Executive Summary
- The EU Digital Operational Resilience Act
("DORA") entered into force in January 16, 2023, setting
forth security requirements for network and information
systems of organizations operating in the financial
sector;
- Obligations under DORA are to be further detailed by
Regulatory Technical Standards ("RTS")
and Implementing Technical Standards
("ITS"), aimed at harmonizing
requirements and facilitating
implementation;
- On June 19, 2023, the European Supervisory Authorities
("ESAs")1 published the first batch of drafts on RTS and
ITS under DORA, providing detail to certain obligations
around:
- ICT security tools, policies and
procedures;
- Policies on the use of third-party ICT
services concerning critical or important functions;
- Criteria for the classification of
ICT-related incidents; and
- Register of agreements with third-party ICT service
providers.
- The drafts will be open to public consultation
until September 11, 2023. The ESAs shall submit these draft
technical standards to the European Commission
("Commission") by January 17, 2024 for
adoption by the Commission.
- DORA will apply from January 17, 2025, and compliance must consider the content of the RTS and ITS.
Background
DORA enhances security requirements for network and information systems of organizations operating in the financial sector. Under DORA, ICT stands for information and communication technology. A key notion under DORA is ICT risk, which relates broadly to risks arising in relation to the use of network and information systems.
DORA applies to a large range of financial entities, including credit and payment institutions, electronic money institutions, investment firms, alternative investment funds managers, insurance undertakings, amongst others. It also directly applies to companies considered a critical ICT third-party providers, as well as indirectly to ICT third-party providers supplying in-scope entities. DORA creates many obligations for in-scope entities, including in relation to:
- ICT Risk Management, Testing, and Incident
Handling: in-scope entities will need to implement a
series of measures and policies in order to be compliant with DORA,
in particular regarding ICT security tools, policies and
procedures, cybersecurity governance and asset inventory, business
continuity, incident handling, backup and testing policies,
trainings, among others;
- Governance obligations: in-scope entities will
need to have a control function for ICT risk and management bodies
will have direct obligations with regard to the
approval and oversight of the cybersecurity program;
- ICT Third-Party Risk Management: building on existing guidance from EBA, ESMA and EIOPA, in-scope entities will be required to review or implement certain key documents and processes, such as a policy on the use of third-party ICT services concerning critical or important functions, a register of contracts with third-party ICT service providers, third-party due diligence, policies or playbooks regarding contractual requirements with third-party ICT service providers and an assessment of ICT concentration risk, among others.
What's New
On June 19, 2023, the European Supervisory Authorities ("ESAs")2 published the first batch of drafts on technical standards under DORA, providing details on certain obligations created by the new regime, including:
|
Obligation under DORA
|
Specifications under draft technical standards
|
ICT Risk Management
Under DORA, financial entities are required to enhance, design and implement ICT security tools, policies and procedures in line with industry standards.
|
Draft RTS requires the ICT risk management framework to, among other topics:
|
ICT Third-Party Risk Management
Under DORA, financial entities are required to manage risks in connection with providers of ICT-related services. This includes:
|
Draft RTS requires the policy on ICT services to, among other topics:
|
Draft ITS proposes a template for registering information under different contractual forms, with explanations and instructions for completion.
|
Incident Handling
Under DORA, financial entities are required to report major ICT-related incidents to their supervising competent authority.
|
Draft RTS sets out materiality thresholds for classifying incidents as "major". The threshold is met when at least two primary criteria or one primary criterion and two secondary criteria are met:
The criteria proposed are qualitative and binary (i.e. a yes/no answer).
Next Steps
The draft technical standards are open to public consultation until September 11, 2023. The ESAs shall submit these draft technical standards to the Commission by January 17, 2024 for adoption by the Commission.
Additionally, the ESAS shall propose a second batch of technical standards specifying the content of further obligations under DORA. This second batch shall be submitted to the Commission by July 17, 2024 and cover the following aspects:
- Threat-Led Penetration Testing: competent
authorities may identify certain financial institutions as
requiring thread-led penetration testing, the requirements of which
will be defined in RTS;
- Content and Timeline of Incident Reporting:
standards shall define the elements to be incorporated in the
report and the time limits for the initial notification and
follow-up reports;
- Subcontracting of critical or important functions: standards shall specify the elements a financial entity needs to assess when subcontracting ICT services supporting critical or important functions.
What Businesses Should Be Doing Now
The deadlines established in DORA for adoption of relevant standards will leave entities directly and indirectly under scope limited time (one year, at most) to ensure compliance. In-scope entities could benefit from early compliance efforts, such as examining processes and policies in place and conducting a gap assessment in view of the requirements established in DORA and the draft technical standards.
Footnote
Originally published 14 July 2023
