Digital operational resilience for the financial sector and beyond

After provisional agreement was reached on the proposed regulation, financial services firms and their ICT providers must get ready to comply.

30 January 2023


Introduction

Two years after the first draft, the European regulation on digital operational resilience for the financial sector (DORA) was finally adopted on 28 November 2022 as Regulation 2022/2554. The Regulation applies from 17 January 2025, giving stakeholders time to prepare. The full text is available here.

The Regulation is part of the Commission's wider "Digital Finance Package", which also includes:

  • a proposed regulation on markets in crypto assets (MiCA), on which provisional agreement was reached on 30 June 2022;
  • a pilot regime on distributed ledger technology market infrastructure; and
  • a proposed Directive to clarify or amend existing EU financial services legislation such as UCITS, MiFID2, and AIFMD.

The Commission has stated that the package is intended to boost the EU's competitiveness and innovation in the financial sector.

The Commission has introduced the Regulation as it is concerned about the operational resilience of a financial sector increasingly reliant on information and communications technology (ICT). The Commission wants the EU to have the correct rules to ensure the financial sector can withstand security threats and that third-party service providers are being adequately monitored.

The Regulation has broad application, covering not just banks but also payment institutions, electronic money institutions, investment firms, crypto-asset service providers, trading venues, management companies including UCITS, data reporting service providers, insurance and reinsurance undertakings, intermediaries, pension providers, credit rating agencies and audit firms, among others. The provisional agreement did, however, introduce certain limited exemptions (e.g. small insurance or reinsurance companies and very small institutions for occupational retirement provision).

In a major development, the Regulation also subjects some ICT third-party service providers to direct oversight (but not supervision) by the European Supervisory Authorities (ESAs), namely the EBA, ESMA and EIOPA. The latest version of the Regulation also takes into account the situation where the ICT provider is controlled by a financial institution (an intragroup relationship).

Consistent with the principle of proportionality, the Regulation doesn't apply equally to all entities. Microenterprises, defined as those with under 50 employees and an annual turnover and/or balance sheet total of up to €10m, will not have to comply with the more onerous requirements such as those on governance, dedicated management functions, BCPs and recovery and resolution plans. Significant financial institutions will have greater responsibilities than others and will be required to conduct threat-led penetration tests with a qualified red team.

The Regulation is split into six key chapters:

  • Governance (Article 4) and ICT Risk Management (Articles 5 to 14a);
  • ICT-Related Incidents - Management, Classification and Reporting (Articles 15 to 20a);
  • Digital Operational Resilience Testing (Articles 21 to 24);
  • Managing ICT Third Party Risk (Articles 25 to 39);
  • Information Sharing Arrangements (Article 40); and
  • Competent Authorities - rights and obligations conferred upon competent authorities.

In its scope, the Regulation bears many similarities to the Basel Committee's consultation "Principles for operational resilience" (the Basel Principles). Yet it is also narrower; in particular it focuses on "digital" operational resilience and does not require firms to look at all resources needed to deliver services, as Basel does and as the UK regulators do in their proposed operational resilience package.

Governance

Consistent with the draft Basel Principles, section 1 of Chapter II of the Regulation requires the firm's management board to define an ICT risk framework and then ensure measures are implemented to give effect to that framework. That framework is to include an appropriate tolerance for ICT risk. The Commission expects the firms' management bodies to maintain a crucial, active role in steering the ICT risk management framework.

ICT Risk Management

The second section of Chapter II gives further details on what "a sound, comprehensive and well-documented ICT risk management framework" might comprise. The desired outcome is that firms implementing the measures within the framework would be able to "address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience that matches their business needs, size and complexity."

Firms' ICT risk management framework should include strategies, policies, procedures, ICT protocols and tools to protect physical infrastructure and minimise ICT risk. This includes the implementation of disaster recovery plans and ensuring the firm's ICT infrastructure can handle adverse situations, is appropriate and reliable, has sufficient capacity and can detect anomalies. The ICT systems used by these financial entities need to meet recognised international standards. There is also a requirement for continuous:

  • monitoring of all sources of ICT risk (in particular the risk exposure to and from other financial entities); and
  • assessments of cyber threats and ICT vulnerabilities.

Finally, the ICT risk management framework should be reviewed and audited on a regular basis.

The Regulation requires firms to establish and implement a management process to monitor and log ICT-related incidents. Firms must then classify these incidents based on criteria detailed in the Regulation. Incidents qualifying as "major" must be reported to the relevant authorities. Regulatory Technical Standards (RTS), jointly developed by the ESAs in consultation with the ECB and ENISA, will provide further details on what qualifies as a "major" incident, looking at factors such as:

  • the number of users affected;
  • reputational impact;
  • duration including service downtime;
  • geographical spread;
  • data losses;
  • severity of the impact on the financial entity's ICT systems including the criticality of the services affected; and
  • the economic impact.

Other significant cyber threats can be notified on a voluntary basis.

Digital Operational Resilience Testing

Firms will have to test their capabilities and functions on a regular basis and at least annually. This includes testing for preparedness and identification of weaknesses, deficiencies or gaps, as well as the prompt implementation of corrective measures. For significant and cyber-mature entities there is a further obligation in Article 23 to conduct advanced threat-led penetration testing. This testing must be conducted every three years, covers the critical functions and services of the financial entity, and is performed on the live production systems supporting those functions.

Managing ICT Third Party Risk

Chapter V of the Regulation requires firms to monitor ICT third-party risk effectively. It sets out eleven principles that financial entities will have to follow to manage third-party risks. These principles (which overlap with requirements under the EBA Guidelines on Outsourcing and are consistent with the Basel Principles) cover wide ranging areas including contractual arrangements, adoption of strategies, inspection and audit rights, maintenance of a register of third-party service providers, and implementation of exit strategies (including conditions when contracts must be terminated). However, the Regulation pointedly does not confine itself to arrangements that qualify as "outsourcing" or "material outsourcing".

The Regulation also imposes minimum contractual terms which are deemed crucial to enable financial entities to monitor ICT third-party risk and enables the regulators to suggest standardised contractual terms.

Crucially, and similar to the EBA Outsourcing Guidelines, it requires firms to maintain a Register of Information on their use of third-party ICT service providers, not just at the individual firm level but also at consolidated and sub-consolidated levels. The Registers must be available for inspection by the regulator. These requirements will be further supplemented by another RTS. To that extent, the accountability requirements of the GDPR should cover those of DORA, except that the format of the register will be the one published by the ESAs. This is the kind of competing requirement, arising from the overlap of different regulations, that the latest version of DORA tried to reduce, though clearly with many gaps remaining.

Probably the most important inclusion in the Regulation is the extension of oversight to critical ICT service providers. The proposal is that if an ICT service provider is considered "critical" for financial entities, then a "Lead Overseer" will be appointed from among the ESAs. Whether a service provider is "critical" will depend on factors such as its potential systemic impact, how widely it is used, the extent to which it is substitutable and its geographical reach. The Lead Overseer will assess whether the critical ICT service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks that it may pose to financial entities.

The Lead Overseer will have extensive powers to carry out its duties, and critical ICT service providers are required to cooperate with and assist the Lead Overseer. If a critical ICT service provider does not comply, the Lead Overseer may impose a periodic penalty payment to compel compliance. The periodic penalty payment is imposed on a daily basis until compliance is achieved (for a maximum of six months). The amount of the periodic penalty payment is proposed to be 1% of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year.

Importantly, this is an oversight rather than a supervision/licensing regime; the latter, which would have required the establishment of a new European regulator, was also considered by the Commission but rejected based on feedback received from the initial consultation.

Information Sharing Arrangements

The Regulation allows financial entities to share information among themselves if it relates to cyber threat information and intelligence. This includes indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools. The aim of this Chapter is to enhance the digital operational resilience of financial entities, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats' ability to spread, supporting financial entities' range of defensive capabilities, threat detection techniques, mitigation strategies or response and recovery stages.

Competent Authorities

The Regulation does not establish a new regulator or centralised body to ensure compliance with these rules. Instead the existing ESAs, with extended resources, will enforce the rules and be granted new powers to enable enforcement. The Regulation endows the pre-existing "Joint Committee" with new cooperation missions.

Conclusion

This is a sweeping Regulation that applies to most of the European financial sector. Although its requirements are extensive, it builds on concepts already familiar to financial services firms.

In certain jurisdictions, such as France, the current requirements, especially on the ICT provider's side, are still not met according to the national prudential authority (ACPR) (see the public statement here), so an even greater effort will be needed to meet DORA's new requirements.

The new oversight requirements on ICT service providers, along with penalties of up to 1% of the average daily worldwide turnover of a failing critical ICT third-party service provider in the preceding business year, will mark a dramatic change of practice and behaviour on their side. However, there is a view that the existing requirements on regulated financial institutions to include audit and access rights in outsourcing agreements are not enough, and the Commission is keen to oversee the sector more consistently.
