The EU Digital Operational Resilience Act — what is it and what to do now
(article published in the Privacy & Data Protection Journal)
What is DORA?
The financial services sector relies heavily on information and communications technology (ICT) to operate and deliver its products and services. While this brings benefits for businesses and consumers, it also exposes the sector to risks from cyber threats and ICT disruptions that could affect the stability of the EU financial system.
To address this risk, the EU has enacted the Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA). DORA establishes a harmonised and comprehensive framework for ICT risk management, covering five core areas (described below), and seeks to improve the digital resilience of the EU financial sector.
Who does DORA apply to?
DORA applies to a very wide range of EU-regulated financial entities, such as banks, insurers, investment firms and payment institutions, as well as to certain critical ICT third-party service providers, such as cloud computing and data centre providers.
DORA's prescriptive requirements apply to financial entities. For critical ICT third-party service providers, DORA instead creates an oversight framework rather than a prescriptive list of requirements.
When will DORA apply?
Who enforces DORA?
What are the main obligations on financial entities?
Pillar 1: ICT risk management and governance
Financial entities must have a comprehensive, well-documented ICT risk management framework, which enables them to address ICT risk effectively and ensure a high level of digital operational resilience.
The framework must include appropriate strategies, policies, procedures and tools (including technical measures) to protect information and ICT assets, and to ensure the resilience, continuity and availability of ICT systems. Entities must also map and classify their ICT systems.
The framework must also include a digital operational resilience strategy, setting out how the framework is to be implemented.
Financial entities must also have a governance and control framework in place to ensure effective and prudent management of ICT risk. DORA places specific requirements and responsibilities on the financial entity's management body, which bears ultimate responsibility for managing the financial entity's ICT risk.
Pillar 2: ICT-related incident management and notification
Financial entities must establish and implement a process to detect, manage, classify and notify ICT-related incidents. An ICT-related incident is an unplanned event that compromises the security of an ICT system and has an adverse impact on the data or the services provided by the financial entity.
Major ICT-related incidents, which have a high adverse impact on the ICT systems that support critical and important functions of the financial entity, must be reported to the relevant regulator. DORA, together with the technical standards to be issued under it, sets out greater detail on the timing and format of the notification.
Where a major ICT-related incident affects the financial interests of the financial entity's clients, the entity must notify its clients of the incident and of the measures it has taken to mitigate the effects of the incident. This must be done without undue delay.
Pillar 3: Digital operational resilience testing
Financial entities must establish a digital operational resilience testing programme to regularly assess their preparedness for handling ICT-related incidents, and to identify weaknesses, gaps and deficiencies in their digital operational resilience.
The testing programme should apply a risk-based approach, taking into account the specific risks to the financial entity.
DORA specifies various possible tests, such as vulnerability scans, network security assessments, source code reviews and scenario-based tests.
DORA also requires certain specified financial entities to conduct advanced testing by means of threat-led penetration testing, which simulates realistic cyberattacks on the entity's ICT systems, at least every three years.
Pillar 4: ICT third-party risk management
Financial entities must manage the ICT risks arising from their outsourcing to, or use of, ICT third-party service providers as an integral part of their ICT risk management framework.
As part of this, financial entities must adopt and regularly review a strategy on ICT third-party risk and maintain a register of information on their contractual arrangements with ICT third-party service providers, distinguishing between services that support critical and important functions and those that do not.
Before entering into a contract with an ICT third-party service provider, the financial entity must take certain pre-contractual steps prescribed by DORA, such as appropriate due diligence. DORA also prescribes the minimum provisions that must be included in the contract with the ICT third-party service provider, and requires the full contract to be documented in a single written document.
Pillar 5: Cyber-threat intelligence sharing
DORA also sets out a framework through which financial entities are encouraged (but not obliged) to share cyber-threat intelligence and information.
What should we do now?
DORA is a lengthy, complex law with very prescriptive requirements. Financial entities are likely to already have the foundations in place to meet some of the requirements of DORA, but they will need to undertake a gap analysis of their current ICT risk management framework and practices against the requirements of DORA, and then create and execute an implementation plan to ensure compliance. For many organisations, there will be a lot to do to achieve compliance by 17 January 2025.
We can help clients by advising on the requirements of DORA, including the remediation of ICT vendor contracts to meet the requirements of Article 30 and strategies for achieving compliance. As part of this, our clients can also benefit from deploying DACB Nexus, our vendor risk management solution. It provides leading-edge technical functionality and support to drive cost efficiencies in large-scale remediation projects (including contract reviews), and introduces a highly efficient, automated counterparty management platform to deliver BAU cost savings and demonstrate regulatory compliance going forward.
Please do get in touch.