Josef Bergt
2023
Introduction
In an era where digitalization is rapidly transforming the financial landscape, the European Union has made a significant stride with the introduction of the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554. This groundbreaking regulation marks a pivotal shift in the way cybersecurity, Information and Communication Technology (ICT) risks, and digital operational resilience are managed within the European financial sector. This article aims to dissect the multifaceted aspects of DORA, its implications for financial institutions, and the broader ramifications for the financial markets.
Comprehensive Scope of DORA
DORA, a comprehensive regulatory framework, applies universally to nearly all supervised institutions and entities within the European financial sector. Its scope is vast, amalgamating various requirements related to cybersecurity, ICT risks, and digital operational resilience under a singular, cohesive umbrella. This inclusiveness ensures a standardized approach across the sector, fostering a more secure and resilient financial environment.
Preparatory Steps by Regulators
Competent national supervisory authorities are actively preparing for the full implementation of DORA. This preparation involves the adjustment of supervisory and administrative practices and the integration of IT processes and systems in line with DORA's requirements. In general, the respective national regulatory body will become the national reporting hub for ICT incidents in the financial sector, a role that underscores the commitment to analyzing potential sector-wide risks.
Key Areas of Focus in DORA
DORA aims to bolster the digital operational resilience of the entire European financial sector in six key areas:
This comprehensive approach is designed to enhance the sector's preparedness and response capabilities to digital threats and challenges.
Timeline for DORA's Application
DORA is set to become applicable from January 17, 2025. This timeline provides institutions and entities ample time to align their practices and frameworks with the new regulations.
Joint Efforts by European Supervisory Authorities
The three European Supervisory Authorities (ESAs) – the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), and the European Insurance and Occupational Pensions Authority (EIOPA) – are collaboratively developing technical regulatory standards, implementation standards, and guidelines. These collaborative efforts are crucial in further specifying the application of DORA across all sectors.
DORA Amendment Directive
In tandem with DORA, the DORA Amendment Directive (Directive (EU) 2022/2556) was also published, aiming to maintain consistency with DORA's requirements across various European sectoral directives. This includes the integration of Threat-Led Penetration Testing (TLPT) under DORA into the Supervisory Review and Evaluation Process (SREP) of the Capital Requirements Directive (CRD). The directive amends several European directives, ensuring a harmonized approach across the board.
Implementation
The EU Digital Finance Package enacts the Markets in Crypto Assets Regulation (MiCAR), the revised EU Funds Transfer Regulation (FTR), and the DORA package among others, thereby digitalizing the financial market in a comprehensive and coordinated manner.
Background of DORA
The European Parliament and Council adopted DORA on December 14, 2022, and it was published in the Official Journal of the European Union on December 27, 2022. Coming into force on January 17, 2023, it will be applicable from January 17, 2025. The European Commission initially proposed DORA on September 24, 2020, as part of a package aimed at digitalizing the financial sector. This package also includes legislation on a pilot regime for market infrastructures based on Distributed Ledger Technology (Regulation (EU) 2022/858), among others.
Current and Completed Consultations on DORA
Presently, there are no public consultations on DORA. However, upcoming consultations by the ESAs on various regulatory technical standards (RTS) and implementing technical standards (ITS) related to DORA are scheduled. These consultations cover a range of topics, including Threat-Led Penetration Testing, ICT third-party risk management, and the reporting of significant ICT incidents.
Key Takeaways on DORA
DORA represents a significant regulatory milestone in the quest for enhanced digital operational resilience within the European financial sector. Its comprehensive scope, which includes a wide array of institutions and entities, coupled with a focus on key areas such as ICT risk management and cyber threat reporting, positions it as a critical framework in the face of evolving digital challenges. The collaborative efforts of European supervisory authorities in developing and refining the regulatory standards under DORA further underscore its importance and the collective commitment to a more resilient financial sector.
Expansion of DORA's Scope and Applicability
DORA, as a cross-sector European regulation, serves the purpose of consolidating and harmonizing the provisions of existing sectoral European regulations and directives. This harmonization represents a significant advancement in regulatory coherence and efficiency.
Entities Covered Under DORA
The range of entities covered by the European Regulation DORA (Article 2(1)) is extensive, including but not limited to:
Exceptions to DORA's Application
However, there are exceptions (Article 2(3) DORA) to this broad applicability, including:
DORA's Implementation Timeline
The provisions of DORA will become applicable from January 17, 2025. This timeline underscores the forward-looking nature of the regulation, providing ample time for the entities to prepare and align their operations with the new requirements.
Definition of "ICT-related Incident"
Under DORA, an "ICT-related incident" (Article 3(1)(8)) is defined as an unplanned event or a series of connected events that compromise the security of network and information systems. These incidents have adverse effects on the availability, authenticity, integrity, or confidentiality of data, or on the services provided by the financial institution.
ICT Services Definition
"ICT services" (Article 3(1)(21) DORA) encompass digital and data services provided through ICT systems to one or more internal or external users. This includes hardware as a service and hardware services, along with technical support by the hardware provider through software or firmware updates, excluding conventional analog telephone services.
Supervision of Critical ICT Third-Party Service Providers
Critical ICT third-party service providers are subject to the supervision of European supervisory authorities. This supervision is distinct from the oversight of financial institutions. These providers, as non-financial entities, do not need to seek authorization from financial supervisory authorities, nor can such authorization be revoked. The supervisory scope is limited to the assessment framework established in Article 33(3) DORA, focusing primarily on the management of ICT risks posed by these providers to financial institutions. The powers of the supervisory authorities are also limited (Article 35 DORA), such as not having the authority to remove business leaders or appoint special representatives.
EU's Heterogeneous Landscape in Supervising ICT Providers
The current landscape within the EU regarding the supervision of critical ICT third-party service providers is notably heterogeneous. This disparity poses a potential systemic risk to the European financial market, given the cross-border dependencies on critical ICT third-party service providers (see Recital 30 to DORA). The EU's approach aligns with its strategy to deepen the single market with uniform rules and is expected to reduce the burden for cross-border financial institutions.
Enhanced Oversight and Responsibilities Under DORA
Beginning in January 2025, European supervisory authorities will have expanded rights regarding critical ICT third-party service providers, including:
In extreme cases, national supervisory authorities will have the power to suspend or demand the termination of services from these providers.
Ongoing Responsibility of Financial Institutions
Financial companies must continuously monitor the use of ICT third-party services within their own operations. However, the supervision of critical ICT third-party service providers by authorities is geared towards the broader financial market. Therefore, the supervision of a critical ICT third-party service provider does not absolve financial companies of their regulatory obligations. Instead, these companies remain fully responsible for compliance.
From 2025, financial companies will benefit from the system-wide supervision by authorities, which includes access to a summary of unimplemented or partially implemented recommendations by critical ICT third-party service providers.
Criteria for Identifying Critical ICT Third-Party Service Providers
The classification of a service provider as "critical" is not based on the supervisory experience with the provider or its public reputation. Instead, the classification is determined based on its role in the financial market, assessed through a detailed catalog of criteria established by the EU Commission. Factors considered include:
For classification, authorities primarily rely on financial institutions' information registers. The ESAs have developed criteria for determining criticality and submitted their joint opinion to the EU Commission in September 2023. The final criteria will be published by the EU Commission in a delegated act.
Costs of Supervision
The costs of supervision will be borne by the companies classified as critical ICT third-party service providers. This also applies to providers who voluntarily submit to the supervisory framework.
Focus on Cloud Service Providers
While cloud service providers are a primary focus of DORA, not every cloud provider will automatically fall under the supervisory framework of European authorities. Instead, the evaluation of financial institutions' information registers in 2025 will determine whether cloud service providers will be subject to supervision. Each case will be assessed individually.
Reporting ICT-related Incidents
An ICT-related incident must be reported if it meets specific classification criteria. The classification process and criteria, based on requirements in Article 18 of DORA, will be further detailed in a Regulatory Technical Standard (RTS). The consultation paper for the RTS was publicly consulted from June 19 to September 11 and will be finalized in 2024.
In general, national competent supervisory authorities will act as the central reporting hub for all financial institutions under their supervision.
Voluntary Reporting of Cyber Threats
According to Article 19(2) of DORA, the reporting of cyber threats is voluntary. Financial institutions may voluntarily report significant cyber threats if they believe the threat is relevant to the financial system, service users, or customers.
Testing Methodology and Procedures for TLPT
The key testing methodology and procedures for Threat-Led Penetration Testing (TLPT) should align with the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming for the European Union Financial System; Article 26(11) DORA). With DORA, such tests become a supervisory instrument and part of a financial company's ICT risk management framework. Consequently, the respective supervisory authority (or the ECB for significant credit institutions) will integrate these tests into its supervisory processes. This includes identifying the financial companies required to conduct TLPT, determining test frequency, validating test scope, and incorporating test results into ongoing supervision.
All financial companies within DORA's scope are subject to general testing requirements (Articles 24 and 25 DORA). A robust and comprehensive program for testing digital operational resilience is an integral part of the ICT risk management framework.
The requirement for extended tests based on TLPT (Articles 26 and 27 DORA) applies only to selected financial companies identified by the competent supervisory authority based on criteria specified in Article 26(8) DORA. These criteria include impact-related factors, concerns about financial stability, the systemic character of the financial company at the EU or national level, and the company's specific ICT risk profile, maturity, and relevant technological features.
These criteria will be specified by an RTS developed by the ESAs in collaboration with the competent authorities. The public consultation of the RTS draft is planned from December 2023 to February 2024, with the final draft to be submitted to the European Commission in July 2024.
Source: DORA; BaFin on DORA
Executive Summary: