ICT third-party providers violate applicable laws, regulations or contractual terms (Art. 25 para. 8).

Testing digital operational resilience
The ICT risk management of financial institutions and financial service providers must be assessed regularly for its preparedness, for the detection of vulnerabilities, deficiencies or gaps, and for the prompt implementation of corrective measures. ICT systems must be tested thoroughly on a regular basis; such testing must be performed at least once a year and documented accordingly. Prevention, detection, response and recovery tests are essential to comprehensively address any vulnerabilities, deficiencies or gaps (Art. 21 para. 5).

The most important instruments for testing digital operational resilience are the following (Art. 22):

  • Vulnerability assessments and scans
  • Open source analyses
  • Network security assessments
  • Gap analyses
  • Physical security reviews
  • Physical security checks
  • Questionnaires and scanning software solutions
  • Source code reviews, as far as practicable
  • Scenario-based tests
  • Compatibility tests
  • Performance tests
  • End-to-end tests
  • Threat-led penetration tests


How demanding the resilience tests have to be depends largely on the size, business and risk profile of each financial company.
Particularly high requirements for digital operational resilience testing apply to major institutions in the payments sector, for example large credit institutions, large payment institutions and large e-money institutions. The same applies to sub-sectors that play a central role in payments, banking, clearing and settlement.

Risks from ICT third-party providers
DORA places a special focus on EU supervision of so-called ICT third-party providers and the associated ICT third-party risk. The outsourcing of digital functions plays an important role in the ICT strategy of financial companies today, and this is where ICT third-party providers come in. They offer financial companies storage space or computing power (infrastructure as a service), development and runtime platforms (platform as a service) and software applications (software as a service).
Outsourcing can only work if financial institutions can fully monitor and control the outsourced processes. Financial companies that use ICT services from ICT third-party providers remain responsible for ensuring compliance with DORA (Art. 25 para. 1). If a financial company finds that an ICT third-party provider violates applicable laws, regulations or contractual conditions in the provision of its IT services, the contract with the provider must be terminated (Art. 25 para. 8). Financial companies therefore need exit strategies in place to deal with the failure of ICT third-party providers. Terminating a contract must not conflict with compliance with regulatory requirements or impair the quality of the services offered (Art. 25 para. 9).
In summary, DORA aims to create an EU supervisory framework for "critical" ICT third-party providers (Art. 28 para. 1). DORA grants the financial company the right to fully monitor the services provided by the ICT third-party provider (Art. 27 para. 2). Furthermore, the competent financial supervisory authorities may require financial companies to temporarily suspend some or all of their contracts with ICT third-party providers until the identified risks have been addressed. If necessary, authorities may require financial companies to terminate, in whole or in part, the relevant contractual arrangements concluded with critical ICT third-party providers (Art. 37 para. 3).
Before concluding a contract with an ICT third-party provider, financial institutions and financial service providers must assess whether the supplier is to be classified as a critical provider or whether it supports critical or important functions. They must also assess whether the provider is substitutable and whether several contractual arrangements are concentrated with the same provider (Art. 25 para. 5). This assessment matters because financial companies may not maintain contractual relationships with critical ICT third-party providers that are based outside the EU and have not established a presence in the EU (Art. 28 para. 9).
