• 1000

In September 2020 the European Commission proposed an entirely new regulatory framework for digital risk management for financial entities and certain ICT service providers. The proposal for a Regulation on digital operational resilience for the financial sector, also known as the Digital Operational Resilience Act or DORA, aims to improve ICT risk management in finance.

In contrast to other EU legislation in the field of cybersecurity (most notably the GDPR and NIS), DORA is not a principle-based piece of legislation but contains detailed lists of requirements designed to boost operational and security capabilities of financial entities. Although DORA builds upon previous EU and Member State legislation, supervisory authority guidance and well-known international security and ICT risk management standards, DORA represents the first attempt to harmonise qualitative requirements on ICT risk management at an EU-level.

Who does DORA apply to?

As one of the main goals of the Regulation is to harmonize the rules on ICT risk management, DORA’s scope of application is very broad. It covers all financial actors from credit institutions to AIFMs, payment institutions, insurance companies and statutory auditors, you name it. 

Notably, DORA would also regulate critical third-party ICT providers. According to the proposal, critical ICT service providers will each have a Lead Overseer (either EBA, ESMA or EIOPA) supervising the provider’s procedures and arrangements to manage the ICT risks they could pose to financial actors. The powers of the Lead Overseer would range from asking for information to conducting investigations, to imposing periodic penalty payments on service providers. The proposed oversight framework is further tasked with supervising ICT concentration risk across the financial sector.

Financial entities regulated under DORA

Credit institutions
Payment institutions and electronic money institutions
Investment firms
Crypto-asset service providers
Central securities depositories
Central counterparties
Trading venues and trade repositories
AIFMs and management companies
Data reporting service providers
Insurance and reinsurance undertakings and intermediaries
Institutions for occupational retirement pensions
Credit rating agencies
Statutory auditors and audit firms
Administrators of critical benchmarks
Crowdfunding service providers
Securitisation repositories

What are some of the key obligations under DORA?

DORA sets out a comprehensive framework for managing risks associated with increased digitalisation of the financial sector. Requirements for financial entities are divided into the following areas of cyber security and operational resilience:

ICT Risk Management

The management body of the financial entity bears the final responsibility for managing ICT risk. To that effect DORA sets out a list of duties and obligations to which management is subject, including an explicit obligation on members of management to develop and maintain their knowledge of ICT risk.

Financial entities are further required to identify their ICT risk landscape and have in place a comprehensive ICT risk management framework guiding and steering all work relating to ICT risk management. Financial entities other than microenterprises are required to implement an internationally recognized information security management system. 

Classification and Reporting of ICT-related Incidents

Financial entities are required to put in place an ICT-related incident management process and develop capabilities to monitor, handle and follow-up on such incidents.

Incidents are to be classified according to factors outlined in the proposal, such as the geographical spread of the incident, the criticality of the services effected and the duration of the incident. Major incidents must be reported to the relevant competent authority in line with a three-tiered process set out in the proposal.

Digital Operational Resilience Testing

DORA outlines an obligation to implement a proportional and risk-based digital operational resilience testing programme. The programme must provide for the execution of a full range of appropriate tests, such as vulnerability assessments and scans, open source analyses and network security assessments. 

Critical ICT systems and applications must be tested annually, and certain financial entities are required to carry out so-called advanced threat led penetration testing once every three years.

Information and Intelligence Sharing between Financial Entities

Financial entities may share with each other cyber threat information and intelligence, provided such exchange of information aims at enhancing the digital operational resilience of financial entities, takes place within trusted communities and is carried out in accordance with applicable legislation (e.g. data protection, trade secrets and competition).

Vendor Management

ICT third-party risk is considered an integral component of the ICT risk management framework. Financial entities are therefore required to adopt and regularly review a strategy on ICT third-party risk and to maintain a Register of Information outlining all contractual arrangements with ICT third-party service providers.

The proposal also sets out key steps for procuring new ICT services, requirements for ending them and specific contractual provisions to be included in contracts with ICT third-party service providers. It further requires financial entities to perform ICT concentration risk assessments before entering into new contractual arrangements. 

Examples of documents to be included in the ICT risk management framework

Digital resilience strategy
Information security policy
Policies on access management
Policies on ICT change management
Policies for ”patches and updates”
ICT multi-vendor strategy
Strategy on ICT third-party risk
ICT Business Continuity Policy
ICT Disaster Recovery Plan
Backup policy
Communication plans enabling responsible disclosure of ICT-related incidents or major vulnerabilities
Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers

Contact us

How can we help?

Although DORA is yet only a proposal, financial entities are advised to start familiarising themselves with the vast range of proposed requirements. Some of the requirements will not pose major changes to current frameworks and arrangements whereas others will require a lot of time, coordination, and effort from very different professionals within organisations.

We at KPMG frequently provide cross-professional advice in the field of ICT risk management, cyber security and data protection and are used to bringing together different stakeholders in our client organisations. Please reach out to us if you’re interested in hearing more.  

Armida Rantanen

Legal counsel

+358 44 363 3313

Anna Rossi

Legal counsel

+358 40 578 5138

Eeva Rakkolainen

Legal counsel

+358 50 544 4325