DORA – The picture is becoming clearer

July 2023

The Digital Operational Resilience Act (DORA), establishing the EU’s new regulatory framework for the management of digital risks in financial markets, entered into force in January 2023 and must be applied from 17 January 2025.

DORA aims to address increasing threats from cyberattacks¹ and the rising dependence of the financial industry on digital technology². It does so by creating a new holistic regulatory framework for digital and operational resilience, harmonising the EU’s current patchwork of financial regulations on information and communication technologies (ICT).

The scope of DORA is exceptionally broad. It covers banks, insurers and investment firms, but also payments, exchanges, market infrastructure, ratings agencies and other financial entities. In addition, it brings ICT Third Party Providers (ICT TPPs), such as cloud vendors, under the direct oversight of financial supervisors for the first time.

DORA will require many firms to make structural and strategic changes such as:

• Assigning the ultimate responsibility and accountability for digital operational resilience to the management body
• Defining strategies for digital operational resilience and for the use of multiple ICT Third Party Providers (ICT TPPs)
• Creating enhanced and harmonised frameworks for ICT risk governance and digital resilience and for the management of ICT TPPs
• Assigning the responsibility for managing and overseeing ICT risk to a control function in the 2^nd Line of Defence

Changes like these will call for effective coordination between departments, making strong senior leadership and a supportive culture vital to ensure consistency across the organisation.

The detailed implications of DORA are becoming increasingly clear, with the first major policy package launched for public consultation on 19 June 2023. It comprises the following four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS):

• A draft RTS on ICT risk management framework and a draft RTS on simplified ICT risk management framework
• A draft RTS on criteria for the classification of ICT-related incidents
• A draft ITS to establish the templates for the register of information
• A draft RTS to specify the policy on ICT services supporting critical or important functions performed by ICT TPPs

This package was developed by the Joint Committee of the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs). It builds on existing European and international standards, which should give many financial entities a head start on implementation.

1. ICT risk management

The draft RTS add colour to some of the requirements already identified in the DORA Chapter II, Section II. Instead of defining a complete ICT risk management framework, it provides more detailed information on some aspects in the areas of protection, prevention, detection, and response than those covered in the existing ESAs Guidelines. This gives financial entities a good idea of the adaptations they will need to make to the current frameworks. Only smaller financial entities can benefit from a simplified ICT risk management framework.

2. ICT-related incident reporting

The draft RTS propose criteria for classifying ICT-related incidents as well as a classification approach and materiality thresholds for determining major ICT-related incidents and significant cyber threats. To aid comparability, the draft RTS aim to make DORA’s new requirements as consistent as possible with existing incident reporting frameworks such as those of the Network and Information Security Directive 2 (NIS2) and the Payment Services Directive 2 (PSD2). That should help financial institutions to minimize adaptations to their existing ICT-related incident reporting.

3. ICT third party risk management

The draft ITS establish templates for the register of information, covering all contractual arrangements with ICT TPPs at individual, consolidated and sub-consolidated levels. Compared to the outsourcing guidelines from the ESA's, extended information requirements are required. This is likely to lead to some effort on the part of banks and other financial entities.

The draft RTS specify the content of the policy regarding the life cycle management of third-party arrangements for the use ICT services supporting critical or important functions. It was developed with an eye to existing outsourcing guidelines from the ESA's. This should help financial institutions that have already implemented existing guidelines to make the required changes.

DORA will make digital resilience a board-level priority. Senior executives need to respond with strong leadership and a strategic approach to digital resilience. True, the new rules follow a risk-based approach and will be applied proportionately. However, only the smallest firms will benefit from formal reductions in scope.

Firms should act now to begin analysing the necessary changes to their risk management activities.

• Adapting implementation plans that take the recently published policy package – and other upcoming technical standards – into account.
• Ensuring that ICT risk management framework fulfills requirements regarding policies, procedures, protocols and tools.
• Verifying that the incident reporting processes meet the required classification approach and materiality thresholds.
• Identifying responsibilities and reporting processes and set up appropriate data quality controls to meet the requirements of the register of information.
• Verifying whether a policy for managing contractual arrangements with ICT TPPs that support critical or important functions is in place, and whether it covers all phases of the life cycle.

Banks should also respond to the public consultation on the RTS and ITS (open until 11 September 2023), for example by commenting on the simplicity, clarity and proportionality of requirements. DORA represents a major change to European financial regulation; active engagement is critical.