Digital Frontier: Understanding DORA's Impact on European Financial Resilience

Josef Bergt

2023

Introduction

In an era where digitalization is rapidly transforming the financial landscape, the European Union has made a significant stride with the introduction of the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554. This groundbreaking regulation marks a pivotal shift in the way cybersecurity, Information and Communication Technology (ICT) risks, and digital operational resilience are managed within the European financial sector. This article aims to dissect the multifaceted aspects of DORA, its implications for financial institutions, and the broader ramifications for the financial markets.

Comprehensive Scope of DORA

DORA, a comprehensive regulatory framework, applies universally to nearly all supervised institutions and entities within the European financial sector. Its scope is vast, amalgamating various requirements related to cybersecurity, ICT risks, and digital operational resilience under a singular, cohesive umbrella. This inclusiveness ensures a standardized approach across the sector, fostering a more secure and resilient financial environment.

Preparatory Steps by Regulators

Competent national supervisory authorities are actively preparing for the full implementation of DORA. This preparation involves the adjustment of supervisory and administrative practices and the integration of IT processes and systems in line with DORA's requirements. The respective national regulatory bodies in general will become the national reporting hub for ICT incidents in the financial sector, a role that underscores the commitment to analyzing potential sector-wide risks.

Key Areas of Focus in DORA

DORA aims to bolster the digital operational resilience of the entire European financial sector in six key areas:

• ICT risk management
• Reporting mechanisms for ICT incidents and major cyber threats
• Testing of digital operational resilience, including Threat-led Penetration Testing (TLPT)
• ICT third-party risk management
• A European supervisory framework for critical ICT third-party service providers
• Information sharing and cyber crisis and emergency exercises

This comprehensive approach is designed to enhance the sector's preparedness and response capabilities to digital threats and challenges.

Timeline for DORA's Application

DORA is set to become applicable from January 17, 2025. This timeline provides institutions and entities ample time to align their practices and frameworks with the new regulations.

Joint Efforts by European Supervisory Authorities

The three European Supervisory Authorities (ESAs) – the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), and the European Insurance and Occupational Pensions Authority (EIOPA) – are collaboratively developing technical regulatory standards, implementation standards, and guidelines. These collaborative efforts are crucial in further specifying the application of DORA across all sectors.

DORA Amendment Directive

In tandem with DORA, the DORA Amendment Directive (Directive (EU) 2022/2556) was also published, aiming to maintain consistency with DORA's requirements across various European sectoral directives. This includes the integration of TLPT under DORA into the Supervisory Review and Evaluation Process (SREP) of the Capital Requirements Directive (CRD). The directive amends several European directives, ensuring a harmonized approach across the board.

Implementation

The EU Digital Finance Package enacts the Markets in Crypto Assets Regulation (MiCAR), the revised EU Funds Transfer Regulation (FTR), and the DORA package among others, thereby digitalizing the financial market in a comprehensive and coordinated manner.

Background of DORA

The European Parliament and Council adopted DORA on December 14, 2022, and it was published in the Official Journal of the European Union on December 27, 2022. Coming into force on January 17, 2023, it will be applicable from January 17, 2025. The European Commission initially proposed DORA on September 24, 2020, as part of a package aimed at digitalizing the financial sector. This package also includes legislation on a pilot regime for market infrastructures based on Distributed Ledger Technology (Regulation (EU) 2022/858), among others.

Current and Completed Consultations on DORA

Presently, there are no public consultations on DORA. However, upcoming consultations by the ESAs on various technical regulatory standards (RTS) and implementation technical standards (ITS) related to DORA are scheduled. These consultations cover a range of topics, including Threat Led Penetration Testing, ICT third-party risk management, and the reporting of significant ICT incidents.

Key Takeaways on DORA

DORA represents a significant regulatory milestone in the quest for enhanced digital operational resilience within the European financial sector. Its comprehensive scope, which includes a wide array of institutions and entities, coupled with a focus on key areas such as ICT risk management and cyber threat reporting, positions it as a critical framework in the face of evolving digital challenges. The collaborative efforts of European supervisory authorities in developing and refining the regulatory standards under DORA further underscore its importance and the collective commitment to a more resilient financial sector.

Expansion of DORA's Scope and Applicability

DORA, as a cross-sector European regulation, serves the purpose of consolidating and harmonizing the provisions of existing sectoral European regulations and directives. This harmonization represents a significant advancement in regulatory coherence and efficiency.

Entities Covered Under DORA

The range of entities covered by the European Regulation DORA (Article 2(1)) is extensive, including but not limited to:

• Credit institutions under the CRR (Capital Requirements Regulation)
• Payment institutions
• Account information service providers
• Electronic money institutions
• Securities firms
• Crypto asset service providers authorized under the MiCAR, and issuers of asset-referenced tokens
• Central securities depositories
• Central counterparties
• Trading venues
• Transaction registers
• Managers of alternative investment funds
• Management companies
• Data reporting service providers
• Insurance and reinsurance companies
• Insurance, reinsurance, and ancillary insurance intermediaries
• Institutions for occupational retirement provision
• Credit rating agencies
• Administrators of critical benchmarks
• Crowdfunding service providers
• Securitization repositories
• ICT service providers

Exceptions to DORA's Application

However, there are exceptions (Article 2(3) DORA) to this broad applicability, including:

• Managers of alternative investment funds as defined in Article 3(2) of Directive 2011/61/EU
• Insurance and reinsurance companies as per Article 4 of Directive 2009/138/EC
• Occupational pension institutions operating pension schemes with fewer than 15 participants
• Natural or legal persons exempt under Articles 2 and 3 of Directive 2014/65/EU
• Insurance, reinsurance, and ancillary insurance intermediaries that are micro, small, or medium-sized enterprises
• Post office giro institutions as defined in Article 2(5)(3) of Directive 2013/36/EU

DORA's Implementation Timeline

The provisions of DORA will become applicable from January 17, 2025. This timeline underscores the forward-looking nature of the regulation, providing ample time for the entities to prepare and align their operations with the new requirements.

Definition of "ICT-related Incident"

Under DORA, an "ICT-related incident" (Article 3(1)(8)) is defined as an unplanned event or a series of connected events that compromise the security of network and information systems. These incidents have adverse effects on the availability, authenticity, integrity, or confidentiality of data, or on the services provided by the financial institution.

ICT Services Definition

"ICT services" (Article 3(1)(21) DORA) encompass digital and data services provided through ICT systems to one or more internal or external users. This includes hardware as a service and hardware services, along with technical support by the hardware provider through software or firmware updates, excluding conventional analog telephone services.

Supervision of Critical ICT Third-Party Service Providers

Critical ICT third-party service providers are subject to the supervision of European supervisory authorities. This supervision is distinct from the oversight of financial institutions. These providers, as non-financial entities, do not need to seek authorization from financial supervisory authorities, nor can such authorization be revoked. The supervisory scope is limited to the assessment framework established in Article 33(3) DORA, focusing primarily on the management of ICT risks posed by these providers to financial institutions. The powers of the supervisory authorities are also limited (Article 35 DORA), such as not having the authority to remove business leaders or appoint special representatives.

EU's Heterogeneous Landscape in Supervising ICT Providers

The current landscape within the EU regarding the supervision of critical ICT third-party service providers is notably heterogeneous. This disparity poses a potential systemic risk to the European financial market, given the cross-border dependencies on critical ICT third-party service providers (see Recital 30 to DORA). The EU's approach aligns with its strategy to deepen the single market with uniform rules and is expected to reduce the burden for cross-border financial institutions.

Enhanced Oversight and Responsibilities Under DORA

Beginning in January 2025, European supervisory authorities will have expanded rights regarding critical ICT third-party service providers, including:

• The authority to request information.
• Conducting general investigations and audits, including on-site inspections.
• Issuing recommendations on ICT security, such as patching, updates, encryption, terms of service, and subcontracting arrangements, including the prohibition of further subcontracting.
• Publicly disclosing when a supervised company fails to comply with these recommendations and if sanctions have been imposed.

In extreme cases, national supervisory authorities will have the power to suspend or demand the termination of services from these providers.

Ongoing Responsibility of Financial Institutions

Financial companies must continuously monitor the use of ICT third-party services within their own operations. However, the supervision of critical ICT third-party service providers by authorities is geared towards the broader financial market. Therefore, the supervision of a critical ICT third-party service provider does not absolve financial companies of their regulatory obligations. Instead, these companies remain fully responsible for compliance.

From 2025, financial companies will benefit from the system-wide supervision by authorities, which includes access to a summary of unimplemented or partially implemented recommendations by critical ICT third-party service providers.

Criteria for Identifying Critical ICT Third-Party Service Providers

The classification of a service provider as "critical" is not based on the supervisory experience with the provider or its public reputation. Instead, the classification is determined based on its role in the financial market, assessed through a detailed catalog of criteria established by the EU Commission. Factors considered include:

• The systemic impact on the stability, continuity, or quality of financial services if the provider were to experience a significant operational disruption.
• The systemic nature or significance of the financial institutions using the provider.
• The financial industry's dependence on the provider.
• The substitutability of the provider's services.

For classification, authorities primarily rely on financial institutions' information registers. The ESAs have developed criteria for determining criticality and submitted their joint opinion to the EU Commission in September 2023. The final criteria will be published by the EU Commission in a delegated act.

Costs of Supervision

The costs of supervision will be borne by the companies classified as critical ICT third-party service providers. This also applies to providers who voluntarily submit to the supervisory framework.

Focus on Cloud Service Providers

While cloud service providers are a primary focus of DORA, not every cloud provider will automatically fall under the supervisory framework of European authorities. Instead, the evaluation of financial institutions' information registers in 2025 will determine whether cloud service providers will be subject to supervision. Each case will be assessed individually.

Reporting ICT-related Incidents

An ICT-related incident must be reported if it meets specific classification criteria. The classification process and criteria, based on requirements in Article 18 of DORA, will be further detailed in a Regulatory Technical Standard (RTS). The consultation paper for the RTS was publicly consulted from June 19 to September 11 and will be finalized in 2024. 

In general, national competent supervisory authorities will act as the central reporting hub for all financial institutions under its supervision.

Voluntary Reporting of Cyber Threats

According to Article 19(2) of DORA, the reporting of cyber threats is voluntary. Financial institutions may voluntarily report significant cyber threats if they believe the threat is relevant to the financial system, service users, or customers. 

Testing Methodology and Procedures for TLPT

The key testing methodology and procedures for Threat-led Penetration Testing (TLPT) should align with the TIBER-EU framework (Article 26(11) DORA; Threat Intelligence-Based Ethical Red Teaming for the European Union Financial System). With DORA, such tests become a supervisory instrument and part of a financial company's ICT risk management framework. Consequently, the respective supervisory authority (or the ECB for significant credit institutions) will integrate these tests into supervisory processes. This includes identifying financial companies required to conduct TLPT, determining test frequency, validating test scope, and incorporating test results into ongoing supervision.

All financial companies within DORA's scope are subject to general testing requirements (Articles 24 and 25 DORA). A robust and comprehensive program for testing digital operational resilience is an integral part of the ICT risk management framework.

The requirement for extended tests based on TLPT (Articles 26 and 27 DORA) applies only to selected financial companies identified by the competent supervisory authority based on criteria specified in Article 26(8) DORA. These criteria include impact-related factors, concerns about financial stability, the systemic character of the financial company at the EU or national level, and the company's specific ICT risk profile, maturity, and relevant technological features.

These criteria will be specified by an RTS developed by the ESAs in collaboration with the competent authorities. The public consultation of the RTS draft is planned from December 2023 to February 2024, with the final draft to be submitted to the European Commission in July 2024. 

Source: DORA; BaFin on DORA

Executive Summary:

• DORA is a comprehensive EU regulation focusing on ICT risks, and digital operational resilience in the financial sector.
• It applies to almost all supervised institutions and entities within the European financial sector.
• National regulatory bodies are preparing for DORA by integrating IT processes and systems.
• Key focus areas of DORA include ICT risk management, cyber threat reporting, and testing of digital operational resilience.
• DORA becomes applicable from January 17, 2025.
• The European Supervisory Authorities are developing technical standards and guidelines to further define DORA's application.
• The DORA Amendment Directive aims to maintain consistency across various European sectoral directives.
• DORA was adopted as part of the EU's package for digitalizing the financial sector.
• Upcoming public consultations on DORA are planned, covering various technical and regulatory aspects.
• DORA harmonizes and consolidates regulations across various European financial sector directives.
• A wide range of financial entities are covered by DORA, including credit institutions, payment institutions, crypto service providers, insurance companies, and more.
• There are specific exceptions to DORA's applicability, such as small insurance intermediaries and certain alternative investment fund managers.
• DORA's provisions will be implemented from January 17, 2025.
• "ICT-related incidents" under DORA refer to events impacting network and information system security, affecting data and service integrity.
• DORA's definition of "ICT services" encompasses a wide range of digital and data services, including hardware services and support.
• Critical ICT third-party service providers are subject to a distinct supervisory framework, focusing on the management of ICT risks impacting financial institutions.
• Supervisory authorities have limited powers over these providers, emphasizing risk management rather than direct operational control.
• There is variation in the supervision of critical ICT third-party service providers across EU member states, reflecting different levels of regulatory powers and approaches.
• The EU's strategy seeks to harmonize rules and reduce administrative burdens in the single market, especially concerning the supervision of critical ICT third-party service providers.
• From January 2025, European authorities will have expanded oversight over critical ICT third-party service providers, including the right to request information, conduct audits, issue recommendations, and disclose non-compliance.
• Financial companies must continuously monitor their use of ICT third-party services, remaining fully responsible for regulatory compliance.
• The classification of critical ICT third-party service providers is based on their role in the financial market, not on past experiences or public reputation.
• The costs of supervision are borne by the classified critical ICT third-party service providers.
• Cloud service providers are a focus of DORA, but their inclusion in the supervisory framework will be decided individually.
• Reporting of ICT-related incidents is mandatory if specific classification criteria are met, as detailed in an upcoming RTS.
• In general, competent national supervisory authorities serve as the central reporting hub for ICT-related incidents.
• Voluntary reporting of significant cyber threats is encouraged.
• TLPT tests align with the TIBER-EU framework and are integrated into financial companies' supervisory processes.
• General testing requirements apply to all financial companies under DORA, with extended TLPT tests for selected companies based on specific criteria.