In order to strengthen the financial sector’s resilience to internal and external disruptions to information and communication technology (ICT), the EU legislator has issued Regulation 2022/2554 on “digital operational resilience”, or DORA (Digital Operational Resilience Act) for short. It will apply to almost all financial companies in the EU from 17 January 2025. According to Article 2 DORA, the term “financial undertaking” is to be understood literally, not in the restricted sense of the German Banking Act (KWG). DORA contains provisions on the security of information systems and networks used by financial institutions to conduct their core business. Compliance with these regulations is intended to ensure the continuity of the financial business in every situation. Companies that violate security rules or reporting obligations under DORA face severe sanctions.
Motives behind DORA
The EU legislator’s motives for imposing ICT hardening requirements on the financial sector can be summarised in three points.
- With the digitalisation of the financial sector, its vulnerability to cyberattacks is increasing, as is the potential damage. In addition to deliberate attacks, IT problems caused by good intentions, such as software errors or system failures, pose a high risk.
- DORA also subjects external ICT service providers to monitoring by the three European Supervisory Authorities (ESAs) for banks (EBA), insurers (EIOPA) and securities (ESMA).
- The DORA Regulation is intended to harmonise existing regulations for financial players. These include, for example, the IT requirements for banks (BAIT), insurers (VAIT), capital managers (KAIT) and payment services (ZAIT).
Timetable
DORA came into force on 16 January 2023. After a two-year implementation phase, it must be applied in day-to-day business from 17 January 2025, including the prescribed penetration tests. To be ready by then at the latest, financial companies and ICT service providers need to hurry; time is short.
Scope of application
DORA applies to almost all financial institutions regulated in the EU and their external ICT service providers. The target group is larger than that of the two EBA guidelines on ICT risk management and outsourcing. The regulation provides for exemptions for micro-enterprises.
Subject matter
To increase the digital resilience of the financial sector, DORA regulates four fields of application.
ICT risk management
DORA assumes that financial organisations have an internal governance and control framework in place to keep ICT risks under control. This framework includes, as a minimum, strategies, guidelines and policies, procedures, protocols and tools to protect data, hardware and software and their locations. Overall responsibility for the means and measures of ICT risk management lies with the management board or managing director. They keep their ICT expertise up to date through regular training, among other things. Competent authorities must be provided with complete and up-to-date information on ICT risks upon request. The governance and control framework must be documented and reviewed at least once a year.
Dealing with ICT incidents
DORA requires financial organisations to establish a defined process for identifying, handling and reporting ICT incidents. Incidents and risks must be recorded and followed up, and their causes identified, documented and rectified in order to prevent further incidents. The process begins with the classification of ICT risks and incidents. Financial institutions must report serious incidents, as defined in Article 3 of the regulation, to the competent authority. Reports of unrealised risks are encouraged but optional.
In coordination with the European Network & Information Security Agency (ENISA) and the ECB, the European Supervisory Authorities are drafting technical standards on the content and form of the procedures, forms and templates that financial organisations should use to report serious ICT incidents or risks. By January 2025, they will also examine the possibility of centralising and thus simplifying the ICT reporting system on an EU platform. The respective reporting office is required to confirm each receipt and, where possible, provide prompt feedback, for example in the form of anonymised findings from parallel cases.
Resilience test
According to DORA, ICT risk management includes a methodologically sound, comprehensive test programme to assess and increase digital operational resilience. An independent party is to be commissioned with the resilience test. Provided there are no conflicts of interest and sufficient funds are available, the testers may come from within the company itself. In addition, financial institutions should develop guidelines and procedures for prioritising, classifying and remedying the problems identified in the test.
The arsenal for testing operational ICT systems and tools ranges from vulnerability scans, open source analyses, network security assessments and scenario-based tests to compatibility, performance and penetration tests. Financial companies should subject their ICT to a threat-led penetration test (TLPT) at least every three years. This involves an independent test team simulating a realistic cyberattack.
Cooperation with ICT service providers
The cooperation of financial companies with external ICT service providers classified as critical is subject to supervision by the ESAs. The assessment of criticality is also the responsibility of these authorities and is based on four criteria:
- systemic consequences of the failure of the ICT service provider for the stability, continuity or quality of the financial business
- systemic relevance of the financial institutions it supports
- its relevance for other companies in the financial sector with which a financial institution works closely
- the degree of substitutability of the service provider
In the event that risks materialise at an ICT provider that lead to the failure or deterioration of a critical service, Article 28 DORA requires financial undertakings to have an exit strategy. Article 35 obliges ICT service providers classified as critical to provide information, documents, cooperation in investigations or inspections and reporting to the European Supervisory Authorities upon request. Refusing, restricting or delaying cooperation with the ESAs can result in fines. Once a year, the ESAs publish a Europe-wide list of critical ICT service providers. Not being on the list could prove to be a competitive disadvantage in the long term. ICT service providers can therefore apply to be included on the list in order to voluntarily submit to European supervision.
Crucial points of DORA compliance
Financial organisations and their ICT service providers should not underestimate the effort required to adapt to DORA. These are the biggest hurdles:
Complexity
Europe is longing for a reduction in bureaucracy, but DORA runs in the opposite direction. What it demands of its addressees has to be painstakingly worked out from the extremely verbose, convoluted and redundant text. This takes time and provokes misunderstandings. In addition, the timetable is tight in view of the abundance and complexity of the requirements, so expert assistance is essential.
Costs
DORA compliance will result in high costs, particularly for smaller financial companies.
Dependency on external parties
Many financial organisations rely on ICT services from external providers for their core business. Under DORA, they must ensure that their service providers also fully comply with the regulation. This increases the workload and is likely to prove difficult in practice.
Monitoring and reporting
DORA results in extensive internal and external reporting obligations for financial companies. They should therefore check whether they have the necessary channels and mechanisms in place and close any gaps in good time for the start of applicability.
How we support your DORA project
Consileon advises financial organisations and their ICT service providers in all phases of DORA compliance, from the initial assessment to live operation. The scope of your project depends, among other things, on the size of your organisation, the current level of IT security and the number of external service providers. Our project support is divided into three steps.
- Needs analysis. Here we clarify what conditions your company needs to create internally in order to comply with DORA and what resources, skills and systems it needs to do so.
- Impact assessment, also known as an impact analysis. This analyses how DORA will affect your business areas, teams and systems. This gives you planning certainty.
- Introduction of the security standards, control mechanisms and software you need to apply the findings from the first two steps.