On September 24, 2020, the European Commission published its proposal for a Digital Operational Resilience Act (DORA). The new rules, adopted by the European Parliament on November 10, 2022, harmonize and strengthen digital operational resilience requirements for the EU financial services industry.
The legislation builds on information and communication technology (ICT) risk management requirements already developed by other EU institutions and consolidates several recent EU initiatives into a single regulation. DORA aims to give EU financial regulators and supervisors a much clearer basis for broadening their scope of action, ensuring not only that firms remain financially resilient, but also that they can maintain resilient operations in the event of a severe operational disruption.
This article outlines the most important aspects of DORA, and the practical implications these reforms will have for businesses. These aspects include:
The DORA proposal comes at a time when regulators around the world are taking a closer look at how they can strengthen the operational resilience of the financial sector and its constituent firms.
However, based on the current text, we believe that companies should consider the following actions:
Regulators have been thinking for some time about how to manage the growing exposure of financial services (FS) firms to third-party service providers. The legislation allows a third-party ICT provider, such as a cloud service provider (CSP), to be designated as "critical" based on criteria such as the number and systemic importance of the financial entities that rely on it and the degree to which it can be substituted. Once designated as critical, the provider is overseen by one of the European Supervisory Authorities (ESAs) acting as Lead Overseer, which can conduct on-site and off-site inspections, issue recommendations and, most importantly, impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for non-compliance, or require financial sector firms to suspend or terminate their agreements with the critical third-party service provider.
Most financial services firms will welcome the introduction of an oversight framework, as it will give them greater legal certainty about what is permitted, as well as a degree of assurance about the security of their cloud assets. Overall, this will likely increase firms' confidence and willingness to move some of their business to the cloud, aided by the Commission's development of voluntary standard contractual clauses. However, firms may have to navigate potentially complex location rules, as EU firms will not be allowed to use the services of a third-party provider that is not "established" (meaning it has no commercial presence) in the EU but would be designated critical if it were.
The oversight framework for critical third-party service providers does not, however, remove or reduce financial services firms' own regulatory responsibilities with respect to their third-party providers. In line with existing EBA and EIOPA guidelines, DORA contains third-party risk management requirements for firms using third-party ICT service providers, including audit rights and mandatory contractual clauses.
Threat-led penetration testing (TLPT) frameworks have been developed at the national level for a number of years, and such testing is already mandatory at the EU level for certain types of financial market infrastructures. DORA expands this framework in two ways:
Firms have pointed to the recent proliferation of ICT incident reporting requirements, arguing that the multitude of requirements, deadlines, thresholds and associated fines for non-compliance can hinder their effective management of ICT incidents. DORA will alleviate some of these concerns by harmonizing the reporting templates, and the conditions that trigger a reporting obligation, that financial sector firms must follow when reporting to their national competent authorities (NCAs, which will be their financial sector supervisors). However, the regulation does not align with, or replace, certain other incident reporting requirements, such as those in the GDPR.
Eventually, the reporting obligation could shift from NCAs to a single European hub, in order to streamline information collection and ensure greater supervisory convergence. Before that happens, however, firms will have to adapt to the new EU reporting rules, including submitting root cause analysis reports no later than one month after a major ICT incident. Taken together, these measures will give EU regulators a better picture of the types of vulnerabilities most common across firms and may prompt them to take further action using their expanded ICT risk management rules and powers.
The simplified and strengthened rules for ICT risk management within firms emphasize the importance of board involvement. Building on existing guidelines, such as the European Banking Authority's guidelines on ICT and security risk management, the board will need to set the firm's tolerance for the risk and impact of ICT disruptions and review its business continuity and disaster recovery plans.
ICT risk management requirements are organized around the following:
While the first three points are relatively familiar to most firms, even if implemented with varying degrees of maturity, the last one should focus minds. The European Commission, recognizing the importance of maintaining business services and functions and the financial sector's increasing reliance on technology to deliver them, will require firms to devote time and resources to developing ways to restore their critical functions in the event of a severe disruption. To do so, firms will need to think carefully about substitutability, including investing in backup and recovery systems, and to assess whether, and how, certain critical functions can be performed by other systems or delivery methods while primary systems are checked and restored.