
DORA: Regulation on digital operational resilience and its impacts on financial entities

Regulation in the area of information and communication technology is to be unified into a single legislative act. The European Commission is preparing a set of measures including a Regulation on digital operational resilience for the financial sector (“DORA”). Read on to find out what the new legal initiative will bring and what obligations it will impose on financial entities.

Digital operational resilience act (DORA) in brief

The Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (“DORA”) is part of a set of measures prepared by the Commission as part of its strategy on digital finance for the EU financial sector.

The initiative also includes a proposal for a regulation on markets in crypto assets, a proposal for a regulation on a pilot regime on a distributed ledger technology market infrastructure, and a proposal for a directive to clarify or amend certain related EU financial services rules.

The package of measures aims to enable and support the development of the potential of digital finance in terms of innovation and competition while mitigating related risks.

The proposal for the DORA regulation consolidates and updates the rules on information and communication technologies (ICT). It compiles the regulation of digital risks in the financial sector into one legislative act. The regulation aims to fill the gaps and remedy the irregularities in the current fragmented regulation, and explicitly address ICT-related risks. The new, targeted rules will apply to risk management, reporting, and testing, as well as the monitoring of risks related to third parties. The regulation includes a single rulebook, a system of oversight, and the expansion of the mandates of financial supervisory bodies monitoring and protecting the financial stability and integrity of the market.

Personal scope

To ensure consistency of risk management requirements, the personal scope of the regulation will apply to a wide range of financial entities regulated at the EU level (e.g., credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, insurance intermediaries, statutory auditors, and others). The regulation now also expands the list of regulated parties to ICT third-party service providers.

4 DORA requirement areas

The DORA proposal is a harmonisation regulation whose provisions will be further specified by 14 regulatory technical standards once adopted. DORA presents requirements on the security of networks and information systems used by financial entities for their business operations and defines a supervisory framework for critical ICT third-party service providers when providing services to financial entities.

  1. ICT risk management requirements. They include a set of essential principles and requirements for ICT risk management, with emphasis on their specific risk management functions (identification, protection and prevention, detection, response and recovery, learning and evolving and communication). Most of these requirements will be further specified by regulatory technical standards.
  2. ICT-related incident reporting requirements. These mainly include harmonising rules for the process of identification, management and reporting of incidents and processes for ensuring a consistent and integrated handling of identified incidents. At the same time, the general requirements for reporting significant incidents to supervisory authorities are considered. Financial entities will be subject to the obligation to submit initial, intermediate, and final reports and inform their users and clients where the incident has or may have an impact on their financial interests.
  3. Digital operational resilience testing. Financial entities will have to maintain a comprehensive testing programme for digital resilience as part of the ICT management framework. While all entities will have to perform testing of ICT tools and systems, advanced testing using penetration tests should only apply to entities identified as significant.
  4. ICT third-party risk. This set of rules defines the general principles for sound risk management and provides a list of essential contractual clauses that all financial entities will have to reflect in their outsourcing and vendor agreements once the regulation comes into force (e.g., full service level descriptions, relevant provisions on accessibility, availability, integrity, guarantees for access, inspection and audit by the financial entity or an appointed third party).

Implementation timeframe

While the legislative trialogue regarding the proposal for the regulation has begun, a relatively lengthy period can be expected to follow after its adoption, allowing financial entities to adjust their internal processes accordingly. The original proposal of the European Commission included a one-year period for the general rules and a three-year period for the requirements regarding penetration testing. The European Parliament and the Council, however, prefer a single two-year period.

One way or the other, the primary part of the requirements will be specified using technical standards (especially regarding ICT risk management), and their creation and effective date are, according to the current wording of the proposal, scheduled to follow one to two years after the proposal comes into effect.

DORA Readiness

Despite the relatively comfortable deadline for implementing the necessary changes, financial entities should closely monitor the discussion regarding the proposal for the regulation. Stakeholders’ comments can gradually uncover possible future wording, primarily of the regulatory technical standards that will affect the current state of ICT risk management processes.

Due to its wide personal scope and despite the applied principle of proportionality, the implementation period may not be sufficient, especially for entities lacking experience with the ICT risk management areas mentioned or if the maturity of their processes fails to reach adequate levels.
