EU adopts landmark IT resilience laws – a look at the Digital Operational Resilience Act (DORA)

Addendum - January 2023

• On 27 December 2022 DORA was published on the Official Journal of the EU and will enter into force on 16 January 2023.
• It shall apply from 17 January 2025.

The European Union (EU) has formally adopted new regulation that will place additional cybersecurity and resilience requirements on financial institutions and their critical suppliers.

The Digital Operational Resilience Act (DORA) builds on existing institutional EU requirements that manage information and communication risks. It comes as the UK Government pursues similar legislation in the form of the UK Financial Services and Markets Bill, and other regulators globally follow suit.

Duncan McDonald, Global Head of Compliance Services at NCC Group explains what’s involved with the new regulation, who it will impact and how it will interact with the existing EU framework.

What is DORA?

In response to ongoing digital transformation and an evolution of new associated risks, DORA aims to harmonise Information and Communication Technology (ICT) risk requirements across the EU, by creating one unified approach between regulators and across the financial services industry.

The goal of the Act is to set uniform requirements for the security of network and information systems of almost all financial entities operating in the EU, as well as critical third parties which provide ICT-related services to them, such as cloud platforms, managed service providers or data analytics services.

The regulation aims to ensure all participants in the financial system have the necessary safeguards in place to mitigate cyberattacks and other risks, such as supplier failure, service deterioration and concentration risk.

Who will DORA impact?

The regulation will apply to the 20 types of EU ‘financial entity’, including banks, insurers, crypto asset service providers and investment firms. In addition, the European Supervisory Authorities (ESAs) – who are responsible for the supervisions of EU financial markets – will be able to designate critical ICT third-party service providers (henceforth “critical providers”) based on criteria such as sustainability and the potential systemic impact they could cause if they experienced a large operational failure.

Many companies that have not previously been subject to specific ICT regulations are now within the scope of DORA and it won’t just be limited to financial institutions in the EU. The comprehensive regulation will impact any financial institutions or critical providers that need access to, or operate within, the EU market.

What are the requirements for businesses?

When implemented, DORA will require all financial institutions regulated at EU level to ensure that they can withstand all types of ICT-related disruptions and threats. This means implementing measures across five core areas:

1. ICT risk management – Financial institutions will be required to set up and maintain resilient ICT systems and implement comprehensive business continuity policies, mitigating against cyber risks, service deterioration, supplier failure and concentration risk. Furthermore, institutions will need to ensure they are continuously monitoring risks emanating from the reliance on critical providers. Additionally, they will need contracts with service providers which include clauses for performance monitoring, accessibility controls, service level description, and indication of locations of services.
2. Incident reporting – Financial institutions will be required to establish and implement a management process to monitor and log ICT-related incidents, be able to classify the incident according to the criteria detailed in the regulation and ensure reporting of incidents to the relevant authorities.
3. ICT third-party risk management – Financial institutions will be required to demonstrate robust controls around third-party risk management. The three areas include: 1/ Defining a strategy and associated policy signed off by senior stakeholders. 2/ Conducting due diligence and risk assessments on critical providers prior to contract award and including provisions for right to audit within contracts. 3/ Creating a mapping between critical providers and the business functions which they support.
4. Resilience testing – Elements within the ICT risk management framework should be periodically tested for preparedness. Any weaknesses, deficiencies or gaps must be identified and promptly eliminated.
5. Information sharing – To reflect other EU regulations DORA states that financial institutions should conduct information sharing such as threat intelligence and cyber security information sharing with regulators and other financial institutions. This will support early identification of new threats across the industry, allow financial institutions to implement mitigating controls and help reduce the impact of threats to all financial institutions. The aim is to strengthen response and resilience across the industry.

Overseeing regulatory bodies will have powers to conduct inspections and issue recommendations to regulated entities such as using a specific cybersecurity tool, or not sub-contracting critical functions to ‘third parties’ outside the EU.

In addition, critical providers will be required to maintain an operational presence within the EU as a base to deliver their services from and will be closely assessed by regulatory bodies. This will enable regulatory bodies to determine whether they have comprehensive, sound and effective rules, procedures, mechanisms, and arrangements to manage the ICT risks to the financial entities which they provide services to.

How will it interact with the Network and Information System (NIS) Directive and other EU legislation?

The NIS Directive was the first piece of EU-wide cybersecurity legislation, brought in to boost the cyber resilience of critical national infrastructure. The European Council recently adopted NIS2, replacing and strengthening the previous NIS Directive. The EU acknowledges that there will be some financial firms and critical suppliers that would be regulated under both DORA and NIS2 and promotes coordination where possible. For example, DORA competent authorities may, on a voluntary basis, consult the NIS2 competent authorities to help foster a coordinated approach for the treatment of critical providers. Incident reporting should also be consistent and coordinated, unless there’s a justification to deviate.

More broadly, the European Commission recently published a proposed EU Cyber Resilience Act that shares many of the same objectives as DORA and NIS2, such as information sharing and operational resilience. Under the plans, additional cybersecurity requirements will be established for the design, development and production of software and hardware products connected to the internet. This may affect some critical providers if they produce or sell such products in the EU.

What should financial institutions and third-party providers do to prepare?

Financial institutions

There are ten steps that all financial institutions can initiate now in order to minimise the impact of the regulation.

1. Review and understand the requirements of DORA and how they apply to your organisation.
2. Review existing management programs and their individual applicability to the five requirements within DORA to identify whether their scope can be expanded to help achieve compliance. Most institutions will have a number of the control areas already in place. Therefore, expanding their remit may help increase effectiveness of controls and reduce the overall implementation effort, time, cost and ensure that the compliance process is as efficient as possible.
3. Work with existing risk management processes and stakeholders to ensure the requirements of the new regulation are added in effectively.
4. Build the DORA requirements into existing incident management plans, processes and policies in order to ensure that they’re consistently applied to the standard operating procedures of the business.
5. Identify and map out how and where critical providers support business operations. For existing suppliers, consider amending contract provisions to fall in line with the regulation and ensure they’re included as standard for all new suppliers. For the critical service providers, consider flowing testing of controls downstream to their service providers.
6. Work with procurement teams to ensure that supplier performance monitoring is geared up to identify service deterioration and concentration risk within the supply chain. Those existing internal policies which are primarily concerned with cybersecurity, should be reviewed and updated to encompass and mitigate these risks.
7. Review current resilience testing processes against the regulation for completeness and to ensure that the full scope is covered.
8. Review the information sharing processes which exist internally and determine whether these meet DORA requirements.
9. Where gaps are identified, start to build mitigation plans to adhere to the regulation.
10. Implement a ‘Resilience by Design’ approach for new solutions, which includes prevention of supply chain failure (through cyber resilient solutions) as well as mitigation of the risk and impact of supply chain failure (through cloud, software and technology escrow solutions).

Critical ICT third-party service providers

Suppliers to financial institutions should first ascertain whether they are likely to be designated as a critical ICT third-party service provider, based on the criteria set out in the regulation. If a supplier is likely to be categorised as such, they will fall into the scope of DORA and should look at taking the following five steps:

1. Review and understand the requirements of DORA.
2. Confirm which elements of the regulation are applicable to the services which you provide and produce a responsibilities matrix which can be provided to your customers.
3. Stress test services to determine whether they provide the required levels of resilience in line with the regulation and existing contractual requirements.
4. Review supply chains to determine whether any suppliers are in scope of the regulation and produce a responsibilities matrix.
5. Stress test critical suppliers further down the chain.

Even those ICT third-party service providers not categorised as critical are likely to be required by their customers to provider greater levels of reassurance and should take this opportunity to review their own resilience. Therefore, it is highly recommended that they also follow a similar approach.

What happens next?

Once DORA comes into effect, which is expected to take place imminently, there will be a 24-month implementation period. During this time, the ESAs will lay down the detailed regulatory framework. With the ESAs given up to 18 months to publish some aspects of the framework, the timelines for compliance will be very tight.

Affected entities should therefore not delay their preparations. The sooner organisations start to plan their journey to DORA compliance, the easier the journey will be. Waiting until the last minute has proven to be a painful way of managing risk and becoming compliant with new regulation. We saw some of these challenges for those organisations who waited to implement GDPR back in 2018.

DORA is a step in the right direction to build enhanced resilience within the EU financial system and improve overall security posture to meet the everchanging cyber threat landscape. As with any new piece of regulation, it may cause short term uncertainty for some businesses. However, these kind of steps are in-tune with a long-term goal of encouraging resilience by design that we are seeing across the globe.