Two EU legislative acts relating to digital operational resilience in the financial industry were recently published in the Official Journal of the European Union.
Regulation (EU) 2022/2554 (DORA) and Directive (EU) 2022/2556 (DORA Amending Directive) will enter into force on 16 January 2023.
As a regulation, DORA will be directly effective from 17 January 2025 without transposing measures. EU member states must implement the DORA Amending Directive from the same date.
Background
The financial sector requires resilient information and communication technology (ICT) to operate. There is a growing international political, regulatory and supervisory focus on mitigating risks to the financial industry stemming from its reliance on ICT. DORA is one aspect of the EU's Digital Finance Package, which also includes legislative proposals on markets in crypto-assets (MiCA), on distributed ledger technology such as blockchain, and a digital finance strategy.
Objective of DORA
DORA aims to consolidate and upgrade ICT risk requirements in the EU financial sector, to guard against cyber-attacks and ensure that in-scope financial entities such as banks, insurance companies and investment firms are subject to uniform rules mitigating ICT-related operational risk.
Existing Central Bank Guidance
While DORA is newly adopted EU legislation, the Central Bank of Ireland published in December 2021 (i) cross-industry operational resilience guidelines (Operational Resilience Guidelines) and (ii) guidance for the governance, risk management and business continuity management of outsourcing activities (Outsourcing Guidance) for regulated financial service providers in Ireland. Before that, in 2016, the Central Bank of Ireland published cross-industry guidance on Information Technology and Cybersecurity Risks, which should be read in conjunction with the Operational Resilience Guidelines and the Outsourcing Guidance. Please see our Operational Resilience Guidelines and Outsourcing Guidance briefings for further information.
NIS2
DORA aligns with broader measures for common cybersecurity levels across the European Union to improve the public and private sectors' resilience and incident response capacities. The NIS Directive (EU 2016/1148) was the first piece of EU-wide legislation on cybersecurity. Its expanded version, the recently adopted NIS2 Directive (NIS2D), relates to the resilience of a broad category of entities, including financial entities identified as operators of essential services. While NIS2 will enhance existing cybersecurity risk management measures and reporting obligations for multiple sectors and member state governments, DORA is financial sector-specific legislation. For further information on NIS2, please see our recent article here.
DORA Amending Directive
The DORA Amending Directive will amend other Directives to align with DORA, including CRD IV, Solvency II, MiFID II, PSD2, UCITS and AIFMD.
In-scope entities
1. Financial Entities
In-scope financial entities must effectively manage their ICT risks. Such entities must have the ability to withstand, respond to and recover from various ICT-related threats and disruptions. In-scope financial entities include those in the following sectors:
- Banking (e.g. credit institutions, payment institutions, electronic money institutions, investment firms and crypto-asset service providers).
- Financial markets infrastructure (e.g. central securities depositories, central counterparties (CCPs), trading venues, trade repositories and data reporting service providers).
- Funds (e.g. alternative investment fund managers (AIFMs) and UCITS management companies).
- Insurance (e.g. insurance and reinsurance undertakings, and insurance, reinsurance and ancillary insurance intermediaries).
- Other (e.g. credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories).
2. ICT third-party service providers
ICT third-party service providers designated as "critical" by any of the European Supervisory Authorities (ESAs) will be subject to a new supervisory framework when providing services to in-scope financial entities. ICT third parties not designated as "critical" may voluntarily opt in to this oversight. The European Commission will adopt further regulation on the criteria an ESA must apply when assessing whether to designate an ICT third party as "critical".
Limited exceptions apply.
Key Elements of DORA
- Governance and control
DORA sets out requirements for financial entities relating to governance structures, systems and controls. The management of an in-scope financial entity will have to define, approve, oversee and be accountable for the firm's ICT risk management framework.
- ICT risk management framework
The ICT risk management framework must be sound, comprehensive and well-documented. It must be reviewed regularly and should outline:
  - how it fits within the firm's overall risk management framework;
  - how it supports the firm's business strategy and objectives;
  - clear roles and responsibilities for ICT-related functions;
  - a communication strategy for ICT-related events;
  - the firm's tolerance level for ICT risk;
  - the firm's information security objectives;
  - the firm's information and ICT assets;
  - a map of ICT asset configuration and interdependencies; and
  - critical ICT processes.
- ICT security
ICT security must be monitored and reviewed. Firms must identify ICT-related issues and employ mechanisms to detect potential ICT threats or problems.
- ICT incident management, classification and reporting
DORA promotes a consistent and integrated process to detect, manage and notify ICT-related incidents. Standardised reporting templates must be used, and relevant incidents must be reported to the competent authority within prescribed timeframes. Contact with service users or customers may be necessary, depending on the circumstances.
- Testing
DORA requires comprehensive digital operational resilience testing of ICT tools, systems, methodologies, practices and processes. Independent parties must conduct testing of financial entity ICT. Critical ICT systems and applications should be tested by in-scope firms at least every 12 months. Some financial entities will be required to complete threat-led penetration testing no less than every three years.
- Sharing information
DORA will oblige financial entities to share cyber-threat-related information and intelligence.
- ICT third-party risk management
ICT third-party risk is a key part of the ICT risk management framework. Under DORA, ICT third-party service providers designated as "critical" will be subject to oversight by an ESA. Third-country critical ICT third-party providers must establish an EU subsidiary within 12 months of a "critical" designation to continue providing services within the EU. Contractual arrangements with ICT third parties will be important in this context.
Conclusion
Regulated firms in Ireland have followed the Irish Central Bank (and, where relevant, European Central Bank) guidance on outsourcing and/or operational resilience for some time. Many DORA requirements already feature in the risk-related frameworks of Irish-regulated firms. Nonetheless, for financial entities DORA will capture, we recommend conducting a scoping exercise and gap analysis against existing processes and practices (e.g. governance and control frameworks, risk policies, processes, procedures and ICT service provider contractual arrangements) to prepare for its implementation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.