DORA: the forthcoming EU legal framework on Digital Operational Resilience in the financial sector
The rules on the use of information and communication technology ("ICT") in the financial sector were traditionally country- and institution-specific to a great extent and predominantly focused on the financial impact of ICT risks. Several recent EU legislative acts and guidelines of the European Banking Authority ("EBA"), the European Insurance and Occupational Pensions Authority ("EIOPA") and the European Securities and Markets Authority ("ESMA"), such as the 2021 Guidelines on ICT and security risk management and the cloud outsourcing guidelines, have brought about only a minimum harmonisation, and only in some parts of the financial sector. This will change significantly as a result of DORA, an EU-led initiative aimed at harmonising rules across the region and across the financial sector. It will also directly impact certain ICT service providers active in the financial sector.
DORA stands for "Digital Operational Resilience Act". The Act consists of an EU Regulation (and an accompanying EU amending directive) proposed by the European Commission in September 2020 as part of its digital finance package. DORA's main objective is to provide a single set of reinforced and overarching rules for financial entities concerning the use of ICT, in particular ICT risk management, security and business continuity, digital operational resilience testing and contracts with ICT service providers, as well as an oversight framework for critical ICT service providers.
A provisional agreement on DORA was reached in May 2022. On 10 November 2022, the European Parliament voted in favour of DORA. The final adoption of the regulation is expected by the end of this year or early next year at the latest. A two-year phase-in period applies. DORA is therefore expected to take effect by the end of 2024/early 2025.
Although most financial entities will already have some form of ICT risk management in place and will be familiar with some of the requirements flowing from DORA, a gap analysis is recommended in any case. Our expectation is that most, if not all, financial entities will have to update (at least in part) their ICT risk management framework and their contracts with ICT service providers to ensure compliance with DORA.
A. DORA's broad scope
DORA has a broad scope. It will apply to most entities engaged in financial services and regulated under an EU regime, including (but not limited to) credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings, managers of alternative investment funds and management companies (together, "financial entities"), as well as to ICT third-party service providers. Only limited exceptions apply.
DORA will notably apply to the use by financial entities of ICT services in a broad sense and is not limited to outsourcing arrangements. A wide range of technology-related contracts will therefore be impacted.
With respect to the applicability of DORA to ICT third-party service providers, we note that ICT third-party service providers that are considered critical for the financial sector will become subject to direct oversight by the European supervisory authorities. It is expected that big tech companies providing cloud services could be designated as critical. Critical providers will also have to comply with certain direct obligations under DORA. For instance, critical providers established in a third country that provide services to financial entities in the EU will be required to establish a subsidiary in the EU, so that effective oversight can be ensured.
B. How will DORA fit into the existing regulatory framework?
The proposed regulation seeks to codify many requirements (e.g. the reporting of major ICT-related incidents) that are currently covered for the most part by guidelines issued by EU and national authorities, such as the EBA. In addition, it extends those requirements to all financial entities covered by DORA (with only limited exceptions). According to some sources, the European Commission has confirmed that some existing guidelines will need to be amended or possibly repealed to reflect the requirements of DORA once its provisions enter into force. Regulatory technical standards are expected to further detail the requirements laid down in DORA; most of them are scheduled to be published during the two-year phase-in period.
We note in this context that DORA is not the only EU initiative dealing with ICT risks. The EU legislature is, for instance, finalising the second Network and Information Systems Directive (NIS 2), which provides a horizontal cybersecurity framework across various critical sectors. The NIS 2 Directive may also apply to certain financial entities (credit institutions, trading venues and central counterparties). The EU legislature has, however, designated DORA as a lex specialis for the financial sector and, accordingly, only part of the NIS 2 Directive will be relevant for those financial entities.
C. Main changes that DORA will bring
1. Third-party risk management
A general principle of proportionality will apply with respect to ICT third-party risk management, taking into account the scale, complexity and importance of ICT-related dependencies and risks that arise from the contractual arrangements in place with ICT third-party service providers. Subject to this principle, financial entities will have to:
- adopt and regularly review an ICT third-party risk strategy and maintain a register of information relating to all ICT third-party supply contracts;
- carry out risk assessments before entering into new contractual arrangements and only enter into contracts with ICT third-party service providers that comply with appropriate, high and up-to-date information security standards; and
- comply with various reporting obligations regarding arrangements with ICT third-party service providers.
DORA will regulate the contents of contractual arrangements concluded between ICT third-party service providers and financial entities. An additional layer of contractual provisions will be required where these arrangements support critical or important functions of a financial entity. Topics that will have to be addressed in the contracts include oversight of sub-outsourcing, data requirements (location, processing and protection), audit and access rights, termination rights and exit strategies. Although outsourcing arrangements governed by the existing guidelines on outsourcing should already cover similar topics, DORA may not fully align with those guidelines. Additional or different provisions may be required, for instance with respect to ICT testing and ICT incident reporting, in order for these arrangements to comply with DORA.
Moreover, as mentioned above, DORA's remit is not limited to outsourcing arrangements but extends to all contracts relating to ICT services. It is also noteworthy that DORA does not provide for grandfathering of existing contracts; both existing and new contracts relating to ICT services will therefore have to comply.
As the intragroup provision of ICT services will also be covered by DORA, contracts with group entities providing ICT services to financial entities located in the EU will also have to be reviewed and updated where necessary.
2. ICT governance, incidents and testing
DORA is not only about dealing with ICT third-party service providers. It also:
- includes requirements on governance and ICT risk management. Financial entities will have to review their internal organisation to ensure that ICT risks are addressed quickly, efficiently and comprehensively, with the management body bearing ultimate responsibility. A sound and comprehensive ICT risk management framework incorporating a digital operational resilience strategy will need to be documented;
- introduces a regulatory regime on how to manage, classify and report ICT-related incidents. Financial entities will have to carefully assess how to integrate these rules into the many existing reporting requirements. Although DORA attempts to streamline reporting on ICT-related incidents (for instance by incorporating into DORA the reporting regime under PSD2 for payment services providers), there will likely be additional reporting requirements under other regimes (such as the GDPR) that may overlap;
- requires most financial entities to establish, maintain and review a digital operational resilience testing programme under which independent parties (internal or external to the financial entity) test ICT tools and systems. The most significant financial entities will be required to carry out advanced testing by means of threat-led penetration testing (TLPT), which mimics the tactics, techniques and procedures of real-life cyber-attacks against live production systems; and
- establishes a framework in which financial entities may exchange cyber threat information and intelligence among themselves.
D. Entry into force and action required
The text adopted by the European Parliament specifies that the regulation's provisions will start to apply two years after it enters into force. If DORA is adopted by the end of this year or early next year, DORA will thus become applicable by the end of 2024 or early 2025.
Regulated professionals operating in the financial sector need to ascertain whether DORA applies to them and, if so, are advised to start preparing for its implementation.
In this respect, the two-year period granted by the regulation before its provisions take effect will not be overly generous for starting, running and finalising internal projects aimed at DORA compliance, especially given the need to involve multiple teams (at least the IT security, legal, compliance and risk management teams, and management) and external counterparties. As mentioned above, although most financial entities will already have some form of ICT risk management in place, and the larger financial entities may already be familiar with the rules ensuing from DORA, a gap analysis is recommended in any case to identify the areas in which action is required to ensure compliance with DORA. Furthermore, all financial entities in scope of DORA will have to monitor the regulatory technical standards that will further define key requirements in DORA.