The Digital Operational Resilience Act (or DORA as it is known in EU policy circles) was one of the flagship legislative initiatives proposed as part of the EU’s Digital Finance Strategy (see our blog). The final text, which could be agreed before the summer break of 2022, aims to set a worldwide standard when it comes to the operational resilience of the financial sector and oversight of information and communication technology (ICT) providers servicing the sector. Below, we set out DORA’s objectives, discuss the implications of possible amendments to the proposal and preview the next steps.
What is DORA?
Proposed by the European Commission in September 2020 (see our blog), alongside a legislative proposal for an enabling framework for cryptoassets (see our blog), DORA aims to enhance the ICT risk management requirements applicable to financial entities in the EU, streamline ICT-related incident reporting requirements and reduce single market fragmentation, for instance in respect of digital operational resilience testing, and the cross-border acceptance of test results.
In addition, and most controversially, the proposal suggests a set of rules addressing the sound management of third-party ICT risk by financial entities, including requirements on key contractual provisions in (outsourcing) arrangements with ICT third-party service providers (ICT TPPs), and through the establishment of an oversight framework applicable to critical ICT TPPs.
With so many jurisdictions and international organisations, such as the FSB and IOSCO, looking at the operational resilience of the financial sector, and in particular the role of largely unregulated ICT TPPs servicing the financial sector, the Commission’s ambition is for the EU to be the first jurisdiction with a comprehensive regulatory framework in place (and thus influence others that follow). With the EU putting greater emphasis on technological and economic sovereignty, it is no surprise that it has taken swift action to address the fact that the EU’s financial sector is being serviced by many non-EU ICT TPPs.
The co-legislators (the Member States in the Council and the Parliament) have sensed this urgency and reacted accordingly. Little over a year after the Commission’s proposal, on 24 November, the Council adopted its position and, on 1 December, the Parliament adopted its position.
What key amendments to DORA are proposed by the co-legislators?
1. Scope of application
In addition to ICT TPPs, DORA would generally apply to a broad range of financial entities, including authorised credit institutions, payment institutions, crypto-asset service providers and CCPs. Three points about the scope are worth highlighting.
- Neither the Parliament nor the Council suggests payment schemes should be covered by the definition of financial entities despite various stakeholders pushing for their inclusion under the personal scope of DORA. The rationale behind this approach is that payment schemes are already subject to the Eurosystem oversight regime, so that no additional rules seem to be required for now. However, the Parliament considers that the Commission should potentially consider extending the scope of application as part of its review five years after DORA has entered into force.
- While payment schemes are not currently covered, the Parliament’s proposal intends to subject operators of securities settlement systems under the scope of DORA, something which was pushed for by French Socialist MEPs.
- One of the highly debated points during the legislative process thus far relates to whether DORA should be applicable to ICT intra-group service providers. While they have taken slightly different approaches, the Parliament and Council have both suggested that, while ICT intra-group service providers should not be entirely excluded from the scope of application, they should not be subject to the oversight framework for critical ICT TPPs, since the provision of ICT services by intra-group providers does not carry the same risks.
2. Increased focus on proportionality
In general, financial entities shall implement the new ICT requirements by taking into account their size, the nature, scale and complexity of their services and operations, and their overall risk profile. Interestingly, small and non-interconnected investment firms, as well as exempted credit institutions, payment institutions and e-money institutions, shall also be subject to governance, organisational and risk management requirements; however, lighter ICT requirements will apply to them compared to the other (non-exempted) financial entities. While the Parliament’s and Council’s positions have a great deal in common, they differ in implementation, e.g. concerning the specific ICT risk management requirements applicable to the exempted entities.
3. Harmonisation of reporting regime for major ICT related incidents and reporting of significant cyber threats
To reduce duplicative reporting for payment service providers falling within the scope of DORA, the Parliament and Council both suggest that the incident reporting requirements under Directive 2015/2366/EU (PSD2) should cease to apply. All operational or security payment-related and non-payment-related incidents that are currently reported under PSD2 should be reported under DORA, irrespective of whether the incidents are ICT-related or not.
When it comes to significant cyber threats, the co-legislators were keen to ensure consistency with their respective approaches on the proposal for a new version of Directive (EU) 2016/1148 (NIS2), which is also currently going through the legislative process (see our blog). The Parliament therefore suggests a voluntary notification scheme, consistent with its approach in NIS2 (and with industry’s calls), whereas the Council maintains the mandatory regime. The approach taken in the final agreement will most likely reflect that agreed in NIS2.
4. New rules for threat-led penetration testing (TLPT)
To achieve robust digital operational resilience, DORA will introduce the requirement for financial entities to regularly test their ICT systems and staff to determine the effectiveness of their preventive, detection and recovery capabilities. With regard to third countries, the Parliament has proposed a cooperation regime according to which the Commission and competent authorities should seek to establish a framework for mutual recognition of TLPT results.
5. Extended rules on outsourcing arrangements with ICT TPPs
DORA provides for a list of key contractual provisions which should be considered when financial entities enter into agreements with ICT TPPs and which will apply on top of the EBA Guidelines on outsourcing. The Parliament has proposed additional requirements to be laid down in the contractual arrangements specifically where “critical or important functions” are provided by ICT TPPs, such as notice periods and reporting obligations of the ICT TPPs.
The term “critical or important functions” has been expanded and now also includes “critical functions” as defined under the BRRD, which demonstrates that the management of ICT risk is also becoming increasingly relevant for resolution purposes. This is also highlighted by the following proposed amendment of the Parliament: credit institutions should ensure that the relevant ICT contracts are robust and fully enforceable in the event of the credit institution’s resolution, and ensure that the contracts are “resolution-resilient” in line with supervisory expectations.
Importantly, according to the Parliament’s proposal, financial entities may decide not to terminate the contractual arrangements with an ICT TPP in the case of disruptions until they are able to switch to another ICT TPP or change to in-house solutions, in agreement with their competent authorities.
Also, in relation to outsourcing arrangements, the Parliament proposes an intensified focus on relationships with third-country ICT TPPs. For example:
- financial entities must ensure that the agreement with a third-country ICT TPP is governed by the law of an EU member state and that it guarantees that the Lead Overseer and the newly established Joint Oversight Body (see also section 6 below) can carry out their duties; and
- contractual arrangements with third-country ICT TPPs must take into account EU data protection rules and the effective enforcement of the DORA rules.
The Council’s position does not contain changes similar to those outlined above, but generally limits the key contractual provisions to be considered in agreements to critical or important functions that are outsourced to ICT TPPs.
6. Restructuring of oversight framework
One of the key elements of DORA is the oversight framework for ICT TPPs, which would grant the Lead Overseer, i.e. one of the European Supervisory Authorities (ESAs), powers to issue recommendations, request information, carry out audits and inspections or impose sanctions on ICT TPPs.
As an overall observation, in contrast to the Council’s position, the Parliament has proposed numerous, very detailed and complex amendments to the oversight framework. In particular, a Joint Oversight Body consisting of national competent authorities should be established to conduct direct oversight of ICT TPPs. The Joint Oversight Body would support the Lead Overseer, which conducts and coordinates day-to-day oversight and investigative work over each critical ICT TPP. The Parliament’s amendments also touch on coordination between the Joint Oversight Body and the Lead Overseer and the designation process for critical (third-country) ICT TPPs, and further specify the oversight powers of the Lead Overseer.
A major concern raised by industry stakeholders in the legislative process was the requirement for third-country ICT TPPs to establish a subsidiary in the EU so that financial entities are allowed to use their services. Both co-legislators consider this requirement necessary to ensure that competent authorities have a contact point in the EU and can exercise their oversight duties and enforcement powers. That said, the Parliament has clarified that the local entity does not need to perform the contracted services, which can still be delegated to the third-country ICT TPP.
It is worth noting that the Parliament considers that the power to conduct on-site inspections with regard to third-country ICT TPPs should not be limited to sites in the EU, provided that the inspection is necessary for the Lead Overseer to carry out its duties under DORA, has a direct connection to the provision of ICT services to EU financial entities and is relevant to an ongoing investigation.
What’s next for DORA?
With the co-legislators having adopted their positions, we now enter what are known in Brussels as “trilogue negotiations”, i.e. co-legislators enter into negotiations on the basis of their respective positions with the aim of reaching a final agreement, overseen by the Commission, which defends its initial proposal.
Given that the co-legislators have been in close contact throughout the process and that France is pushing for an agreement by the end of its Presidency in June 2022, we may expect to see a final text before the summer break of 2022. Once agreed, it will still have to go through the EU’s formal approval process, including translation and legal scrubbing, before being published in the EU Official Journal.
While the Commission had initially proposed that DORA would apply 12 months following entry into force (aside from certain provisions on testing), the co-legislators have suggested that DORA should apply 24 months following that date. It will be interesting to see the final timeframe that is agreed, including the timeframes for the regulatory technical standards (RTS) to be adopted under DORA.