The Digital Operational Resilience Act for Financial Services: Harmonised rules, broader scope of application

Share this post:

The Digital Operational Resilience Act – what and why

As part of the European Commission’s Digital Finance Package, the new Digital Operational Resilience Act, or in short DORA, will come into force in the coming period. The aim of DORA is to establish uniform requirements across the EU that improve the cybersecurity and operational resilience of all regulated European financial entities and of crucial third parties that provide these institutions with ICT-related services.

The need for introducing DORA seems obvious. Digital innovation in the financial service sector has really taken off in the last decade, accelerated by the rise of fintech companies. And subsequently the corona pandemic was also a catalyst for further digitization. The downside of this increasing use of digital services is that financial entities became more vulnerable to disruptions and cyberattacks. To underline this: the Dutch National Bank has indicated that more than 15% of the Dutch pension funds and insurers had suffered significant financial damage in 2021 from security incidents and data breaches. In addition, more than 5% of the institutions had to deal with a successful (!) cyber-attack during that period[1].

To countermanage this dependency regulations are already present on national and European level, but they show gaps and overlaps, with inconsistencies across locally implemented rules. To mention a few: EBA guidelines on outsourcing arrangements, Basel principles for operational resilience and the Network Information Security (NIS) directive.
With DORA, the EU aims to strengthen the resilience of the financial sector with specific and prescriptive requirements, applicable across all EU member states, without transposition in national laws. The harmonisation of requirements on ICT risk management will create a level playing field as the same rules will apply to every financial institution in the EU.

Scope: not only financial entities but also their third-party service providers

What is unique about DORA is that it does not only apply to financial entities, like banks, insurance companies, investment firms, stock exchanges, etc. For the first time, a group of non-financial service providers is also brought under the supervision of the financial supervisors, namely the so-called ICT third-party service providers. These organisations provide ICT-related services to the financial entities, like cloud computing services, software, data analytics services and data centres.

The Digital Operational Resilience Act – key pillars

The proposed Digital Operations Resilience Act is a regulation, consisting of 56 articles[2] and is structured around five key pillars:

1. ICT risk management requirements (Articles 5 to 14)
   Financial entities must have a sound, comprehensive, well-documented ICT risk management framework in place as part of their overall risk management system, including a business continuity policy and a disaster recovery procedure, to ensure a high level of digital operational resilience. This framework shall be reviewed at least yearly, as well as upon the occurrence of major ICT related incidents, and following conclusions derived from relevant digital operational resilience testing or audit processes.
   The management body of the financial entity shall approve, oversee and be accountable for the implementation of all arrangements related to the ICT risk management framework.
2. ICT-Related incidents management, classification and reporting (Articles 15 to 20)
   Financial entities must implement an ICT-related incident management process to detect, manage and notify ICT-related incidents, including early warning indicators as alerts. They must be able to classify the incidents and determine their impact based on a given list of criteria.
   As currently the reporting requirements are fragmented across the different member countries and authorities, DORA is aiming for a centralisation of the reporting and a harmonisation of the incident reporting content by standard templates.
   Note: in accordance with national and European sectoral legislation, the reporting obligations to the competent authorities may be outsourced to a third-party service provider.
3. Digital operational resilience testing (Articles 21 to 24)
   As an integral part of the ICT risk management framework, financial entities must establish a comprehensive digital operational resilience testing programme. This programme should be proportional to the institutions’ size, business, and risk profile.
   The financial entities shall ensure that all critical ICT systems and applications are tested at least yearly, undertaken by independent parties, whether internal or external.
   Advanced threat-led penetration testing, to cover the critical functions, should be executed at least every three years. DORA also has the specific provision that in case third-party service providers are involved, they should be part of the testing programme.
4. Managing of ICT third-party risk (Articles 25 to 39)
   According to DORA, ICT third-party risk and the strategy on this, is considered as an integral component within the ICT risk management framework of the financial entities, to be regularly reviewed. Furthermore, Dora provides minimum requirements that agreements with third parties must meet, with additional rules for outsourcing of so-called important or crucial functions.
   The so-called critical ICT third-party service providers will be brought under direct supervision of a Lead Overseer (one of the European financial supervisory authorities EBA, ESMA or EIOPA), supervising their procedures and arrangements to manage the ICT risks they could pose to financial entities.
   Financial entities are required to maintain a Register of Information outlining all contractual arrangements with ICT third-party service providers and report at least annually to the competent authorities information on new arrangements on the use of ICT services.
5. Information sharing arrangements (Article 40)
   Financial entities are encouraged to exchange amongst themselves cyber threat information and intelligence, including tactics, procedures, and cyber security alerts, to enhance the industry’s digital operational resilience.
   The exchange should take place within trusted communities of the financial entities and performed via arrangements protecting the potentially sensitive nature of the information shared (business confidentiality, personal data protection, competition policy).

Timetable and next steps

On 28 November 2022, the European Union Council has formally adopted DORA. This was the final step in the legislative process and it will now be passed into law by each EU member state. At the same time, the European Supervisory Authorities will develop technical standards that all applicable financial entities must adhere to. They will have a period of 24 months to implement the regulation and become fully compliant by 2024.

So what should financial entities do?
Although 2024 still seems far away, in view of the potentially far-reaching implications, they already should start preparations on short notice. On a high level, it could look like this:
The first action is to get a clear and complete understanding of the new requirements. Depending on the size and complexity of the organization, one or more members of senior management should be appointed to oversee DORA compliance.
Next step is to carry out a preliminary self-assessment to determine the possible impact. If the financial entity makes use of services from third-party service providers, they also have to be involved from this point on.
Based on the outcome of this gap analysis, an implementation programme must be set up and executed, with all involved departments and service providers, and with a road map ending, based on the current expectations, no later than 2024.

In conclusion, DORA is undoubtedly a challenge for many financial entities. But as it is a first attempt to come to a harmonised set of regulations on European level, thereby broadening the scope by taking third parties also within reach, it is a structural step forward in the increasingly fierce battle against cybercrime.

How can IBM help?

IBM with Promontory (a business unit of IBM Consulting) have a proven track record in IT Risk Management, Risk & Compliance and Cyber ​​Security, serving many of the top banks in the world.

IBM delivers services that combine IBM’s integrated technology with Promontory’s deep regulatory expertise and financial service industry knowledge. Using scalable operations and intelligent workflows, IBM helps clients achieve priorities, manage risk, fight financial crime and fraud, and meet changing customer demands while satisfying supervisory requirements.

For more information, please contact:

Marcel Scheffers
Financial Services Leader Consulting NL
E-mail: marcel.scheffers1@ibm.com

Marjolijn Herman
Associate Partner, Director Promontory Financial Group
E-mail: Marjolijn.herman@ibm.com

Henk Jan Nijmeijer
Managing Consultant – Core banking & Financial Markets
E-mail: nijmehj@nl.ibm.com

[1] DNB: resultaat jaarlijkse onderzoeken naar cybercriminaliteit

[2] EU Commission: DORA Proposal