The Digital Operational Resilience Act (DORA) framework seeks to harmonise, update and extend the currently fragmented rules on ICT risks that apply to certain financial institutions, such as banks and insurers, to virtually all types of financial institutions. All financials within the scope of DORA will have to put in place sufficient safeguards to protect against cyber and other ICT risks, both from an internal (governance and risk management) perspective as well as from an external (contracting) perspective. DORA will become applicable in exactly one year from now. We will start the countdown to 17 January 2025 with three key aspects of DORA.
1. Far-reaching scope: DORA applies to virtually all financial entities, and covers essentially all ICT risks and services
As part of the Digital finance package, DORA covers almost all financial institutions regulated in the EU. Banks, insurance companies, investment firms, payment institutions, investment fund managers, pension funds, crypto-asset service providers, insurance intermediaries, central counterparties (CCPs), central securities depositories (CSDs) and crowdfunding service providers are all included. There are only a few exceptions. This highlights DORA's role in establishing a unified regulatory approach to digital resilience across the EU financial sector. While the larger institutions are already familiar with ICT-risk supervision, DORA introduces new requirements for both these larger institutions as well as the other institutions within the scope of DORA. It is worth noting that, although not explicitly stated, the scope of DORA extends to non-EU branches of EU-based financial entities. Furthermore, DORA will apply in an intragroup setting in a largely similar manner as it will apply to financial entities’ relationships with third party service providers.
The requirements introduced by DORA are also broad in scope. The regulation covers a wide range of ICT-related topics and uses broad definitions, resulting in an extensive impact. As a result of these definitions, DORA will apply not only to cybersecurity risks, but to all ICT risks, including physical ICT risks. In seeking to mitigate risks arising from the use of service providers, all ICT services (excluding true ‘one-offs’ and analogue telephone services) and all contracts related to these services will have to comply with the DORA standards on third-party risk management. These standards are clearly inspired by existing outsourcing guidelines: EBA outsourcing guidelines, ESMA cloud outsourcing guidelines and EIOPA cloud outsourcing guidelines. They extend to any ICT contract, whether outsourcing or not, and include existing contracts.
2. Governance: the management body bears ultimate responsibility for managing ICT risks
DORA requires financial entities to fulfil various internal and external requirements. One of the main requirements is to ensure the effective and prudent management of ICT risks. To this end, DORA requires the management body to define, approve and oversee the implementation of all arrangements related to ICT risk management. This responsibility comprises setting clear roles for all ICT-related functions, approving and reviewing ICT-related policies, audits and budgets, and putting in place reporting channels so that it is duly informed of arrangements with third-party service providers and of major incidents. It is not only the management body in its executive/management function that is subject to these requirements: the management body also includes the non-executive directors in one-tier boards and the supervisory board in two-tier set-ups.
This underscores the importance of cybersecurity and ICT risks as a boardroom topic, reinforcing the trend that technology or ICT expertise is increasingly seen as vital at the highest levels of management. While the management body can delegate tasks, the ultimate responsibility and accountability remains with them. The management body is expected to play an active role in implementing the ICT risk management framework. Finally, all members of the management body have to follow regular specific training in order to maintain sufficient knowledge and skills to understand and assess ICT risks and their impact on the operations.
3. Third party risks: detailed requirements for new and existing contracts with ICT service providers are introduced
DORA emphasises the need for comprehensive management of risks arising from the use of third-party ICT service providers (including intra-group services). Financial entities will be required to implement third-party ICT risk management strategies and policies, conduct due diligence on potential service providers, and ensure that contractual arrangements include provisions for (among other things) termination rights, data protection, cooperation with regulators and, for critical or important functions, audit rights and exit strategies. Furthermore, financial entities will be required to maintain detailed registers of the contractual arrangements entered into.
These requirements are inspired by, but not identical to, the requirements contained in existing outsourcing guidelines that apply to certain financial institutions. A key difference is that the existing guidelines generally apply only to outsourcing contracts, whereas the DORA standards apply to all ICT contracts. Unfortunately, and contrary to these guidelines, DORA also does not distinguish between existing contracts and new contracts entered into after 17 January 2025. As it currently stands, all ICT contracts will have to comply as of 17 January 2025. It is widely expected that updating ICT contracts to comply with DORA will be the bottleneck to timely implementation. Consequently, there is no time to waste in developing a strategy for service provider outreach and drafting contractual provisions. Finally, and quite unprecedented in financial sector regulation, DORA empowers the European Supervisory Authorities to directly oversee designated ‘critical’ third-party service providers. However, the primary burden of implementing DORA in contractual arrangements with such service providers will remain with the financial entity.
Counting down to DORA blog series
- 17 May 2024: Mapping & classification of ICT services ‘supporting’ critical or important functions
- 11 April 2024: Governance of ICT risks and board member responsibility
- 14 March 2024: ICT services comparison with the ESMA and EBA outsourcing guidelines
- 17 February 2024: Mapping and classification of ICT services
- 17 January 2024: Counting down to DORA – three key aspects
- 8 December 2023: Comparison of ESMA outsourcing guidelines, EBA outsourcing guidelines and DORA
- 21 November 2022: The forthcoming EU legal framework on Digital Operational Resilience in the financial sector