Legal Updates

On 27 December 2022, the Digital Operational Resilience Act (DORA) was published in the Official Journal of the European Union.

Taking the form of a Regulation, DORA creates a harmonised regulatory framework strengthening the information and communication technology (ICT) security of financial entities. Its objective is to achieve a high common level of digital operational resilience across all EU member states.

On the same day, a Directive was adopted which will amend various other Directives, including CRD IV, Solvency II, MiFID II, PSD2, UCITS and AIFMD, to bring them in line with DORA.

DORA aims to prevent and mitigate cyber threats and ensure that firms can withstand, respond to and recover from all types of ICT-related disruptions and threats. It forms part of the European Commission’s digital finance package, adopted on 24 September 2020, which also included the proposals for the regulations on markets in crypto-assets (MiCA) and the pilot regime for market infrastructures based on distributed ledger technology.

Who does DORA apply to?

DORA will apply to a broad range of “financial entities”, including:

• Credit institutions;
• Investment firms;
• Central securities depositories;
• Central counterparties;
• Trading venues;
• Benchmark administrators;
• Fund management companies;
• Insurance and reinsurance undertakings;
• Insurance intermediaries;
• Payment institutions;
• Electronic money institutions;
• Crypto-asset service providers;
• Issuers of asset-referenced tokens; and
• Crowdfunding service providers.

Limited exclusions apply for certain smaller firms.

Significantly, DORA will also apply to third-party ICT service providers, such as cloud platforms and data analytics providers.

Key provisions for regulated firms

DORA lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities. In particular, it imposes requirements relating to:

• ICT risk management;
• ICT-related incident management, classification and reporting;
• digital operational resilience testing;
• information and intelligence sharing in relation to cyber threats and vulnerabilities; and
• measures for the management of ICT third-party risk, including requirements in relation to contractual arrangements.

Firms will be required to conduct concentration risk assessments of all outsourcing arrangements relating to the delivery of critical or important functions and the competent authority will have the power, as a measure of last resort, to order a firm to suspend or terminate a contract with a critical ICT third-party service provider.

Application to ICT service providers

Certain third party ICT service providers that are designated by the European Supervisory Authorities[1] (the ESAs) as ‘critical’ will be subject to a newly established oversight framework. This will bring these firms within the regulatory perimeter for the first time and subject them to far-reaching supervisory powers.

The relevant ESA will assess whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities. Based on that assessment the ESA will adopt a detailed individual oversight plan describing the annual oversight objectives and the main oversight actions planned for each critical ICT third-party service provider. The plan shall be communicated yearly to the critical ICT third-party service provider.

The ESAs will have broad powers to request information, conduct investigations and inspections, issue recommendations and, in the case of non-compliance, to impose financial penalties on critical ICT third-party service providers.

Next Steps

DORA will enter into force on 16 January 2023. It will apply from 17 January 2025.

The ESAs have been tasked with developing technical standards (Level 2 rules) applicable to all financial entities within the scope of DORA.

In preparing for DORA, firms should also have regard to the Central Bank’s “Cross Industry Guidance on Operational Resilience”, published in December 2021 (the Guidance), which can be accessed here. The Central Bank has stated that the Guidance is “compatible with/complementary to DORA”.

Firms within the scope of DORA are encouraged to start preparing for its application by identifying any gaps in their ICT governance and processes. Firm should also give consideration to which of their providers are likely to be considered critical and review their testing and recovery protocols against the standards set out in the new regulation.

Footnotes:

[1] The European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority.