What is the EU’s Digital Operational Resilience Act?
The European Union is implementing a significant new regulation for the financial sector. The new European law, the Digital Operational Resilience Act (DORA), expands the substantial regulatory monitoring of ICT risks in financial services. It aims to reduce the risks related to outsourcing to third-party service providers and enhance the digital resilience of financial institutions within the EU.
The DORA covers most of the regulated financial institutions in the EU, including, amongst others, banks, insurance companies and intermediaries, investment companies, pension funds, crypto-asset service providers and fund managers. All financial institutions included in the scope of this regulation’s ICT infrastructure will be affected.
Additionally, DORA will apply to businesses that fall under the “critical ICT third-party service providers” category, covering services like cloud computing, audit, software, data analytics and data centres.
Objectives of the Digital Operational Resilience Act
- Identify ICT risks and improve digital resilience
- Simplify the reporting of ICT incidents
- Allow supervisors access to incident-related ICT information
- Ensure the evaluation of preventive and resilience measures
- Allow for the acceptance of testing results across borders
- Regulate the monitoring of ICT third-party providers
- Monitor critical ICT third-party service providers
The act specifies a set of criteria, templates and guidelines that will influence how financial institutions manage ICT and cyber risks. As a result, all relevant sectors will adopt a single, consistent supervisory approach.
The five key pillars of DORA
- ICT risk management framework. Financial institutions must have an effective, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which is regularly reviewed and audited.
- ICT-related incident reporting. Financial institutions must develop an incident management process to identify, control and notify ICT-related incidents. The reporting requirement to the appropriate authorities has strict timelines for incidents that qualify as “major.” Financial institutions must review and update their existing internal incident reporting systems and, where applicable, outsourcing arrangements to comply with these notification requirements.
- Digital operational resilience testing. Financial institutions must implement robust and extensive testing plans to ensure digital operational resilience. Any weaknesses, deficiencies or gaps must be recognised and swiftly eliminated or minimised by counteractive measures. Moreover, the requirements for testing digital operational resilience must align with the business’s size, nature and risk profile of the entities.
- ICT third-party risk management. To control ICT third-party risks, the DORA establishes principles-based guidelines for monitoring the risks related to outsourced tasks. It mandates that outsourcing agreements adhere to specific minimum contracting requirements. Furthermore, the regulation establishes a framework for overseeing crucial third-party service providers by European Supervisory Authorities (ESAs).
- Information sharing. Financial institutions are encouraged to share information and intelligence about cyber threats through agreements that safeguard the potentially sensitive nature of the shared data.
Applications of the act
The DORA has full legal force and applies to all EU Member States. Below are the financial entities regulated under the DORA:
- Credit institutions
- Payment institutions and electronic money institutions
- Investment firms
- Crypto-asset service providers
- Central securities depositories
- Central counterparties
- Trading venues and trade repositories
- AIFMs and management companies
- Data reporting service providers
- Insurance and reinsurance undertakings and intermediaries
- Institutions for occupational retirement pensions
- Credit rating agencies
- Statutory auditors and audit firms
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
Timeline
The EU Council formally adopted DORA on 28 November 2022. This was the final step in the legislative process, and each EU member state will now pass it into law. In addition, the European Supervisory Authorities will develop technical standards that all relevant financial entities must follow. They will have 24 months to implement the regulation. Therefore, the DORA is expected to enter into force in early 2025.
Next steps
Understanding the new requirements comes first. Financial institutions must assess and improve their current ICT landscape’s resilience level to comply with the act. Reviewing and updating internal policies, processes, governance and control frameworks is crucial to ensure compliance with DORA requirements.
Additionally, financial institutions must define, develop and enforce an ICT-related incident management process to identify, track, log, categorise, classify and report ICT-related incidents. A further requirement is to ensure all contracts and outsourcing agreements align with DORA principles.
How can we help?
Our experts can help you adapt, improve and comply with new policies in this rapidly changing regulatory climate. With our cutting-edge technology, in-depth regulatory knowledge and understanding of the financial services sector, we assist clients in managing risk, combating financial crime and fraud and meeting evolving customer needs.
Contact our team to learn more about our services.