The DORA (Digital Operational Resilience Act) European Directive will apply to the 27 EU Member States from January 2025 onwards. As an EU legislative tool, it is intended to boost the resilience of the financial sector, whose activities are increasingly digital-based and therefore exposed to growing cyber risks.
The Directive will require firms to adopt a broader business view of resilience, with accountability clearly established at the senior management level. In particular, it applies to 21 types of entities, among which are credit institutions, payment institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings.
The regulation aims to consolidate and upgrade information and communications technology (“ICT”) risk requirements in the financial sector in a single European legal act. DORA will introduce targeted rules in respect of ICT risk-management capabilities, incident reporting, operational resilience testing and ICT third-party risk monitoring.
For the purposes of DORA, ‘digital operational resilience’ is defined as the ‘ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third–party service providers, the full range of ICT–related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions’.
The five pillars of DORA — what does the DORA mean for firms in the financial sector?
DORA will apply to over 22,000 financial entities and ICT service providers operating in the EU, which will be obliged to:
- Manage the risks associated with information and communication technologies (ICT): the DORA Directive highlights the need to implement a system to deal with ICT risks. The DORA text stresses the fact that “the financial entities’ management bodies should be required to maintain a pivotal and active role in steering and adapting the ICT risk management framework and the overall digital operational resilience strategy.”
DORA clearly obliges the management body of a financial entity to take full responsibility for managing IT risks, defining and approving the disruption tolerance strategy for digital operations, and implementing it.
- Notify the relevant authorities about major ICT-related incidents and significant cyber threats: harmonizing notifications about ICT-related incidents is a central part of the DORA Directive, which describes in detail the methods for sending key information to the ESAs (European Supervisory Authorities) such as the EBA, EIOPA and ESMA.
Notifications include all the data that the relevant authorities need to determine the scale of the major ICT-related incident and evaluate any cross-border effects. Financial entities can also notify the relevant ESAs voluntarily about significant cyber threats, in situations where they believe that the threat pertains to the financial system, service users or clients.
- Test digital operational resilience: in order to assess preparedness for ICT-related incidents, identify weaknesses, deficiencies or gaps in digital operational resilience, and promptly implement corrective measures, financial entities must establish a digital operational resilience testing programme under which systematic testing takes place annually.
DORA requires financial services firms to include all third-party service providers (TPPs) supporting critical or important functions (CIF) in their advanced testing. Therefore, companies should prepare for significant planning and mapping of third-party service providers and critical and important functions.
- Facilitate the sharing of information and intelligence on cyber threats and cyber vulnerabilities: the DORA Regulation incorporates mechanisms that empower financial companies to exchange information concerning cyber threats. “Information sharing contributes to increased awareness on cyber threats. This, in turn, enhances financial entities’ capacity to prevent threats from materializing into real incidents, and enables financial entities to better contain the effects of ICT-related incidents and recover more efficiently,” as articulated in the European text.
- Apply CTPP Supervisory Framework — the world’s first financial sector supervisory framework for third parties: financial entities must implement measures to ensure sound management of the risks linked to third-party providers of ICT services.
DORA significantly expands the role of the Joint Oversight Forum (JOF) formed by European supervisory authorities, relevant authorities, supervisors and independent experts.
Broad supervisory powers apply to third parties designated as critical (Critical Third-Party Provider, CTPP). Under these powers, the European supervisory authorities can evaluate the relevant providers, request adjustments to their security practices and impose sanctions on them if they do not comply with the supervisory authorities’ requests. This forces these providers to demonstrate that they can improve the resilience of the operations supporting financial companies, especially where critical and important financial operations are at stake.
The latest key updates related to DORA you might have missed
- ESAs deliver technical advice on DORA
On 29 September 2023, the ESAs delivered a joint response to a call for advice by the European Commission in respect of delegated acts under the Digital Operational Resilience Act (“DORA”) specifying further criteria for critical ICT third-party service providers (“CTPPs”) and determining oversight fees levied on such providers.
- Guidance for Financial Entities Within Scope of NIS 2 and DORA
On 18 September 2023, the European Commission issued a communication setting out guidelines on the application of Article 4 NIS 2 Directive (2022/2555) to financial entities that are also within the scope of DORA.
In relation to such entities, the provisions of DORA relating to: information and communication technology (“ICT”) risk management (Article 6); management of ICT-related incidents and major ICT-related incident reporting (Article 17); digital operational resilience testing (Article 24); information-sharing arrangements (Article 25); and ICT third-party risk (Article 28) shall apply, rather than the equivalent provisions under the NIS 2 Directive.
Now it is time for Financial Services firms to act
The European financial sector has until January 17, 2025, to prepare for the implementation of the Digital Operational Resilience Act. The task is significant, requiring thoroughness, resources, and, most importantly, time. Financial Services firms should prepare for increased supervisory engagement, including the supervisory frameworks their relevant authorities will develop as they use their new mandates to push firms to assess and enhance their operational resilience capabilities.
As many of the DORA’s new requirements will demand substantial investment in the governance, risk, and compliance framework around ICT, Cyber and TPRM functions, another key task for Financial Services firms is to identify capabilities that will require investment/development.
Our experts keep on examining the implications of the DORA Directive for Financial Services firms and National Competent Authorities. Stay tuned as more expert recommendations are coming your way.