DORA et labora

The new EU regulation to strengthen digital operational resilience aimed at financial entities – also known as DORA – places heavy demands on certain companies.

Which companies are affected by the regulation, and what do they need to do? I will answer these questions in my blog post.

Although DORA entered into force on 17 July 2023, firms will be given a two-year window to comply with its rules.

This is similar to what happened during the rollout of the GDPR. The regulation was first enacted with mandatory compliance with its rules coming only later.

Any company that wishes to delay taking up the matter until 2025 would be well advised to remember the hectic months prior to the deadline to meet the rules imposed by the GDPR. They would be better off if they took the time now to explore how DORA will actually impact their company, seeing as the new regulation will likely mean a lot of extra work for some firms.

What is meant by ‘digital operational resilience’?

Financial entities need to run smoothly. Robust ICT systems, resilient processes and the requisite agreements with service providers all ensure this happens.

The regulation provides a more detailed definition of the concept.

Under it, digital operational resilience is defined as ‘the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions’. (Article 3(1) DORA)

What is regulated under DORA?

DORA establishes ‘uniform requirements concerning the security of network and information systems supporting the business processes of financial entities’ (Art. 1(1) DORA)

Here are just a few of the requirements:

• 1. Requirements applicable to financial entities in relation to

  • a. ICT risk management
  • b. reporting of major ICT-related and payments incidents as well as – on a voluntary basis – cyber threats to the competent authorities
  • c. digital operational resilience testing
  • d. sharing information and intelligence on cyber threats and vulnerabilities
  • e. measures for a sound management by financial entities of the ICT third-party risk
• 2. Requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities
• 3. Rules on the establishment and implementation of the oversight framework for critical ICT third-party service providers when providing services to financial entities
• 4. Rules on cooperation among competent authorities and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.

What are the active parties?

In broad terms, there are three types of active party:

• 1. Financial entities
• 2. ICT third-party service providers
• 3. Supervisors

Financial entities

The requirements set out in DORA (Article 2(1)) apply to all

• credit institutions,
• payment institutions,
• account information service providers,
• electronic money institutions,
• investment firms,
• crypto-asset services providers,
• central securities depositories,
• trading venues,
• trade repositories,
• managers of alternative investment fund,
• management companies,
• data reporting service providers,
• insurance and reinsurance undertakings,
• insurance intermediaries and reinsurance intermediaries,
• institutions for occupational retirement pensions,
• rating agencies,
• crowdfunding service providers,
• and so forth.

The financial entities concerned can be divided into two groups:

1. Financial entities that already have to meet strict requirements regarding information security imposed by the German Federal Financial Supervisory Authority (BaFin) (banks, insurance companies, payment service providers, capital management companies).

They know the ‘regulatory IT requirements’ issued by BaFin (xAIT) that apply to them. Along with that, the firms typically have functioning management systems for information security, risks, emergencies and service providers and operate an IT service management system aligned to their needs.

DORA adds a variety of other aspects to the existing topics. The challenge is to assess the new requirements and implement them correctly in the existing management systems.

2. Financial entities that have so far only had to provide for a basic level of protection.

In this case, it is important to run through all of the requirements.

Readiness checks have proven an excellent option here since they make it possible to meet the requirements in a structured way by asking targeted questions and making use of the answers to develop action plans.

The regulation defines proportionality thresholds in order to keep the work required of financial entities within the scope of what is possible.

There are the following types of financial entities:

• microenterprises that employ fewer than ten people and whose annual turnover and/or balance sheet total does not exceed €2 million
• small enterprises that employ ten or more persons, but fewer than 50 persons, and have an annual turnover and/or annual balance sheet total that exceeds €2 million, but does not exceed €10 million
• medium-sized enterprises that employ between 50 and 250 persons and have an annual turnover that does not exceed €50 million and/or that have an annual balance sheet that does not exceed €43 million.
• all companies that exceed the requirements for medium-sized companies.

In particular, microenterprises benefit from a simplified ICT risk management framework and are not required to set up an office to monitor ICT third-party service provider arrangements, review the ICT risk management framework at least once annually, conduct regular risk analyses on ICT legacy systems, establish a crisis management function, maintain redundant ICT capacity or set up a comprehensive digital operational resilience testing scheme.

All other financial services providers must comply with these and other requirements.

Financial entities are obliged to develop and regularly conduct mandatory ICT security and digital operational resilience training for all employees and, where appropriate, for ICT third-party service providers as well. The training shall have a level of complexity ‘commensurate to the remit of their functions’ (Art. 13(6) DORA).

ICT third-party service providers

In addition to the financial entities that fall under the regulation, DORA also requires their service providers to guarantee stable service provision. An ‘ICT third-party service provider’ is defined under Art. 3 No 19 DORA as ‘an undertaking providing ICT services’.

‘ICT services’ means ‘digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services’ (Art. 3 No 21 DORA).

This definition is quite broad, so transparency on both sides is recommended.

Financial entities need to know their relevant ICT service providers, and ICT service providers should make preparations for clients who need to fulfil DORA requirements.

For the sake of completeness, financial entities that ‘have in place contractual arrangements for the use of ICT services to run their business operations shall, at all times, [remain] fully responsible for compliance with, and the discharge of, all obligations under this Regulation and applicable financial services law’ (Article 28(1)(a) DORA).

Financial entities are therefore required to ensure that their ICT service providers (as well as their subcontractors) are working according to proper procedure and that they manage ‘ICT third-party risk’.

Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When exercising rights of access, inspection and audit in relation to the ICT third-party service provider, financial entities shall determine in advance, on the basis of a risk-based approach, the frequency of audits and inspections and the areas to be audited.

Financial entities shall also ensure that contractual arrangements meet defined minimum standards and can be terminated, for example, if the risks are too high.

Exit strategies and plans must be put in place with regards to ICT services that support critical or important functions of the financial entity.

Supervisors

DORA has been published but is not yet fully fleshed out.

On 17 January 2024 or six months thereafter, technical regulatory standards will be made available by the European banking regulator, covering, among others, the topics of:

• network security,
• safeguards against intrusions and misuse of data,
• controls of access management rights,
• detection of anomalous activities and monitoring of anomalous behaviour and response processes,
• ICT business continuity planning,
• review of the ICT risk management framework,
• classification of ICT-related incidents and cyber threats,
• reports of serious ICT-related incidents,
• advanced testing of ICT tools, systems and processes based on TLPT,
• key principles for sound ICT third-party risk management;
• harmonisation of the requirements for carrying out monitoring activities.

In addition, the European banking regulator also classifies ICT third-party service providers as critical and thus subject to special oversight.

And finally, the general conditions under which penalties will be imposed are also defined.

EU Member States will be required to ensure that their competent national authorities effectively monitor compliance with the DORA requirements. Furthermore, penalties shall be ‘effective, proportionate and dissuasive’ (Article 50(3) DORA), taking into account the circumstances of the individual case. Similarly, public authorities may adopt any ‘type of measure, including of a pecuniary nature’ (Art. 50(4)(c) DORA) to compel financial entities to remedy breaches of the DORA requirements or to cease any conduct that the competent authority considers to be contrary to the provisions of DORA.

Conclusion

Even if specific questions remain unanswered today, the objective of DORA is clear.

It is difficult to fulfil all the requirements and requires the coordinated action of different corporate units.

That is why it is important for financial entities and ICT service providers to take the following steps early on in the process:

• 1. Evaluate the requirements and determine the degree of fulfilment
• 2. Identify fields of action
• 3. Create a roadmap
• 4. Implement work packages
• 5. Carry out a target/performance comparison

They also need to mark requirements that have not yet been met as ICT risks in line with the rules set out in DORA.

Would you like to learn more about exciting topics from the adesso world? Then take a look at our blog posts that have appeared so far.