The Digital Operational Resilience Act (DORA): Strengthening Resilience in the EU Financial Sector
The Digital Operational Resilience Act (DORA) is a significant regulatory development in the European Union (EU) that aims to enhance the digital resilience of financial services firms. This regulation, which is expected to be finalized soon, will have far-reaching implications for financial institutions operating within the EU. DORA seeks to consolidate and upgrade information and communications technology (ICT) risk requirements, ensuring that all participants in the financial system adhere to a common set of standards to mitigate ICT risks and strengthen operational resilience.
In this article, we will delve into the key aspects of DORA and its impact on the financial sector. We will explore the four domains covered by the regulation, namely ICT risk management and governance, incident response and reporting, resilience testing, and third-party risk management. Additionally, we will discuss the importance of information sharing and the proportionate enforcement of requirements. Let's dive in!
ICT Risk Management and Governance
One of the fundamental pillars of DORA is the establishment of robust ICT risk management and governance frameworks within financial entities. The regulation places the responsibility for ICT risk management on the management body, including board members, executive leaders, and senior managers. These individuals are expected to define effective risk management strategies, actively participate in their execution, and stay abreast of the evolving ICT risk landscape.
Financial entities will be required to develop comprehensive ICT risk management frameworks that encompass several elements. These include mapping their ICT systems, identifying and classifying critical assets and functions, and documenting dependencies between assets, systems, processes, and providers. Continuous risk assessments, documentation of cyber threats, and steps to mitigate identified risks will also be essential. Entities must further implement appropriate cybersecurity measures, including policies and technical controls, to protect their ICT infrastructure.
Additionally, financial entities will need to establish robust business continuity and disaster recovery plans to ensure the resilience of their ICT systems. These plans should include measures for data backup and recovery, system restoration, and communication with affected stakeholders. The regulation will provide further guidance on the required elements of an entity's risk management framework through Regulatory Technical Standards (RTSs).
Incident Response and Reporting
DORA emphasizes the importance of incident response and reporting in mitigating the impact of ICT-related incidents. Financial entities will be required to establish systems for monitoring, managing, logging, classifying, and reporting such incidents. The severity of the incident will determine the reporting requirements, which may include notifications to regulators and affected clients and partners.
Entities will need to file three types of reports for critical incidents: an initial report notifying authorities, an intermediate report on progress towards resolving the incident, and a final report analyzing the root causes. The regulation will provide guidelines on incident classification, reporting thresholds, and reporting timelines. Efforts are also underway to establish a central hub and common report templates to streamline reporting across the EU.
Information sharing is encouraged, but not mandatory, under DORA: financial entities may participate in voluntary threat intelligence sharing arrangements. Any shared information must, however, comply with relevant data protection rules, such as the General Data Protection Regulation (GDPR).
Resilience Testing
To enhance operational resilience, financial entities will be required to conduct regular resilience testing of their ICT systems. These tests aim to evaluate the strength of existing protections and identify vulnerabilities. Basic tests, such as vulnerability assessments and scenario-based testing, will be conducted annually. Entities deemed critical to the financial system will additionally undergo advanced testing, including threat-led penetration testing (TLPT), every three years.
The European Supervisory Authorities (ESAs) will develop Regulatory Technical Standards (RTSs) outlining the methodologies and requirements for these tests. In the interim, financial entities can refer to frameworks such as the Threat Intelligence-Based Ethical Red-Teaming (TIBER-EU) framework for guidance. The results of resilience testing and plans for addressing identified weaknesses will be reported to and validated by the relevant competent authorities.
Third-Party Risk Management
DORA extends its scope beyond financial entities to include critical ICT third-party service providers. Financial entities are expected to play an active role in managing third-party ICT risks when outsourcing critical and important functions. Contractual arrangements with third-party providers must include provisions for exit strategies, audits, and performance targets related to accessibility, integrity, and security.
Entities will be prohibited from entering into contracts with ICT providers who fail to meet these requirements. The European Commission is exploring the possibility of standardizing contractual clauses to ensure compliance with DORA. Financial institutions will also need to map their third-party dependencies and avoid excessive concentration of critical functions with a single provider or small group of providers.
Critical ICT third-party service providers will be subject to direct oversight by the relevant ESAs. The Lead Overseer, assigned by one of the ESAs, will be responsible for supervising these providers. This oversight mechanism will extend the regulatory perimeter to include non-financial firms, such as cloud service providers, ensuring that they meet the requirements set forth by DORA.
Information Sharing and Proportionate Enforcement
While DORA encourages information sharing among financial entities, it is not mandatory. Financial institutions are encouraged to participate in voluntary threat intelligence sharing arrangements to enhance their collective resilience. However, any shared information must comply with data protection regulations, ensuring the privacy and security of sensitive data.
DORA adopts a proportionate enforcement approach, taking into account the size and complexity of financial entities. Smaller entities will not be subject to the same stringent requirements as major financial institutions. This approach aims to strike a balance between fostering resilience and avoiding undue burden on smaller entities.
The Digital Operational Resilience Act (DORA) represents a significant step towards enhancing the digital resilience of the EU financial sector. By consolidating and upgrading ICT risk requirements, DORA ensures that financial entities have robust frameworks in place to mitigate ICT risks and strengthen their operational resilience. The regulation covers key domains such as ICT risk management, incident response and reporting, resilience testing, and third-party risk management.
Financial entities must prioritize the development of comprehensive ICT risk management frameworks, establish effective incident response and reporting systems, conduct regular resilience testing, and actively manage third-party ICT risks. The regulation promotes information sharing and encourages a proportionate enforcement approach to ensure the resilience of the financial sector while considering the specific characteristics of each entity.