DORA proposal – the next big step for EU cybersecurity in the financial sector. How does it impact market players?

Considering the increasing impact of, and dependency on, technology in the financial sector, the EU Commission sets out an ambitious approach for strengthening and harmonizing the digital operational resilience framework.

DORA, part of the Digital Finance Package, goes beyond the NIS Directive and covers a wide range of financial entities, aiming to:

  • ensure the financial sector can mitigate new risks arising from ICT and digitalization;
  • introduce new requirements such as digital testing, management of ICT third-party risks, oversight of critical ICT third-party service providers;
  • allow financial entities to set up arrangements to exchange cyber threat information and intelligence.

Background

While many stakeholders focus on the key components of the new EU Cybersecurity Strategy, including the proposed Directive on measures for a high common level of cybersecurity across the Union (NIS II) and the proposed Directive on the resilience of critical entities, less attention is given to the Digital Finance Package, under which the Commission aims to set out a new, ambitious approach to encourage responsible innovation to benefit consumers and businesses.

Although the Digital Finance Package includes several landmark proposals (e.g. a proposal for a regulation on markets in crypto-assets and a proposal for a regulation on a pilot regime for distributed ledger technology (DLT) market infrastructure), the proposal for a Regulation on digital operational resilience for the financial sector (DORA) is notably an important milestone for achieving better stability of the EU financial system.

The Network and Information Security ("NIS") Directive was the first piece of EU-wide legislation on cybersecurity and represents the current framework providing legal measures to boost the overall level of cybersecurity. NIS has, however, shown its limitations in this digital area.

It is true that the NIS Directive provides general requirements for the security of network and information systems across sectors, including for some operators in the financial sector. Nonetheless, the EU financial services regulatory landscape also includes provisions tackling the Information and Communication Technology ("ICT") and security risk components, in particular for financial market infrastructures, which apply rules far more demanding than those laid down in the NIS Directive. In other parts of the financial sector acquis, rules on ICT and security risk are more general or even non-existent.

Because technology companies have become a central component of the financial sector, making the financial services sector a prime target for cyberattacks such as hacking, ransomware and identity theft, DORA aims to support the development of digital finance while ensuring that all participants in the financial system have the necessary safeguards to mitigate cyberattacks.

Entities covered by DORA

DORA will apply to a wide range of financial entities regulated at Union level, namely credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, issuers of crypto-assets, issuers of asset-referenced tokens and issuers of significant asset-referenced tokens, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks, crowdfunding service providers, securities repositories and ICT third-party service providers.

New requirements

ICT risks are broadly defined as any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialized, may compromise the security of the network and information systems, of any technology-dependent tool or process, of the operation and process’ running, or of the provision of services.

DORA establishes, inter alia, requirements applicable to financial institutions regarding:

  • internal governance and control frameworks for financial entities – to ensure effective and prudent management of all ICT risks, the management body has the obligation to define, approve, oversee and be accountable for the implementation of all arrangements related to the ICT risk management framework;
  • management of ICT risks – in order to keep pace with the rapidly evolving cyber threat landscape, financial entities are required to have a sound, comprehensive and well-documented ICT risk management framework, which must be reviewed at least once a year as well as upon occurrence of major ICT-related incidents. Financial entities shall have and maintain updated ICT systems, protocols and tools, develop backup policies and recovery methods, put in place a dedicated and comprehensive ICT Business Continuity Policy, and implement mechanisms to promptly detect anomalous activities;
  • ICT-related incident reporting – one main requirement for financial institutions is to establish and implement a management process to monitor and log ICT incidents; these incidents are then classified, and only major ICT-related incidents are reported to the competent authorities;
  • digital operational resilience testing – financial entities shall establish, maintain and review, with due consideration to their size, business and risk profiles, a sound and comprehensive digital operational resilience testing programme, with significant entities being required to conduct advanced testing. Financial entities shall ensure that tests are undertaken by independent parties, whether internal or external;
  • ICT third-party risk – in order to ensure sound monitoring of ICT third-party risk, financial entities shall be required to observe several key elements in their relationship with ICT third-party providers, while remaining fully responsible for complying with and discharging all obligations. To this end, contracts that govern this relationship will be required to include at least a complete description of services, an indication of the locations where data are to be processed, full service level descriptions accompanied by quantitative and qualitative performance targets, relevant provisions on accessibility, availability, integrity, security and protection of personal data, inspection and audit by the financial entity or an appointed third party, clear termination rights and dedicated exit strategies, among others. Notably, critical ICT third-party service providers shall also be subject to an oversight framework by ESA, to ensure that such service providers are adequately monitored. They are also subject to stricter obligations, including to keep suitable risk management procedures, to permit general investigations of their contracts and policies, and to facilitate on-site inspections by the lead overseer, and may even be restricted from entering into further subcontracting arrangements. The lead overseer may impose a periodic penalty payment to compel critical ICT third-party service providers to comply with certain obligations, for a maximum period of 6 months, in the amount of 1% of the average daily worldwide turnover in the preceding business year;
  • information sharing – financial entities are allowed to set up arrangements to exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools. Notably, this must be done by financial institutions through information-sharing arrangements that protect the potentially sensitive nature of the information shared, and that are governed by rules of conduct in full respect of business confidentiality, protection of personal data and guidelines on competition policy.

Next steps

The DORA legislative proposal is under assessment by the European Parliament and the Council of the EU, both legislators being able to introduce additional amendments; once adopted, it will be directly applicable in the EU Member States.