In September 2020 the European Commission proposed an entirely new regulatory framework for digital risk management for financial entities and certain ICT service providers. The proposal for a Regulation on digital operational resilience for the financial sector, also known as the Digital Operational Resilience Act or DORA, aims to improve ICT risk management in finance.
In contrast to other EU legislation in the field of cybersecurity (most notably the GDPR and the NIS Directive), DORA is not a principle-based piece of legislation but contains detailed lists of requirements designed to boost the operational and security capabilities of financial entities. Although it builds upon previous EU and Member State legislation, supervisory authority guidance and well-known international security and ICT risk management standards, DORA represents the first attempt to harmonise qualitative requirements on ICT risk management at EU level.
Who does DORA apply to?
As one of the main goals of the Regulation is to harmonise the rules on ICT risk management, DORA's scope of application is very broad. It covers practically all financial actors, from credit institutions and payment institutions to AIFMs, insurance undertakings and statutory auditors.
Notably, DORA would also regulate critical ICT third-party service providers. According to the proposal, each critical ICT third-party service provider will be assigned a Lead Overseer (either the EBA, ESMA or EIOPA) supervising the provider's procedures and arrangements for managing the ICT risks it could pose to financial entities. The powers of the Lead Overseer would range from requesting information and conducting investigations to imposing periodic penalty payments on the service provider. The proposed oversight framework is further tasked with monitoring ICT concentration risk across the financial sector.
| Financial entities regulated under DORA (examples) |
|---|
| Credit institutions |
| Payment institutions and electronic money institutions |
| Crypto-asset service providers |
| Central securities depositories |
| Trading venues and trade repositories |
| AIFMs and management companies |
| Data reporting service providers |
| Insurance and reinsurance undertakings and intermediaries |
| Institutions for occupational retirement pensions |
| Credit rating agencies |
| Statutory auditors and audit firms |
| Administrators of critical benchmarks |
| Crowdfunding service providers |
What are some of the key obligations under DORA?
DORA sets out a comprehensive framework for managing the risks associated with the increasing digitalisation of the financial sector. The requirements for financial entities are divided into the following areas of cyber security and operational resilience:
ICT Risk Management
The management body of the financial entity bears the ultimate responsibility for managing ICT risk. To that effect DORA sets out a list of duties and obligations to which management is subject, including an explicit obligation on the members of the management body to develop and maintain their knowledge of ICT risk.
Financial entities are further required to identify their ICT risk landscape and to have in place a comprehensive ICT risk management framework guiding and steering all work relating to ICT risk management. Financial entities other than microenterprises are required to implement an information security management system based on recognised international standards.
Classification and Reporting of ICT-related Incidents
Financial entities are required to put in place an ICT-related incident management process and to develop the capabilities to detect, monitor, handle and follow up on such incidents.
Incidents are to be classified according to criteria outlined in the proposal, such as the geographical spread of the incident, the criticality of the services affected and the duration of the incident. Major incidents must be reported to the relevant competent authority in line with the three-tiered process set out in the proposal: an initial notification, an intermediate report and a final report.
Digital Operational Resilience Testing
DORA imposes an obligation to implement a proportionate, risk-based digital operational resilience testing programme. The programme must provide for the execution of a full range of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments and penetration testing.
All critical ICT systems and applications must be tested at least annually, and certain financial entities are additionally required to carry out advanced threat-led penetration testing (TLPT) at least once every three years.
Information and Intelligence Sharing between Financial Entities
Financial entities may exchange cyber threat information and intelligence with each other, provided that the exchange aims at enhancing the digital operational resilience of financial entities, takes place within trusted communities and is carried out in accordance with applicable legislation (e.g. data protection, trade secrets and competition law).
Management of ICT Third-Party Risk
ICT third-party risk is treated as an integral component of the ICT risk management framework. Financial entities are therefore required to adopt and regularly review a strategy on ICT third-party risk and to maintain a Register of Information covering all contractual arrangements with ICT third-party service providers.
The proposal also sets out key steps for procuring new ICT services, requirements for terminating such arrangements and specific contractual provisions to be included in contracts with ICT third-party service providers. It further requires financial entities to assess ICT concentration risk before entering into new contractual arrangements.
| Examples of documents to be included in the ICT risk management framework |
|---|
| Digital resilience strategy |
| Information security policy |
| Policies on access management |
| Policies on ICT change management |
| Policies for "patches and updates" |
| ICT multi-vendor strategy |
| Strategy on ICT third-party risk |
| ICT Business Continuity Policy |
| ICT Disaster Recovery Plan |
| Communication plans enabling responsible disclosure of ICT-related incidents or major vulnerabilities |
| Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers |
How can we help?
Although DORA is still only a proposal, financial entities are advised to start familiarising themselves with the wide range of proposed requirements. Some of the requirements will not require major changes to current frameworks and arrangements, whereas others will demand considerable time, coordination and effort from professionals across very different parts of the organisation.
We at KPMG frequently provide cross-professional advice in the fields of ICT risk management, cyber security and data protection and are used to bringing together different stakeholders in our client organisations. Please reach out to us if you are interested in hearing more.