On 24 September 2020, the European Commission published its legislative proposal for the Digital Operational Resilience Act (DORA). DORA is intended to strengthen the operational resilience of the financial services sector and to ensure that ICT systems in that sector remain reliable under disruption. At the time of writing, the regulation is expected to enter into force in 2022.
Background and goals of DORA
The existing EU legal framework for ICT risk and operational resilience in the financial sector is fragmented and inconsistent. Each EU member state has its own rules, standards and requirements, which often do not take sufficient account of ICT risk, and the resulting patchwork imposes a high financial and administrative burden on companies operating across borders. At the same time, the financial sector is heavily dependent on information and communication technology, and this dependency makes financial companies particularly exposed to cyber attacks.
DORA also aims to ensure that all financial sector actors have the necessary security measures in place to prevent or mitigate ICT-related cyber attacks and other incidents.
The core objectives of DORA are:
By harmonising rules and standards for ICT risk and operational resilience, the burden on financial companies and their service providers is significantly reduced. DORA also harmonises the classification of ICT incidents and the reporting process, so that threats are detected and escalated early and consistently across the sector.
DORA is intended to ensure that financial companies and service providers take all necessary measures to protect themselves against cyber threats. The focus is on ICT risk management, the regular performance of penetration tests, and the control and monitoring of third-party ICT providers.
DORA also makes it possible for supervisory authorities to directly oversee critical ICT service providers that work for financial institutions.
Institutions and companies concerned
According to the proposal, the DORA obligations would apply to all financial undertakings regulated at EU level: credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, alternative investment fund managers, management companies, insurance undertakings and intermediaries, credit rating agencies, audit firms, occupational pension institutions, central securities depositories, trade repositories and securitisation repositories, as well as crowdfunding service providers.
DORA is not limited to regulated companies in the financial sector. The second part of DORA would affect companies that provide ICT services to these financial companies and create a level playing field for them. Third-party ICT service providers such as providers of cloud computing services, software, data analytics and data centres are therefore also affected by the draft law.
Focus of DORA
ICT risk management framework and governance
Financial firms need to establish and maintain a sound, comprehensive and well-documented ICT risk management framework. This must include dedicated business continuity management (BCM), emergency and recovery plans, and a communication policy for incidents. In addition, financial institutions must use and maintain ICT systems that meet specific requirements and allow them to promptly detect anomalous activity, continuously identify all sources of ICT risk, design and implement protection and prevention measures, and activate response and recovery measures without delay.
Incident reporting and information sharing
The reporting of ICT-related incidents will be extended to sectors that are not currently covered. Reporting will be simplified with common templates, timeframes and a single point of reporting. Financial institutions must classify ICT-related incidents according to harmonised criteria and report “major” incidents to their competent authority. In addition, the proposal promotes cooperation among financial firms on sharing information and intelligence about cyber threats.
Management of ICT third party risk
This part builds on the existing EBA outsourcing requirements and requires companies to expand their register of information to cover all contractual arrangements with ICT third-party providers, not only those classified as outsourcing. DORA imposes substantive requirements on contracts between financial companies and third-party ICT providers, including the locations where data is processed, descriptions of the required service levels, reporting obligations, audit and access rights, and the circumstances under which such contracts must be terminated.
Operational resilience testing
Financial institutions will be required to have their digital operational resilience tested regularly by independent internal or external parties. The ICT risk management framework must also include a comprehensive digital operational resilience testing programme, proportionate to the size and risk profile of the institution. This programme should include a range of assessments, tests, methods, practices and tools, together with procedures and policies for prioritising and classifying the deficiencies found and for ensuring that all of them are fully remediated. The European Banking Federation (EBF) recommends that companies be allowed to test their most critical systems and applications on a risk-based basis.
DORA enables financial companies to share information and intelligence about cyber threats with each other in order to strengthen digital operational resilience. This covers indicators of compromise, tactics, techniques and procedures (TTPs), cyber security alerts and security configuration tools.
Potential fields of action
ICT risk framework
Assessment of the existing ICT risk strategy, policies, procedures and tools against the DORA framework requirements, including a review of roles and responsibilities.
Testing – ‘basic’
Review of the scope and coverage of the existing digital operational resilience testing programme against the DORA requirements.
Testing – ‘advanced’
Further evaluation of the scope of threat-led penetration tests (comparable to CBEST and TIBER) against the DORA specifications.
‘Critical’ ICT third party status
Use the ongoing work on the register of information for all ICT third-party providers, already required under the EBA Guidelines on outsourcing arrangements, as the basis for identifying which providers are likely to be designated “critical” under DORA.
Conduct an assessment of the DORA requirements, including a gap analysis of the current state and a remediation plan for meeting the requirements.