DORA – Digital Operational Resilience Act Part 2: Outlook and objectives

DORA is intended to counter the growing cyber risks. What regulations are planned? Who will be affected by the regulations?

We want to highlight this in two separate and consecutive blog posts. In the first part, we gather information on governance and organisation and look at the extensive ICT risk management requirements, ICT-related incident reporting and risks from ICT third-party providers.

In the second part, we give an outlook on upcoming developments – up to the question of how US cloud providers can be motivated to consider establishing branches in the EU. 

Part 2 

The European Parliament and the Council are expected to adopt the official text of the regulation in autumn 2022, after which it will be published in the Official Journal of the European Union. It is expected that the DORA regulation will apply throughout the EU by the end of 2024. Already at this stage, financial institutions and financial service providers should think about the implementation of an adequate ICT risk management and consider appropriate measures.

Financial companies have an intrinsic interest in protecting their digital operational resilience and improving their resilience against cyber attacks, because operational disruptions can lead to significant revenue losses and – as a result – immense reputational damage. The fact that large financial institutions, FinTechs and BigTechs present a large attack surface, and that the exponentially advancing digitalisation is becoming increasingly relevant, reinforces the need to implement EU measures to strengthen the digital operational resilience of financial companies.

Because financial companies are usually very strongly interconnected, even a localised cyber incident can pose enormous systemic risks for the financial sector and endanger financial stability. The products and services provided by financial companies are often fundamental to the functioning of a society. A cyber attack therefore often means very high costs for society and for the financial companies themselves.

On the one hand, financial companies may be deterred from reporting cyber incidents to the relevant authorities in view of reporting costs and possible reputational damage. On the other hand, cyber incident reports could generate significant external benefits, in that other financial companies could identify and close security gaps. However, the proposed regulation lacks proportionality. Financial companies' ICT risk management should focus only on critical elements of digital operational resilience. DORA, meanwhile, includes all physical components, infrastructures, premises and data centres, regardless of their operational risk.

DORA requires financial companies to terminate contracts with critical ICT third-party providers if they violate laws, regulations, directives or contract terms, or if they are forced to do so by a financial supervisory authority.

This is likely to increase the operational risk for financial companies because it may be difficult to find suitable alternative providers on an ad hoc basis. Instead, DORA should promote a close coordination between the players concerned, articulate a catalogue of sanction levels and at least provide for transition periods. A strict contract termination mandate should be a last resort.

The restriction on concluding IT supply contracts with critical ICT third-party providers from third countries is a strong interference in the contractual freedom of European financial companies. This measure could paradoxically run counter to the strengthening of digital operational resilience, as financial companies could find themselves forced to contract providers that have a lower level of cyber maturity. This restriction has the potential to limit the selection and access to more cyber-secure and innovative ICT solutions, products and services.

The EU Commission's goals of reducing the European financial sector's dependence on US cloud providers should not turn into actionism. A more targeted measure would be to use regulatory measures to encourage these providers to establish branches in the EU so that they could be monitored more effectively by the local supervisory authorities in connection with operational risks.

In 2023 the European Banking Authority (EBA) will be responsible for the mandate to create the regulatory framework for MiCAR and DORA. In addition to its supervisory duties, the EBA is entrusted with the task of developing supervisory guidelines and procedures, as well as guidelines to ensure the exchange of information between all relevant parties. These include, among others, regulated issuers of crypto-assets, national competent authorities, the ECB and other relevant central banks. The time for this is tight, as everything has to happen before the date on which MiCAR and DORA apply. The framework to be developed for DORA will provide a supervisory framework to ensure the monitoring and mitigation of cyber risks and ICT-related incidents. For the MiCAR regulation, on the other hand, the EBA will have to develop specific requirements for issuing crypto-assets and offering crypto-services.

Source of the figure: EU Digital Operational Resilience Act (DORA) | Compliance | Haufe

Salar Hydary (working student, Consulting Payments)
Judith Petersen (Senior Manager, Consulting Payments)
