The DORA framework introduces rules designed to ensure that financial entities can withstand and recover from technology issues such as cyber events and technical failures. DORA’s primary focus, as articulated in the preamble, is to mitigate systemic vulnerabilities across the entire financial system which exist due to the “high level of interconnectedness across financial entities, financial markets and financial market infrastructures, and particularly the interdependencies of their ICT systems”. Preserving consumer trust and confidence is also at the heart of the reforms.
DORA establishes uniform requirements for the security of the network and information systems of in-scope financial entities and, crucially, also regulates “critical” ICT third-party service providers themselves. DORA forms part of the EU’s Digital Finance Package, which sets out a digital finance strategy and legislative proposals for a competitive EU financial sector that aims to provide consumers with access to innovative financial products, while ensuring consumer protection and financial stability. Notably, whereas current operational resilience regulations concern “outsourcing” arrangements, DORA regulates more broadly “the use of ICT services”, which widens the scope of third-party arrangements that are subject to regulation.
In-scope Financial Entities
The first chapter of DORA lists the types of entities that DORA will apply to. These include:
- account information service providers;
- electronic money institutions;
- crypto-asset service providers;
- central securities depositories;
- managers of alternative investment funds;
- data reporting service providers;
- insurance and reinsurance undertakings;
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
- institutions for occupational retirement provision;
- credit rating agencies;
- administrators of critical benchmarks;
- crowdfunding service providers;
- securitisation repositories; and
- ICT third-party service providers (“ITSPs”).
Notably, this includes entities that are currently out of scope under the existing EBA Outsourcing Guidelines, such as crypto-asset service providers, insurance and reinsurance companies and ITSPs.
Principle of proportionality
Chapter 1 of DORA endorses the “proportionality principle” which is established in existing regulations including the EBA Outsourcing Guidelines. This means that financial entities must implement the rules in a way that is proportionate to their size, nature, scale and the complexity of their services, activities and operations, as well as their overall risk profile. National regulatory authorities, in turn, must consider the proportionality principle when performing their duties.
The 5 pillars of DORA
The DORA framework is structured within five pillars:
- ICT Risk Management
  - Similar to the existing requirements under the EBA Guidelines on ICT and security risk management (“EBA ICT Risk Guidelines”), Chapter 2 of DORA sets out the obligation on the management body of a financial entity to manage its ICT risk by implementing an “ICT risk management framework”. This will need to be documented and reviewed at least once per year, continuously improved and subject to internal audit.
  - The ICT risk management framework should, amongst other things, cover: measures to ensure the protection of ICT systems; mechanisms to detect anomalous activities (with testing); and appropriate ICT business continuity plans, notably with regard to critical or important functions.
  - Draft Level 2 regulatory technical standards set out further detail on ICT risk management tools, methods, processes and policies that financial entities can implement. These are currently being consulted on, with the final draft expected to be published by 17 January 2024.
- ICT-related Incident Management, Classification and Reporting
  Under DORA, financial entities will be required to have an ICT-related incident management process to detect, manage and notify ICT-related incidents.
  - Management of incidents: financial entities are required to have an ICT-related incident management process under DORA which will need to, amongst other things: put in place early warning indicators; establish procedures to identify, track, log, categorise and classify ICT-related incidents; assign roles and responsibilities for different ICT-related incident types and scenarios; set out plans for communication to internal and external stakeholders; and mitigate impacts and ensure that services become operational and secure in a timely manner.
  - Classification of incidents: financial entities will need to classify ICT-related incidents according to their priority and severity and determine their impact in accordance with criteria specified in DORA. This is different from the existing classification requirements under the EBA ICT Risk Guidelines, which require incidents to be classified according to “a priority, based on business criticality” as opposed to specified criteria. The classification criteria under DORA have been further specified in the consultation for the draft Level 2 regulatory technical standards.
  - Reporting regime: DORA creates a harmonised reporting regime for financial entities regarding ICT-related incidents, overriding other existing reporting requirements. Under DORA, financial entities will be required to report “major ICT-related incidents” to the relevant competent authority. The draft Level 2 regulatory technical standards specify the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents.
- Digital Operational Resilience Testing
  - Financial entities will be required to have a digital operational resilience testing programme as part of their ICT risk management framework. This should provide for the execution of appropriate tests, which may include vulnerability assessments and scans, open source analyses, network and physical security assessments, gap analyses, scanning software solutions, source code reviews (where feasible), end-to-end testing and penetration testing.
  - Some financial entities (as selected by the applicable local regulator) will be expected to conduct threat-led penetration testing (“TLPT”) at least once every three years on several or all critical or important functions, as well as on live production systems. DORA imposes various risk management controls regarding TLPT in relation to the financial entity, the tester and any ITSPs.
- ICT Third-Party Risk (Section 1) and Oversight Framework (Section 2)
  - Managing ICT Third-Party Risk: Chapter 5 of DORA sets out the actions financial entities will need to take prior to entering into a contract for the provision of ICT services. This includes assessing whether it covers critical or important functions, assessing the risks, assessing whether supervisory conditions are met, undertaking due diligence and assessing conflicts of interest.
  - Key Contractual Requirements: In Chapter 5, DORA requires all contracts for the provision of ICT services to financial entities to contain certain contractual provisions. The contractual requirements vary depending on whether they apply to all contractual arrangements on the use of ICT services, or only to contractual arrangements for the provision of ICT services supporting critical or important functions. The contractual requirements are broadly aligned with the requirements set out in the EBA Outsourcing Guidelines, except that they are, in some respects, more granular.
  - Oversight Framework: Chapter 5 introduces the new concept of an oversight framework, which does not exist under existing outsourcing regulations. ITSPs that are designated as “critical” will be subjected to additional regulatory scrutiny through an “oversight framework”, overseen by the European Supervisory Authorities (i.e. the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority) (“ESAs”). The oversight framework empowers the ESAs to request information from, investigate, inspect (for example, to assess the critical ITSP’s physical security, risk management processes and governance arrangements) and issue recommendations and penalties (up to 1% of annual worldwide turnover) to critical ITSPs.
- Information sharing
  Chapter 6 of DORA provides for financial entities to exchange amongst themselves cyber threat information and intelligence. The purpose of this is to enhance the digital operational resilience of financial entities, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats’ ability to spread, and supporting defence capabilities, threat detection techniques, mitigation strategies or response and recovery stages. DORA also intends for such sharing to take place within trusted communities of financial entities and for the potentially sensitive nature of the information shared to be protected. There is capacity for public authority involvement in these sharing arrangements, and financial entities will be required to notify competent authorities of their participation in such information-sharing arrangements.
Key Takeaways for Financial Entities
- Scope of Entities: Firms which are currently not in scope of the EBA Outsourcing Guidelines should consider whether they now fall within scope of DORA, and if so, consider how they can ensure their compliance with the new rules under DORA.
- New Governance Requirements: Financial entities will need to undertake a gap analysis in respect of new DORA requirements and existing outsourcing regulations and update their internal policies and procedures governing their outsourcing operations, to be in line with the new governance requirements DORA introduces, e.g. in relation to classification of incidents, reporting of major ICT-related incidents, and digital operational resilience testing.
- Remediation of Contracts: Some contractual requirements, currently only applicable to critical outsourcing arrangements under the EBA Outsourcing Guidelines, will now be applicable to all ICT services (regardless of how critical they are). As a result, financial entities will need to consider which supplier contracts, previously deemed as non-critical outsourcing arrangements under the EBA Outsourcing Guidelines, will now fall within scope of DORA’s contractual requirements and therefore require remediation. DORA also introduces new contractual requirements which are not contained in the EBA Outsourcing Guidelines. Financial entities will need to consider which supplier contracts will need to undergo an uplift, to incorporate these additional contractual requirements.
Key Takeaways for ITSPs
- New Oversight Framework: DORA subjects ITSPs that are designated as “critical” to an oversight framework overseen by the European Supervisory Authorities (i.e. the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority) (“ESAs”). The oversight framework empowers the ESAs to request information from, investigate and inspect critical ITSPs. ITSPs will be designated as critical if they do not fall within certain exceptions and meet the designation criteria under DORA. These criteria have been further specified in a consultation on a draft proposed delegated act. ITSPs will not be designated as critical until this delegated act has been adopted.
- Actions Upon “Critical” Designation: If designated as critical, an ITSP will need to: set up a subsidiary in an EU Member State (if not already) within 12 months of its designation as critical, and notify all the financial entities it provides services to, that it has been designated as critical.
- New Contractual Requirements: ITSPs should consider what updates to their policies and procedures will be required in light of the key contractual requirements for the provision of ICT services to financial entities. In particular, ITSPs should consider how the more stringent contractual requirements, which apply to a financial entity’s critical or important functions, will impact them. These additional requirements relate to, amongst other things, sub-outsourcing, audit and exit strategies.
The UK approach to regulating the use of critical third parties
The UK has introduced a regime to regulate ‘critical third parties’ (“CTPs”). The UK Financial Services and Markets Act (“FSMA”) grants HM Treasury the power to designate as critical those service providers that provide services to firms and financial market infrastructure entities. Under this regime, financial services regulators would have the power to impose duties on the service providers designated as CTPs. On 7 December 2023, the FCA, PRA and Bank of England published Consultation Paper CP26/23 on the proposed regime. There are interesting comparisons that can be drawn between this regime and DORA’s approach to regulating the EU equivalent of CTPs.
DORA entered into force on 16 January 2023. DORA will now have a 24-month implementation period, during which Level 2 technical standards and delegated acts will be developed by the ESAs, setting out more detailed rules on the application of DORA. Financial entities should be fully DORA compliant by 17 January 2025.
This article is part one of a series of articles on the topic of DORA. Part 2 will give insights on the Level 2 Regulation. We will be following the consultation of DORA very closely. Please get in touch with us if you have any questions or would like to discuss.
Authored by John Salmon, Louise Crawford, Bianca Okoye, and Joseph Scott.