This article aims to provide an overview of the new Digital Operational Resilience Act (“DORA”) for the financial sector. The article also intends to identify and analyse a sample of the crucial points in DORA that give rise to both challenges and opportunities in the business and internal processes of financial entities. It is important for both financial entities and providers of information and communication technology services (“ICT services”) to financial entities to grasp at an early stage the changes that DORA will entail for everything from internal governance and supplier agreements to reporting of incidents and testing of ICT systems.
DORA aims to harmonise and strengthen requirements relating to management of operational risks and, in particular, risks relating to ICT services in financial entities. Due to greater digitalisation in the sector and the consequent greater vulnerability to cyber attacks, for example, most European authorities and international bodies have noted that the previous regulations are inadequate when it comes to meeting today’s challenges. Operational risks have previously been managed mainly by imposing capital adequacy requirements for those risks. However, regulating capital adequacy is of little help when it comes to preventing the risks and reducing the effects of deficiencies in an entity’s essential functions as a result of operational and/or system disruptions.
The regulations introduced through DORA are therefore of a more qualitative nature. The requirements established relate to ICT risk management, ICT incident management, testing and third-party risk management. A European supervisory framework is also established for third-party service providers that are categorised as critical, along with new supervisory and sanctioning provisions for financial entities and rules on joint exchange of information.
SCOPE AND RELATIONSHIP TO OTHER REGULATIONS
With a few exceptions, DORA covers all financial entities and establishes requirements for security in those entities’ network and information systems, i.e. electronic communications networks that allow transmission of signals by any means, regardless of the type of information being transmitted. That security is generally ensured through the use of ICT services, i.e. digital services provided through ICT systems on an ongoing basis. The European supervisory authorities have provided the following breakdown of services in a survey on the use of ICT services in the financial sector[1]:
- software and applications services (IT development: packaged software and its licensing and installation);
- network infrastructure services (excluding telecommunications services);
- data centres (physical spaces);
- ICT consultancy services and customised services;
- information and cybersecurity services (including control and surveillance, penetration tests, etc.);
- cloud services (including all delivery models, e.g. private cloud, public cloud, hybrid cloud, etc.); and
- data analysis and other data services (e.g. data provision, storage, processing and reporting).
Consequently, ICT services should be understood to include all the entity’s digital services and processes, including cloud services. However, DORA does not define the term “ICT system”, although that term has previously been defined by the European Banking Authority as an “ICT set-up as part of a mechanism or an interconnecting network that supports the operations of a financial institution”.
This article will focus on the main rules of DORA, although there are some entities that are exempt either due to their size or because they benefit from relief from parts of DORA’s scope of applicability, including what are referred to as “micro-enterprises”.
Certain ICT security requirements are also contained in the Directive on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”)[2].
However, the scope of the NIS2 Directive is not as broad and it is left to the Member States’ authorities to define which operators will be regarded as “providers of key public services” and will thus fall within the scope of the Directive. Only certain banks, trading venues, central counterparties and central securities depositories have so far been specifically included in this category in the Swedish implementation.
The regulations of the NIS2 Directive overlap with the DORA regulations in many cases. As a consequence, DORA states that, in these cases, the regulations constitute lex specialis in relation to the NIS2 Directive. There is also significant overlap with regard to certain provisions of DORA on the one hand and some of the European supervisory authorities’ guidelines (e.g. guidelines on outsourcing and information and communication security) on the other. It remains unclear whether such guidelines will continue to be applied in parallel with DORA or whether they will be repealed or have the relevant sections adjusted. However, we should expect an overhaul in this regard, at any rate in the long term.
[1] ESA Report on the landscape of ICT third-party providers in the EU – Overview of the high-level exercise (ESA 2023/22, 19/09/2023).
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148.
ICT RISK MANAGEMENT
Governance and organisation
DORA introduces an obligation for financial entities to implement an internal governance and control framework (“ICT risk management framework”) that describes the entity’s management of ICT risks, i.e. all risks that, were they to occur, could jeopardise the security of an entity’s network and information systems. The ICT risk management framework must form an integral part of the entity’s risk management and must include the strategies, guidelines and procedures necessary to protect the entity’s ICT assets (which, as opposed to ICT systems, include physical assets and infrastructures) from damage and unauthorised access. It should therefore be possible to use an entity’s existing risk management framework as a starting point for incorporating the considerations to be taken into account in accordance with DORA.
The board of directors is responsible for compliance with DORA in organisational terms. However, the management and monitoring of the entity’s ICT risks must be attended to on an ongoing basis by an independent second-line control function in accordance with the three lines of defence model. This requirement may appear burdensome for smaller entities and DORA contains no detailed provisions on how the organisation must be structured. In view of the proportionality aspect of the regulations and by obtaining guidance based on how smaller entities are dealt with in existing rules on internal governance and control at credit institutions and insurance companies, for example, it is likely to be possible for smaller entities with less complex business to combine different control functions, as long as the entity itself is able to explain why the organisation chosen is suitable. Outsourcing of the control function is also permitted provided that the financial entity retains control of the function through suitable arrangements (e.g. relevant monitoring mechanisms in the outsourcing agreement). The ICT risk management framework must be reviewed at least once a year or more frequently in the event of ICT-related incidents, instructions from the supervisory authority or conclusions from testing and audit processes. It must also be inspected by the entity’s internal audit function on a regular basis.
As part of the ICT risk management framework, a financial entity must have pre-prepared crisis communication plans intended for customers, the general public and counterparties.
ICT systems
In its work on management of ICT risks, the financial entity must use up-to-date ICT systems, ICT protocols and ICT tools that are suitable, reliable and that have sufficient capacity for processing the data required to carry on the business.
Entities must also identify and classify business functions supported by ICT systems in an appropriate manner to enable them to assess exposures to and dependencies on individual systems as well as those systems’ mutual dependencies on one another. As part of this identification, entities are also required to identify dependencies on third-party providers of ICT systems.
Financial entities also need to have documented strategies, guidelines and procedures to protect ICT systems which include encryption, automated mechanisms for isolating information assets in the event of cyber attacks, appropriate strategies for software patches and updates and restriction of rights of access, etc. There must also be mechanisms for detecting abnormal activities and identifying what are referred to as “single points of failure”.
ICT-RELATED INCIDENTS
DORA requires financial entities to have a process for detecting, managing and reporting ICT-related incidents. In order to avoid a double reporting obligation, the reporting requirement under the Payment Services Act will cease to apply to financial entities covered by DORA, even if the incidents are not ICT-related. Nevertheless, it is unclear how the reporting requirements under DORA relate to reporting of events of substantial significance in accordance with the Swedish Financial Supervisory Authority’s general guidelines (FFFS 2021:2). It may however be noted that some double reporting would still remain if the general guidelines are retained.
The process for dealing with ICT incidents in accordance with DORA must include early warning indicators, prioritisation procedures and a description of the procedures for mitigating the impact of an incident. When it comes to the classification of incidents (which has a bearing on how different incidents will be prioritised), DORA establishes certain factors that must be taken into consideration with regard to their severity:
- the number of customers/financial counterparties/transactions affected;
- the impact on the entity’s reputation;
- the duration (including operational downtime);
- geographical extent (particularly if there is a cross-border impact);
- extent of data loss;
- the criticality of the services concerned for the entity’s business; and
- economic impact.
Some materiality thresholds and reporting deadlines for the above points will be specified by the European supervisory authorities through technical standards (consultation is ongoing, see the draft here).
Financial entities are also required to report serious ICT-related incidents, along with the measures adopted by the entity to mitigate the effects of the incident, to the supervisory authority. The ability to voluntarily report certain cyber threats that an entity has identified is also introduced if the entity considers the threat to be relevant to the financial system or the customers. Standardised templates for the form and content of both obligatory and voluntary reports will be produced by the European supervisory authorities.
Testing
Financial entities must carry out testing of their ICT systems as a preventive measure. Consequently, it is also important for the entities to have a satisfactory overview of these systems. Testing means that the entity must identify weaknesses, deficiencies and gaps in its resilience and quickly take corrective action. The testing must form part of the ICT risk management framework and must be risk-based and suitable. Suitable tests referred to in DORA include vulnerability analyses, analyses of open source code and penetration testing, etc.
The vast majority of entities covered by DORA must carry out advanced tests with the aid of threat-led penetration testing at least once every three years. That testing must focus on the entity’s critical or important functions and, as a general rule, must be carried out by external persons. Technical standards relating to requirements for threat-led penetration testing will come from the supervisory authorities.
The requirements for testing may seem burdensome, even though their scope cannot yet be fully determined. However, DORA provides the option, under certain conditions, for financial entities to carry out joint testing of ICT systems that are used by multiple financial entities.
DEALING WITH ICT THIRD-PARTY RISKS
It is common for financial entities to outsource the use of ICT services in their operations. One fundamental principle of such outsourcing, even prior to DORA, is that the financial entity is always ultimately liable for compliance with existing regulations. Consequently, DORA requires the inclusion of strategies for outsourcing in the ICT risk management framework, record-keeping on the use of different third-party providers, reporting of outsourcing arrangements, risk assessments prior to entry into outsourcing agreements, monitoring of the third-party provider’s delivery of the ICT service and certain contractual provisions that are considered to be of particular importance. The supervisory authorities will draw up standard contractual clauses that the financial entities will be required to “consider” using.
The risk assessment for ICT third-party risks must ascribe particular importance to any concentration risks. Factors to be taken into consideration in the assessment include whether the third-party provider can be easily replaced or whether several critical or important functions are outsourced to the same, or closely-related, third-party providers. Financial entities must also assess the suitability of the supply chain, e.g. a complex chain could affect the entity’s (or the supervisory authority’s) ability to effectively monitor the agreed supply. Consequently, it is increasingly important for entities to exercise satisfactory governance over their outsourcing arrangements and to maintain a transparent register of both counterparties and counterparties’ subcontractors.
THIRD-PARTY SERVICE PROVIDERS
The European supervisory authorities are required by DORA to introduce a classification of third-party service providers that are considered critical for financial entities. The assessment must be carried out from the point of view of system stability, i.e. based on aspects such as the system impact that an interruption in the provision at the third-party provider would have on the stability, continuity or quality of the provision of financial services in a broad sense.
Third-party service providers that are classified as critical will have a lead supervisory authority appointed to them and, in cases where they form part of a group, they themselves must appoint a legal entity from within the group to act as a focal point for communication with the lead supervisory authority. The Commission has been granted authorisation to adopt delegated acts based on technical standards produced by the European supervisory authorities in order to specify the criteria that will form the basis for the appointment of critical third-party service providers (see the technical standards here). The European supervisory authorities must publish an annual list of the providers included in the supervisory framework. That supervision must consist of aspects such as checking whether the third-party service provider has sound, effective rules and procedures for dealing with the ICT risk it could pose for financial entities. To enable it to carry out its task, the supervisory authority has the right to request information from, conduct investigations into and carry out inspections of third-party service providers.
Third-party service providers that will not be classified as critical are also affected by DORA. Financial entities will be required to impose more numerous and more detailed requirements on their outsourcing arrangements. A service provider may also be required to participate in its customers’ security tests and training initiatives. Consequently, it is becoming increasingly clear that an entity needs to take ICT security seriously in order to be an ICT service provider to a financial entity. It may also be helpful to consider how the contractual provisions required by DORA can best be incorporated into the ICT service provider’s general terms and conditions for its ICT services (i.e. in a way that is both practicable in commercial terms and that provides satisfactory quality in terms of security).
ARRANGEMENTS FOR EXCHANGE OF INFORMATION
In accordance with DORA, financial entities may take part in joint arrangements for exchange of information and intelligence on cyber threats, provided that the purpose of such arrangements is to improve the entities’ digital operational resilience and that they take into account the sensitivity of the information, data protection and rules on competition. A financial entity is required to notify the supervisory authority if it takes part in any such arrangement.
SUPERVISION AND SANCTIONS
The Swedish Financial Supervisory Authority will be the competent Swedish supervisory authority in accordance with DORA. Administrative sanctions that the Swedish Financial Supervisory Authority will be able to impose as a result of the regulations include injunctions to cease actions that the Supervisory Authority considers to be in breach of DORA and measures, including of a financial nature, to ensure that a financial entity complies with legal requirements. In any case, the sanctions must be effective and proportionate and must serve as a deterrent. It is not clear whether any national, supplementary legislation regarding the ability to impose sanctions will be introduced or whether the Financial Supervisory Authority’s ability to intervene in accordance with existing legislation is considered sufficient.
A LOOK INTO THE FUTURE
The first drafts of technical standards are currently being referred for consultation and will be sent to the Commission for adoption on 17 January 2024. The next round of technical standards will be adopted by the Commission on 17 July 2024 and we can therefore probably expect drafts to be referred for consultation in the first quarter of 2024.
DORA imposes extensive requirements for risk management in financial entities’ digital processes. At the same time, the regulations are not completely new. Financial entities have been working with regulatory requirements for outsourcing and ICT security for several years and that should provide a satisfactory basis for the work of implementing DORA.
Lindahl is following developments with great interest. You are welcome to contact any of us if you have any questions concerning the application of DORA in your business.