DORA – Enhancing digital resilience for the financial sector and its ICT service providers is more important than ever
Nicole Wolters Ruckert
Catherine Di Lorenzo
David van Boven
11 May 2021
ICT requirements in the financial sector are not entirely new, but DORA offers a higher level of harmonisation of ICT requirements (in particular by consolidating in one text the requirements applicable to all actors of the financial sector in the wider sense) and, to a certain extent, a higher level of regulatory intrusion than the currently existing requirements.
In this article we set out: (i) why supervisory authorities stress the importance of cyber security in the financial sector, (ii) current ICT requirements, (iii) the DORA requirements, and (iv) how your organisation can prepare for DORA.
Increased regulatory attention to cyber risks in the financial sector
The necessity of digital operational resilience in the financial sector is highlighted by the fact that the financial sector has been in the top three sectors with the most personal data breaches each year since 2016, according to the Dutch data protection authority (the Dutch DPA) annual reports.
Highlighting the need for digital resilience in the financial sector, several authorities have drawn attention to the heightened cybersecurity risks during the Covid-19 pandemic. The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) published a report on the exacerbated risks and vulnerabilities in the EU financial system. According to the Financial Stability Board, cyber incidents pose a threat to the stability of the global financial system, and the remote working environments adopted in light of the Covid-19 pandemic have heightened the need for attention. DORA does not specifically refer to Covid-19, but it does cite the generally increased reliance on technology and the systemic cyber risks of the financial sector as reasons for the proposal.
Cybersecurity as a regulatory issue for the financial sector
DORA will not be the first EU-wide legislation to address cybersecurity concerns. For instance, the Directive on Security of Network and Information Systems (the NIS Directive), adopted in 2016, aims to enhance cybersecurity across the EU and across several sectors and includes an incident reporting obligation. However, because the NIS Directive is based on minimum harmonisation, EU Member States have transposed it differently, including with regard to the thresholds that trigger the reporting obligation. Furthermore, the Payment Services Directive II (PSDII) contains an obligation to report major operational or security incidents.
In addition, ICT requirements specific to the financial sector already exist, but they are narrower in scope and only apply to certain regulated entities. For instance, the EBA Guidelines on outsourcing arrangements (the EBA Outsourcing Guidelines) and the EBA Guidelines on ICT and security risk management (the ICT Guidelines) cover, among other things, banks and include the competent authority’s right to audit and inspect.
DORA: an uplift of ICT risk management across the financial sector
The scope of DORA is broad and includes, but is not limited to, banks, crypto-asset service providers, payment institutions, investment firms, insurance undertakings and, importantly, ICT third-party service providers.
DORA sets out a wide range of requirements. The most important are:
- ICT risk management requirements, such as implementing a sound, comprehensive and well documented ICT risk management framework. DORA provides for more formalisation and more detailed requirements than the ICT Guidelines but the principles remain, generally speaking, the same. Financial entities will therefore only have to review and upgrade their existing framework.
As regards the notification of incidents, DORA also provides more detailed guidance than the EBA Guidelines on the notification of major operational or security incidents under PSDII. DORA’s requirements include (i) a segregation of duties within ICT management functions and (ii) monitoring and logging of ICT-related incidents, focusing on identifying, classifying and reporting cyber threats. The latter includes direct requirements to notify major ICT incidents to the competent authority on the same business day or within four hours from the beginning of the next business day, and to submit to the competent authority an intermediate report, regular updates where relevant, and a final report on the incident within one month from the initial notification at the latest.
- ICT risk testing requirements, including mandatory risk-based testing and regular audits of ICT systems, a range of assessment requirements for the tests, and qualitative requirements on the testers. Note that enhanced requirements apply to significant financial entities.
- ICT third-party risk management requirements, including: (i) adopting an updated strategy on ICT third-party risks, (ii) pre-contractual assessments of ICT third-party service providers, (iii) mandatory contractual provisions such as audit and inspection rights, and (iv) a requirement to terminate ICT third-party service contracts if certain conditions are met, including where the competent authority can no longer effectively supervise the entity as a result of the contractual arrangement. The responsibility to proportionately assess ICT third parties rests on financial entities. Financial entities will not be permitted to use an ICT third-party service provider established in a third country that could be designated as a critical ICT third party. In this respect, financial entities are required to perform due diligence on ICT third-party service providers (this review includes a General Data Protection Regulation (GDPR) assessment of third parties, such as the location of data processing services). In addition, a register of information on all contractual arrangements with third parties needs to be maintained, as this is also a key element. The required contractual provisions may become similar to the Commission’s standard contractual clauses under the GDPR, and are largely aligned with what can already be found in the EBA Outsourcing Guidelines.
- The establishment of a pan-EU oversight regime for critical ICT providers to the financial sector (the Oversight Framework). The competent authorities will annually designate critical ICT third parties. A designated lead overseer (which may be EBA, ESMA or EIOPA) can request information from the critical ICT third-party provider. Significantly, competent authorities will be able to impose fines on ICT third parties for non-compliance and will be able to carry out on-site inspections. In effect, certain ICT service providers will become regulated entities. Even ICT service providers that are not designated may be affected, because they will have to adapt their contracting or service provision. Lastly, competent authorities may require financial entities to suspend use of services provided by a critical third-party service provider until risks identified by the lead overseer have been addressed, and may even ask them to terminate the relevant contractual arrangements with a critical third-party service provider.
How to prepare for DORA
Even though DORA is still a proposal, the above-mentioned requirements will form the basis of the adopted text. DORA is in an advanced form and, since it consolidates existing requirements for most of its provisions, one may expect few amendments between the proposal and the final text. However, the impact of DORA will vary between sectors. For instance, the banking sector will be more familiar with the requirements, since the NIS Directive, PSDII and the EBA Outsourcing Guidelines have already formulated similar requirements, such as incident reporting requirements and outsourcing requirements. The NIS Directive remains in effect and remains relevant for the financial sector; DORA is a lex specialis. It is important to prepare for DORA now, as this will allow compliance to be built in time. We recommend the following:
- assess how ICT risk management is currently organised within your organisation and, if needed, consider prioritising ICT risk management;
- perform gap analyses of current ICT risk management, for instance whether the existing testing programme has the relevant components of the ICT risk management framework set out by DORA;
- implement what is missing based on the gap analyses; and
- review the tools already available under current legislation.
Schematically, the DORA requirements are set out as below:
ICT risk management
- Purpose: Establish appropriate processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents
- Requirements: A sound, comprehensive and well documented ICT risk management framework
- Impact: Financial entities directly, but indirectly impacts ICT third-party service providers
ICT risk testing
- Purpose: Assess preparedness for ICT-related incidents (appropriate notification procedures and channels for notification to the competent authority must be in place) and identify deficiencies or gaps in digital operational resilience.
- Requirements: A range of assessments and tests.
- Impact: Financial entities directly, but indirectly impacts ICT third-party service providers.
ICT third-party risk management
- Purpose: Manage ICT third-party risk as an integral component of ICT risk within the ICT risk management framework.
- Requirements: A third-party risk management strategy (including due diligence of third parties and contractual requirements).
- Impact: Financial entities directly, but indirectly impacts ICT third-party service providers.
ICT third-party oversight regime
- Purpose: Assess whether critical ICT third-party service providers have in place comprehensive and sound arrangements to manage the ICT risks they may pose on financial entities
- Requirements: Critical ICT third-party service providers to provide information on request to the lead overseer and follow the latter’s recommendations. Suspension of services by financial entities if risks are identified in respect of an ICT third-party service provider they rely on
- Impact: Critical ICT third-party service providers directly but indirectly impacts financial entities (direct impact for the prohibition to use critical ICT third-party providers established outside the EU).