On September 24, 2020, the European Commission published its draft Digital Operational Resilience Act (DORA). The new rules, passed on November 10, 2022 by the European Parliament, harmonize and strengthen digital operational resilience requirements for the EU financial services industry.
This legislative proposal builds on information and communication technology (ICT) risk management requirements already developed by other EU institutions and consolidates several recent EU initiatives into one regulation. DORA aims to establish a much clearer basis for EU financial regulators and supervisors to broaden their scope of action in ensuring not only that companies remain financially resilient, but also that they are able to maintain resilient operations in the event of a severe operational disruption.
This article outlines the most important aspects of DORA, and the practical implications these reforms will have for businesses. These aspects include:
- Bringing “critical third-party ICT providers,” including cloud service providers (CSPs), into the regulatory perimeter. These would be supervised by one of the European Supervisory Authorities (ESAs), which would have the power to request information, conduct off-site and on-site inspections, issue recommendations and requests, and impose fines in certain circumstances.
- Harmonizing local rules across the EU by setting European standards for digital operational resilience testing, while excluding automatic cross-border recognition of threat-led penetration testing (TLPT) for now.
- Harmonize rules for ICT risk management in the financial services sectors, based on existing guidelines.
- Harmonize the classification and reporting of ICT incidents and pave the way for the creation of a single European center for the reporting of major ICT incidents by financial institutions.
The DORA proposal comes at a time when regulators around the world are taking a closer look at how they can strengthen the operational resilience of the financial sector and its constituent firms.
Based on the current text, we believe that companies should consider the following actions:
- Third-party ICT service providers will need to assess whether they are considered “critical.” Those that are may need to establish new regulatory teams and analyze how they can best comply with the developing oversight framework.
- Larger companies should closely monitor the ESAs, which will specify the criteria determining which companies must perform TLPTs. Those newly entering the scope will need to develop a strategy to make the most of these advanced tests.
- Large companies will already be implementing many of the DORA requirements for ICT risk management, but they need to assess whether their response and recovery strategies and plans adequately address the expanded rules in these areas.
- All companies will need to develop or modify their incident reporting processes in accordance with the new rules. Companies may want to consider aligning them with their internal reporting processes to optimize resource allocation.
I. Critical third-party service providers are brought into the regulatory perimeter, with expanded powers for supervisors (ESAs)
Regulators have been thinking for some time about how to manage the growing exposure of financial services (FS) to third-party service providers. The legislation passed will allow third-party ICT providers such as CSPs to be designated as “critical” based on criteria such as the number and systemic nature of the financial entities that rely on the provider and the degree to which the provider can be substituted. Once a provider is designated as critical, its oversight will be handled by one of the ESAs, which can conduct on-site and off-site inspections, issue recommendations, and, most importantly, impose fines of up to 1% of daily global revenue for non-compliance or require financial sector firms to terminate their agreement with the critical third-party service provider.
Most financial services firms will welcome the introduction of a monitoring framework, as it will provide them with greater legal certainty as to what is allowed, as well as a level of assurance as to the security of their cloud assets. Overall, this will likely increase companies’ confidence and willingness to move some of their business to the cloud, aided by the Commission’s development of voluntary standard contractual clauses. However, businesses may have to navigate potentially complex location rules, as EU companies will not be allowed to use the services of a third-party service provider that is not “established” (meaning it has no commercial presence) in the EU but would be considered critical if it were.
The framework for oversight of critical third-party service providers does not, however, remove or reduce financial services firms’ own regulatory responsibilities with respect to third-party service providers. The DORA contains – in line with existing EBA and EIOPA guidelines – third-party risk management requirements for firms using third-party ICT service providers, including audit rights and mandatory contractual clauses.
II. Digital operational resilience testing: an EU-wide approach that could help companies optimize costs
Threat-led penetration testing (TLPT) frameworks have been developed at the national level for a number of years, and are already mandatory at the EU level for certain types of financial market infrastructures. DORA expands this framework in two ways:
- First, the threshold criteria identifying the firms for which these tests become mandatory, together with the pan-European application of TLPTs, will likely increase the number of firms covered by mandatory, regular testing. The exact criteria will be specified by the ESAs in secondary legislation, but companies in countries that do not yet have TLPTs, or companies that were not covered by their jurisdiction’s TLPT, may now need to develop an approach (aligned with their ICT risk management frameworks). This will involve working with a third-party penetration tester, informing the board of how these tests are conducted (on live production systems, which requires careful planning and execution), and using these tests as part of a broader approach to risk management. It is important to note that the testing may require the participation of the companies’ third-party ICT service providers, which could make the exercise more complex.
- Second, it builds on the voluntary TIBER-EU framework developed by the ECB, which has introduced some cross-border recognition of tests, thereby reducing the need for cross-border firms to perform the same tests twice. DORA calls on the ESAs to develop standards and procedures for the mutual recognition of tests across EU member states. This could mean that, as long as TLPT tests are conducted according to a set of criteria (which will likely be very similar to the requirements contained in TIBER-EU), these tests could more easily be recognized by other EU supervisors in the jurisdictions where a firm operates, potentially avoiding the need for duplication. Firms that already conduct TLPTs and have operations in more than one EU jurisdiction will likely face relatively lower compliance costs in the future, and may eventually no longer need to rely on bilateral agreements for test recognition. For those companies already engaged in this activity, the testing function could be further centralized and optimized, and could ultimately become less complex to manage.
III. ICT incident reporting: simpler, more efficient?
Businesses have pointed to the recent proliferation of ICT incident reporting requirements, arguing that the multitude of requirements, deadlines, thresholds and associated fines for non-compliance can hinder their effective management of ICT incidents. DORA will alleviate some of these concerns, as it will harmonize the reporting templates, as well as the conditions triggering a reporting obligation, that financial sector firms will have to follow and provide to their national competent authorities (NCAs – which will be their financial sector supervisors). However, the regulation does not align with, or replace, certain other incident reporting requirements, such as those in the GDPR.
Eventually, the reporting obligation could shift from NCAs to a European hub, in order to streamline information collection and ensure greater supervisory convergence. Before that happens, however, companies will have to adapt to new EU reporting rules, including providing root cause analysis reports no later than one month after a major ICT incident occurs. Taken together, these measures will give EU regulators a better idea of the types of vulnerabilities that are most common in companies and possibly help them take additional action, using their expanded ICT management rules and powers.
IV. ICT risk management rules: a foundation for EU supervisors to build on
The simplified and strengthened rules for ICT risk management in companies emphasize the importance of board involvement. Building on existing guidelines, such as the European Banking Authority’s guidelines on ICT and security risks, the board will need to determine the appropriate tolerance for the risk and impact of ICT disruptions and review the company’s business continuity and disaster recovery plans.
ICT risk management requirements are organized around the following:
- Identifying business functions and the information assets that support them.
- Protecting these assets and preventing incidents that affect them.
- Detecting anomalous activities.
- Developing response and recovery strategies and plans, including communication to customers and stakeholders.
While the first three points are relatively familiar to most companies, even if implemented with varying degrees of maturity, the last one should focus minds. The European Commission, recognizing the importance of maintaining business services or functions and the financial sector’s increasing reliance on technology to manage them, will require companies to devote time and resources to developing ways to restore their critical functions in the event of a severe disruption. To do so, firms will need to think carefully about substitutability, including investing in backup and recovery systems, and assess whether – and how – certain critical functions can be performed by other systems or delivery methods while primary systems are checked and restored.