The EU Parliament recently adopted the Digital Operational Resilience Act (DORA) and the directive on digital operational resilience with a large majority. This vote paves the way for DORA to become EU law by the end of 2022. The regulation has changed significantly from the proposal first published by the EU Commission in September 2020 (see our blog), which was followed by compromise texts of the Parliament and Council setting the starting point for the trilogue negotiations in January 2022 (see our blog) and coming to the provisional agreement reached by the co-legislators in June 2022. The text voted on now by the Parliament marks the formal adoption of the agreed text. Once the Council confirms the Parliament’s vote and the text is published in the Official Journal, which is expected to happen before the end of 2022, DORA will enter into force.
DORA marks a cornerstone of the EU financial regulatory framework, which barely touches on operational risks relating to information and communications technologies (ICT), by introducing a comprehensive set of rules concerning the ICT risk management of financial sector firms to strengthen their digital operational resilience and prevent and mitigate cyber threats.
Below are our six key observations on the text adopted by the EU Parliament:
- The scope of applicable rules is finely graduated: no automatic intra-group exemption in place, operators of payment systems out of scope, focus on principle of proportionality.
- DORA will override the application of NIS2 in case of overlapping rules.
- The incident reporting regime is harmonised: The PSD2 reporting regime will cease to apply.
- The rules on outsourcing arrangements with ICT TPPs are extended.
- Financial entities must test their operational resilience on a regular basis.
- The Oversight regime on critical ICT TPPs is expanded to third-countries.
1. The scope of applicable rules is finely graduated: no automatic intra-group exemption in place, operators of payment schemes out of scope, focus on principle of proportionality
The scope of and exemptions from DORA have been highly debated throughout the legislative procedure. While it was always clear that DORA will apply to a broad range of financial entities including credit institutions, payment and e-money institutions, crypto asset providers, CCPs or CSDs, this was not set in stone for operators of payment systems which are currently (only) covered by the oversight regime of the European Central Bank (ECB) and national central banks. The current draft now provides that in the context of the review of Directive (EU) 2015/2366 (PSD 2), it will be assessed whether there is the need for increased cyber resilience of payment systems and whether it is appropriate to extend the scope of DORA to operators of payment systems.
In addition, DORA applies to ICT third party service providers (ICT TPPs), i.e. undertakings providing ICT services. The definition of those ICT services remains broad, covering digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.
Financial entities providing ICT services to other financial entities and therefore belonging to the group of ICT TPPs will not be excluded from the scope of DORA. However, they will be exempted from the oversight framework applicable to ICT TPPs. The same holds true for intra-group ICT service providers which are not per se considered less risky compared to ICT services provided by providers outside of a financial group financial.
The list of entities which do not fall under DORA is explicitly determined and covers financial entities which are subject to a very light regulatory framework under sector-specific Union law including, for example, broadly speaking, exempted managers of AIF or exempted insurance and reinsurance undertakings. Interestingly, exempted payment and e-money institutions are still caught by DORA although the lighter ICT requirements will apply to them. The same holds true for financial entities which qualify as micro enterprises.
2. DORA will override the application of NIS2 in case of overlapping rules
DORA aims to establish a common framework for the digital operational resilience of financial entities and to reduce the existing regulatory complexity. The Directive 2016/1148/EU (NIS Directive) was the first horizontal cybersecurity framework at EU level and applies also to three types of financial entities that will now be subject to DORA - namely credit institutions, trading venues and central counterparts. The upcoming NIS2 Directive (NIS2), which was adopted by the Parliament the same day as DORA, keeps these three types of financial entities in scope. This might lead to an overlap of rules e.g. on ICT-related incident and cyber threat reporting and risk management obligations. To solve this, DORA introduces a lex specialis rules stating that it will override the application of NIS2 in these cases as it provides a higher level of harmonisation of the various digital resilient components than NIS2. Still, to ensure cohesion between the horizontal cybersecurity framework and the digital resilience framework for financial entities, the competent supervisory authorities shall exchange information on incidents with NIS authorities.
3. The incident reporting regime is harmonised: The PSD 2 reporting regime will cease to apply
DORA further aims to harmonise the fragmented reporting obligations for financial institutions regarding ICT- and cybersecurity related incidents to supervisory authorities across Europe. All EU based financial entities will have to report major ICT-related incidents to their financial supervisory authority. To avoid potentially duplicative reporting obligations for payment service providers falling under the scope of DORA, the requirement for incident reporting pursuant to PSD 2 will cease to apply. All operational or security payment-related incidents, irrespective of whether they are ICT-related, will be reported under DORA going forward. This will affect credit institutions, e-money institutions, payment institution and account information service providers. The timeframe for ICT-related notifications is not determined by DORA. But DORA obliges the European supervisory authorities (ESAs, consisting of the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)) together with the European Union Agency for Cybersecurity (ENISA) and the ECB to come up with time-limits for the initial incident report and ensure consistency of these time-limits with those set out in the upcoming NIS2.
When it comes to significant cyber threats, DORA introduces a voluntary notification regime towards supervisory authorities in case the financial entities deem the threat to be of relevance to the financial system, service users or clients.
Reporting rules to clients both in case of ICT-related incidents having an impact on the financial interest of clients and significant cyberthreats will be mandatory. And for ICT-related incidents the clients must be informed without undue delay as soon as the financial entity becomes aware of it.
4. Financial entities must test their operational resilience on a regular basis
Supplementary to the comprehensive ICT risk and incident management requirements, DORA will introduce detailed rules on digital operational resilience testing. As a general requirement, financial entities must establish and maintain a sound and comprehensive testing programme. Such programme shall include a range of assessments, methodologies, practices and tools and provide for the execution of tests such as vulnerability assessments and scans, open-source analyses, network security assessments, physical security reviews, scenario-based tests, compatibility testing, performance testing and end-to-end testing.
Financial entities will also be required to conduct advanced testing by means of thread-led penetration testing (TLPT), except for those financial entities to which a simplified ICT risk management framework will apply under DORA and micro enterprises. CRR credit institutions subject to the direct prudential supervision of the ECB under Regulation (EU) 1024/2013 (SSM Regulation) shall only use external testers for the purposes of TLPT. As a general rule, advanced testing by means of TLPT shall be carried out at least every three years.
TLPT shall cover several or all critical or important functions of the financial entity and shall be performed on live production systems supporting such functions. In view of potential (unintended) consequences of the TLPT, effective risk management controls will have to be applied by the financial entity, the tester and, as the case may be, ICT TPPs included in the scope of the TLPT in order to mitigate the risks of any potential impact on data, damage to assets, and disruption to critical or important functions, services or operations. Under certain circumstances, instead of a direct participation of an ICT TPP in the TLPT carried out by a financial entity, the financial entity and the ICT TPP may agree that the ICT TPP enters into contractual arrangements with an external tester to conduct a pooled TLPT involving several financial entities.
5. The rules on outsourcing arrangements with ICT TPPs are extended
Where financial entities have in place contractual arrangements for the use of ICT services provided by third-parties, they will have to observe additional requirements addressing the management of third-party risk. In this context, it is worth noting that the requirements do not refer to “outsourcing” as existing regulation does, but more broadly capture all ICT services provided by a third-party to a financial entity.
Financial entities will have to adopt a dedicated strategy on ICT third-party risk, also taking into account a potential multi-vendor strategy, and all contractual arrangements on the use of ICT services will have to be reflected in a register maintained by the financial entity. Before and when entering into a specific contractual arrangement, the financial entity will have to conduct a due diligence on the ICT service provider and also assess associated risks with the conclusion of such arrangement, including, for instance, concentration risk. Financial entities may not enter into a contractual relationship where they cannot satisfy themselves that the ICT service provider complies with appropriate information security standards. Further, financial entities will have to perform inspections and audits. Where the use of ICT services entails high technical complexity, this also means that financial entities have to verify that auditors possess appropriate skills to effectively perform audits and assessments. Specifically with regard to ICT services supporting critical or important functions, financial entities shall have in place exit strategies. DORA also provides for a set of key contractual provisions which have to be reflected in the contractual arrangements.
While the above means that the regulatory obligations will lie with the financial entities, the implementation of those comprehensive regulatory obligations will certainly impact the business activities of ICT TPPs considerably, too.
6. The Oversight regime on critical ICT TPPs is expanded to third-countries
Critical ICT TPPs will be subject to an oversight regime by the Lead Overseers, i.e. the ESAs, which provides e.g. for audit, information request and inspection rights. To ensure enforceability of penalty payments to compel critical ICT third-party providers to comply with applicable rules, critical ICT TPPs must establish a subsidiary in the Union within 12 months after their designation as critical. If not, financial entities may not use their services. It has been clarified that the requirement to set up a subsidiary should not prevent the critical ICT TPPs from supplying ICT services from facilities and infrastructures located outside the Union. DORA also does not require data storage or processing in the EU. However, while oversight activities should be generally conducted on premises located in the EU including the subsidiary established by third-country ICT TPPs, the Lead Overseers should also be able to exercise their oversight powers in third countries subject to cooperation arrangements concluded with the relevant third-country authority and framed by relevant conditions such as the consent of the critical ICT TPPs.
What’s next?
Now that the final text has been adopted by the EU Parliament and only the vote of the Council is outstanding, firms should start preparing for the tasks to implement DORA. DORA will be applicable 24 months after entry into force which means that supervisors will expect companies to be in compliance with all new requirements approximately by the end of Q4 2024. The tight implementation period is further complicated by the fact that DORA will be accompanied by a magnitude of Level 2 rules including, among others, RTS or ITS on the ICT incident reporting framework or rules and scope for the advanced resilience testing, which shall apply 12-18 months after DORA entered into force.
One thing is clear: increased digitalisation and interconnectedness have made financial services more vulnerable to ICT risks and cyber threats. Preventing and mitigating these risks will be one of the top priorities for in-scope companies attracting the attention of regulators going forward.