Key takeaways

  • DORA – The Digital Operational Resilience Act (DORA) is a European Union regulation that came into force on January 16, 2023 and will take effect on January 17, 2025. Its goal is to enhance information technology security for financial entities (including banks), insurance companies and investment firms, ensuring the financial sector in Europe remains resilient during severe operational disruptions.
  • Comprehensive information and communications technology (ICT) risk management – Financial entities must develop and maintain a thorough ICT risk management framework. This includes setting up resilient ICT systems, identifying and managing ICT risks, and implementing protection and prevention measures. Key functions to address are identification, protection, detection, response, recovery, and continuous learning and improvement.
  • Mandatory reporting of ICT-related incidents – Companies are required to establish processes for monitoring and logging ICT-related incidents. Major incidents need to be reported to the relevant authorities using a standardized template. This reporting helps in maintaining transparency and ensuring quick resolution of issues that affect operations and clients.
  • Operational resilience testing – Regular testing of ICT systems is mandatory to identify weaknesses and implement corrective measures. Significant or cyber-mature financial entities must conduct advanced threat-led penetration testing every three years, in addition to annual reviews, ensuring robust preparedness against potential threats.
  • Information sharing – DORA encourages financial entities to share information on cyber threats among themselves. This collaborative approach aims to enhance awareness of ICT risks, minimize their spread, and improve defensive capabilities and threat detection techniques across the sector.
  • Management of third-party risk – Financial entities need to manage ICT third-party risks as part of their overall risk management strategy. Contracts with third-party providers should cover service descriptions, data processing locations, performance targets, data protection measures, and clear termination and exit strategies. Critical ICT service providers are subject to additional oversight by European Supervisory Authorities.
  • Implementation and compliance – Organizations must assess whether they fall under DORA’s scope and conduct a gap analysis of their current information security management frameworks. They should develop and implement plans to address identified gaps, including policies for handling and reporting ICT-related incidents, and ensure compliance with resilience testing requirements. This proactive approach will help in meeting DORA’s requirements by the January 2025 deadline.

The main requirements of DORA, each of which are further explained in this post, are:

  1. Information and communications technology (ICT) risk management
  2. Reporting of ICT-related incidents
  3. Operational resilience testing
  4. Information sharing
  5. Management of third-party risk

To whom does DORA apply?

DORA applies to a whole host of “financial entities” including:

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • Securitisation repositories
  • Trade depositories
  • Managers of alternative investment funds
  • Management companies
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • Institutions for occupational retirement provisions
  • Credit rating agencies

In addition to applying to financial entities, DORA also applies to ICT third-party service providers (e.g., data analytics services, data centres and cloud-computing platforms, but excluding providers of hardware components).

Certain ICT service providers, if deemed to be critical ICT service providers, are subject to additional oversight. Whether or not an entity falls within scope of being a “critical ICT third-party service provider” will be based on an analysis done by the European Supervisory Authorities. In our next blog post, we will further elaborate on what DORA means for ICT service providers.

1. ICT risk management

DORA sets out the requirement for financial entities to have in place a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, enabling financial entities to quickly, efficiently and systematically address any ICT risks, while maintaining a high level of digital operational resilience.

An ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented, including methods to address ICT risks and attain specific objectives by, amongst other things:

  • Explaining how the ICT risk management framework supports the financial entity’s business strategy and objectives.
  • Establishing the risk tolerance level for ICT risks, in accordance with the risk appetite of the financial entity, and analysing the impact tolerance for ICT disruption.
  • Setting out clear information security objectives, including key performance indicators and key risk metrics.
  • Detailing the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from such incidents.

Financial entities shall, in order to address and manage ICT risks, use and maintain updated ICT systems, protocols and tools which are:

  • Appropriate in magnitude of operations supporting the conduct of their activities.
  • Reliable.
  • Equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes as needed.
  • Technologically resilient in order to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations.

In short, ICT risk management means that financial entities are required to:

  • Set up and maintain resilient ICT systems and tools that minimize the impact of ICT risk.
  • Identify, on a continuous basis, all sources of ICT risk.
  • Implement protection and prevention measures that promptly detect anomalous activities.
  • Put in place dedicated and comprehensive business continuity policies and disaster and recovery plans as an integral part of the operational business continuity policy.

These risk management requirements revolve around specific functions in ICT risk management, such as:

  • Identification and detection.
  • Protection and prevention.
  • Response and recovery.
  • Learning, evolving and communication.

Each of these are further detailed below.

Identification and detection

Financial entities are required to, amongst other matters:

  • Identify, classify and adequately document all ICT-supported business functions, roles and responsibilities, information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risks, along with reviewing the adequacy of the classification and relevant documentation regularly, at least on an annual basis.
  • On a continuous basis, identify all sources of ICT risks (in particular, the risk exposed to and from other financial entities) and assess cyber threats and ICT vulnerabilities.
  • Identify all assets and ICT assets (including those on remote sites), network resources and hardware equipment, and map those which are regarded as being critical.

DORA sets out a duty on all financial entities (other than microenterprises) to perform a risk assessment upon each major change in their network and information system infrastructure, the process or procedures affecting their ICT-supported business functions, and information or ICT assets.

Financial entities also need to put in place mechanisms which promptly detect anomalous activities, including ICT network performance issues and related incidents, as well as potential material single points of failure.

Protection and prevention

Financial entities need to continuously monitor and control the security and functioning of their ICT systems and tools, and minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.

Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems –particularly for those supporting critical or important functions – and maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.

In order to achieve these objectives, financial entities shall use ICT solutions and processes, which, amongst other matters:

  • Ensure the security of the means of transfer of data.
  • Minimize the risk of corruption or loss of data, unauthorized access and technical flaws which may hinder business activity.
  • Confirm that data is protected from risks arising from the data management, including poor administration, processing-related risks and human error.  

Response and recovery

Financial entities will be required to put in place, and periodically test, a comprehensive business continuity policy that should be done through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to, amongst other things:

  • Ensure the continuity of the financial entity’s critical or important functions.
  • Quickly, appropriately and effectively respond to – and resolve – all ICT-related incidents in a way that limits damage and prioritises the resumption of activities and recovery actions.
  • Estimate preliminary impacts, damages and losses.
  • Set out communication and crisis management actions to ensure that updated information is transmitted to all relevant internal staff and external stakeholders.

Amongst a number of other requirements, including the need to (upon request) report an estimate of aggregated annual costs and losses caused by ICT-related incidents to competent authorities, DORA further stipulates the need for financial entities to keep readily accessible records of activities before and during disruption events when their ICT business continuity plans and ICT response and recovery plans were activated.

Learning, evolving and communication

DORA requires financial entities to learn from – and evolve as a result of – any vulnerabilities, cyber threats and ICT-related incidents. If an incident has occurred, a financial entity shall carry out a post-ICT-related incident review aimed at determining whether the established procedures were followed and whether the actions taken were effective, including with respect to:

  • The promptness in responding to security alerts and determining the impact of ICT-related incidents and their severity.
  • The quality and speed of performing a forensic analysis (where appropriate).
  • The effectiveness of incident escalation within the entity.
  • The effectiveness of internal and external communications.

Financial entities, other than microenterprises, shall (upon request) communicate to the competent authority those changes implemented to their ICT security framework as a result of an ICT-related incident review.   

2. Reporting of ICT-related incidents

DORA sets out a general requirement for financial entities to establish and implement a management process to monitor and log ICT-related incidents. Following this, DORA sets out an obligation to classify ICT-related incidents based on certain criteria, including:

  • The number of users or financial counterparts affected by the ICT-related incident.
  • The duration of the ICT-related incident.
  • The data losses the ICT-related incident entails, such as loss of integrity, confidentiality or availability.
  • The geographical spread regarding the areas affected by the ICT-related incident.

ICT-related incidents deemed “major” must be reported to the competent authorities. The reporting should be processed using a common template and following a harmonised procedure. Financial entities should submit initial, intermediate and final reports and inform their users and clients if the incident has, or may have, an impact on their financial interests.

3. Operational resilience testing

An organization’s ICT risk management framework needs to be reviewed at least annually to ensure preparedness and identify weaknesses, deficiencies or gaps. Any corrective measures should be promptly implemented.

DORA allows for a proportionate application of digital operational resilience testing requirements taking into consideration the size, business and risk profiles of financial entities. Financial institutions which are deemed to be significant or cyber-mature also will be required to carry out advanced threat-led penetration testing every three years, in addition to their annual testing.

4. Information sharing

Financial entities are allowed to set up arrangements to share cyber-threat information amongst themselves in order to raise awareness of ICT risk, minimise its spread, and support the defensive capabilities and threat-detection techniques of financial entities.

5. Management of third-party risk

Managing ICT third-party risk is an integral component of the ICT risk management framework. As part of their risk management framework, financial entities shall adopt and regularly review a strategy on ICT third-party risk, which shall include a policy on ICT services provided by ICT third-party service providers.

Agreements with an ICT third-party service provider should contain, amongst other matters:

  • A complete description of services.
  • An indication of locations where data is to be processed.
  • Full service-level descriptions accompanied by quantitative and qualitative performance targets.
  • Relevant provisions on accessibility, availability, integrity, security and protection of personal data.
  • Guarantees for access, recovery and return in the case of failures of the ICT third-party service providers.
  • Notice periods and reporting obligations of ICT third-party service providers.
  • Rights of access, inspection and audit by the financial entity or an appointed third party.
  • Clear termination rights and dedicated exit strategies.

While much can still be said about the management of third-party risk and the obligations on financial entities, it is important not to forget how DORA, which is principally aimed at strengthening the IT security of financial entities, will affect ICT third-party service providers.  Cooley will unpack the effects of DORA on ICT third-party service providers in a separate blog post.

What does this mean in practice?

Businesses and organisations that operate in the financial sector will need to assess whether they fall within scope of DORA. If it is determined that they are in scope, they should conduct a gap analysis on the basis of their existing information security management framework, identify any specific tasks and targets that are to be implemented, and develop an implementation plan.

In addition to carrying out such assessment, mechanisms and policies detailing the entity’s handling and reporting of ICT-related incidents should be created. In order to comply with the testing requirements, policies, processes and controls for the testing of ICT systems also should be devised.

In a later blog post, we will explain in more depth the obligations that ICT companies may have to comply with if they provide services to financial entities that fall under DORA’s scope.

Authors

Patrick Van Eecke

Yasmin Roland

Posted by Cooley