Understanding the EU Digital Operational Resilience Act (DORA) applicable to financial entities
The Digital Operational Resilience Act, Regulation (EU) 2022/2554 (DORA), is an EU regulation aimed at ensuring the operational resilience of in-scope financial entities against ICT-related incidents. An ICT-related incident is a single event, or a series of linked events, unplanned by the financial entity that compromises the security of its network and information systems and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services the financial entity provides.
Building on the Commission's 2018 FinTech Action Plan and adopted as part of its 2020 Digital Finance Package, which seeks to foster a competitive and innovative financial sector, DORA establishes harmonised rules for maintaining financial stability and market integrity in the digital era. The Regulation is intended to safeguard technological security, enable swift recovery from ICT disruptions and ensure the continuous provision of financial services across the European Union, thus preserving consumer and market confidence.
DORA is a transformative regulation aimed at bolstering the digital operational resilience of the EU’s financial sector. By mandating comprehensive ICT risk management, incident reporting, and third-party oversight, DORA seeks to protect financial stability in an increasingly digital world. Compliance with DORA is essential for financial entities to meet regulatory requirements and enhance their operational resilience and cybersecurity defence.
Scope of Application
DORA applies to a wide array of financial entities, including credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers (CASPs) authorised under the Markets in Crypto-Assets Regulation (EU) 2023/1114 (MiCAR) and issuers of asset-referenced tokens, central securities depositories (CSDs), central counterparties (CCPs), trading venues, trade repositories, alternative investment fund managers (AIFMs), management companies, data reporting service providers, insurance and reinsurance undertakings, insurance, reinsurance and ancillary insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories. Statutory auditors and audit firms are not in scope; the Regulation only requires the Commission to review whether they should be included at a later stage. DORA also extends to ICT third-party service providers that offer ICT services to financial entities.
Despite its extensive coverage, DORA incorporates proportionality so that the regulatory burden matches the size and risk profile of each entity. Microenterprises are exempt from a number of requirements, and small and non-interconnected investment firms, payment institutions and electronic money institutions benefiting from exemptions under their sectoral legislation, and small institutions for occupational retirement provision may apply a simplified ICT risk management framework. Additionally, advanced threat-led penetration testing (TLPT) is required only of financial entities identified by the competent authorities as significant enough, on the basis of their size, risk profile and systemic importance, to warrant it. This proportional approach ensures that while all relevant entities are covered, the regulatory expectations are scaled to their capabilities and risk exposures.
DORA also reaches beyond EU borders, affecting non-EU ICT service providers that supply ICT services to EU financial entities. A provider established in a third country that is designated as critical must establish a subsidiary in the EU within 12 months of its designation in order to be subject to oversight. This ensures that the supply chain, including external ICT service providers, adheres to a consistent level of cybersecurity and operational resilience.
Key components of DORA
Digital operational resilience is defined as the ability of a financial entity to build, assure, and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.
ICT Risk Management
Financial entities are required to set up and maintain an ICT risk management framework, with responsibility resting on the management body, and to implement policies and procedures for managing ICT risks. This includes identifying and classifying ICT assets and dependencies, conducting regular risk assessments, managing vulnerabilities and patches, and securing ICT systems. The framework must cover the identification of ICT risk, protection and prevention, detection of anomalous activity, response and recovery, backup and restoration, and learning from incidents, so that the entity can identify, protect against, detect, respond to and recover from ICT incidents. Effective ICT risk management ensures the continued provision of financial services and maintains the operational integrity of financial entities.
Incident Reporting
DORA requires financial entities to establish processes for detecting, managing and classifying ICT-related incidents and for reporting major ICT-related incidents to their competent authority, using an initial notification, an intermediate report and a final report. Significant cyber threats may be notified on a voluntary basis. The classification criteria and thresholds, and the content and format of the reports, are set out in technical standards. The goal is to enhance transparency and facilitate the early identification and mitigation of systemic risks, thereby improving the overall resilience of the financial sector.
Third-Party Risk Management
DORA places a strong emphasis on managing risks associated with ICT third-party service providers. Financial entities must perform thorough due diligence before engaging a provider, assess concentration risk and subcontracting chains, and ensure that the contractual arrangements contain the provisions DORA requires, such as service level descriptions, audit and access rights, incident assistance, and termination and exit rights. They must also maintain a register of information on all contractual arrangements for ICT services and make it available to the competent authority on request. Continuous monitoring of the services provided is essential to manage risks effectively and to ensure that these services do not compromise the operational resilience of the financial entity.
Information Sharing
The Regulation encourages financial entities to exchange cyber threat information and intelligence among themselves, within trusted communities of financial entities, under arrangements that protect the sensitivity of the information shared and comply with data protection and competition rules. Financial entities must notify their competent authority when they join or leave such an arrangement. By sharing information on threats, indicators of compromise, tactics and techniques, vulnerabilities and incidents, the participants can build a collective defence, which is vital for proactively addressing emerging threats and enhancing the overall security posture of the financial sector.
Testing and Resilience
Regular testing of ICT systems is mandated under DORA to ensure resilience against disruptions and cyber threats. Financial entities must run a risk-based digital operational resilience testing programme that includes vulnerability assessments and scans, network security assessments, gap analyses, source code reviews where feasible, scenario-based tests, end-to-end testing and penetration testing, with ICT systems supporting critical or important functions tested at least yearly. Financial entities identified for the purpose must in addition carry out threat-led penetration testing at least every three years. Testing and improving business continuity and disaster recovery plans are also required, so that critical operations can continue during disruptions.
Implementation and Compliance
DORA applies from 17 January 2025. The detailed requirements are elaborated in regulatory and implementing technical standards developed by the European Supervisory Authorities and adopted by the Commission, together with guidelines, to help entities implement the required measures effectively. National competent authorities supervise compliance and may impose penalties for non-compliance.
The administrative penalties and remedial measures available against financial entities are laid down by each Member State and are determined according to the severity and nature of the breach. Competent authorities may also impose other corrective measures, including requiring specific actions to remedy the breach and restricting or prohibiting certain activities until compliance is achieved. Critical ICT third-party service providers that fail to comply with the Lead Overseer's measures may be subject to periodic penalty payments of up to 1% of their average daily worldwide turnover for up to six months.
Delegated Acts Under DORA
To further elaborate on the requirements and ensure effective implementation, several delegated acts have been adopted by the EU Commission under DORA including, among others, the following:
Delegated Regulation regarding criteria for critical ICT third-party service providers: this delegated regulation specifies the criteria for designating ICT third-party service providers as critical, including the systemic impact a failure of the provider would have, the systemic importance of the financial entities that rely on it, their reliance on the provider for critical or important functions, and the degree to which the provider can be substituted.
Delegated Regulation regarding Regulatory Technical Standards on ICT risk management tools and policies: This Delegated Regulation establishes detailed regulatory technical standards for ICT risk management tools, methods, processes, and policies. These standards ensure consistent and high levels of cybersecurity across the financial sector.
Delegated Regulation regarding incident classification and reporting: this delegated regulation sets out the criteria and materiality thresholds for classifying ICT-related incidents as major and cyber threats as significant. Related technical standards detail the content, format and deadlines of the initial notification, intermediate report and final report that financial entities must submit to their competent authority.
Delegated Regulation regarding oversight fees: to fund the oversight framework, this delegated regulation sets out how the Lead Overseer (the European Supervisory Authority appointed for each critical ICT third-party service provider) calculates and charges fees to the providers it oversees. These fees cover the costs incurred in conducting oversight tasks.
Benefits of DORA
DORA brings numerous benefits to the financial sector. By standardising ICT risk management practices, it enhances the resilience of financial systems against disruptions. Structured incident reporting and response mechanisms ensure quicker recovery from ICT incidents. Effective management of third-party risks reduces potential service disruptions caused by external providers. Furthermore, information sharing fosters a collective defence against cyber threats, improving the overall security posture of the financial sector.
Challenges in Implementation
Implementing DORA presents several challenges. Significant investment in ICT infrastructure, tooling and training is required. Robust mechanisms for continuous monitoring, incident classification and reporting within the prescribed deadlines must be established. Ensuring compliance among ICT third-party service providers and their subcontractors requires diligent oversight and coordination, and existing contractual arrangements with those providers must be reviewed and amended to include the provisions DORA requires.
More Information
Aptus Legal offers comprehensive support for DORA compliance by providing expert guidance on regulatory requirements, developing tailored ICT risk management strategies, and establishing robust incident reporting protocols. We assist with drafting and negotiating contractual arrangements with ICT third-party service providers to ensure they comply with DORA standards.
For more information, please contact Aptus Legal by email at info@aptuslegal.com.