Final countdown to DORA compliance

Contact People

Paris Tzoumas, Partner
Vivian Efthymiou, Associate
Theodore Konstantakopoulos, Partner
Vasileios Tzikas-Sotiriadis, Associate
Anastasia Makri, Partner
Smaragda Spyrou, Senior Associate

The clock is ticking: Financial entities must comply with the requirements stemming from Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) by 17 January 2025.

What is DORA?

DORA aims to enhance cybersecurity and safeguard the operational resilience of financial sector entities against Information and Communication Technology (ICT) related incidents, in view of the increasing ICT risks and the growth in digitalisation and interconnectedness.
DORA introduces rigorous obligations for financial institutions and, indirectly, for their third-party providers.

How could it be relevant for you?

DORA covers nearly all financial sector entities (FEs) in its scope (i.e. 20 types of financial sector entities, from credit institutions, payment and e-money institutions (including exempted payment and e-money institutions), investment firms, fund management companies, (re-)insurance undertakings and (re-)insurance intermediaries to crypto-asset service providers and crowdfunding service providers), as well as ICT third-party service providers.
Specific exemptions from the scope of application of DORA are explicitly provided in the Regulation, while member states were granted discretion to exclude certain entities (in Greece that would be the Deposits and Loans Fund).
We also expect the necessary national provisions transposing Directive (EU) 2022/2556, which adjusts the sectoral legal framework applicable to FEs to the DORA requirements.

What are the key pillars of DORA?

  1. ICT risk management: FEs shall have in place, on the basis of the proportionality principle, an internal governance and control framework (including policies and procedures adopted by their management body, tools and systems, an ICT audit plan, communication plans towards clients and counterparties, etc.). Several further arrangements shall be in place, e.g. a person or a member of senior management shall be designated as responsible for overseeing the related risk and documentation; the ICT risk management framework shall be reviewed periodically and reported to competent authorities; and ICT security awareness programmes and training shall also be adopted.

  2. ICT incident management and reporting: FEs must establish an ICT-related incident process to record and classify ICT-related incidents and determine their impacts; reporting of major ICT-related incidents to competent authorities is required, while notification of significant cyber threats, on a voluntary basis, is also provided. FEs’ clients must be informed without undue delay.

  3. Digital operational resilience testing: FEs will have to regularly test their operational resilience in accordance with their sound and comprehensive digital operational resilience testing programme to be adopted as part of the ICT risk management framework. Certain FEs shall ensure that such tests are undertaken by independent parties (whether internal or external). In addition, certain FEs will be subject to “advanced” testing by using threat-led penetration tests (TLPTs).

  4. ICT third-party risk management: FEs must manage ICT third-party risk as an integral component of ICT risk. Contractual arrangements must be in place and must include the list of provisions required under DORA, taking into account that ICT services supporting critical or important functions are subject to stricter requirements. Although in many cases such provisions may already be included in outsourcing agreements under the existing requirements of BoG Act 178/2020 on outsourcing arrangements, where applicable, a gap analysis between the two regimes is needed to ensure that FEs comply with the new requirements under DORA. A register of information on all contractual arrangements on the use of ICT services must be kept, and the relevant information must be reported to competent authorities.
     Certain ICT third-party service providers designated by the European Supervisory Authorities as “critical” will become subject to the direct oversight of EU financial authorities. Such providers established outside the EU may need to set up a subsidiary in the EU.

  5. Information and intelligence sharing: FEs may exchange among themselves cyber threat information and intelligence as per the provisions of the new regulation; FEs must notify competent authorities of their participation in the information-sharing arrangements.

Next steps

To ensure compliance:

  • Review and update: FEs will need to evaluate their current risk management practices and implement and/or adjust, on the basis of the proportionality principle, their internal procedures, policies and arrangements to align with DORA. A testing framework tailored to each FE must also be developed.

  • Optimise Incident Reporting: systems for classifying and reporting significant ICT incidents need to be implemented starting from 17 January 2025.

  • Adjust outsourcing: Outsourcing arrangements between FEs and ICT third-party service providers (including the subcontracting chain) must be reassessed and aligned with the DORA provisions.

  • Consider implications for non-EU ICT third-party providers: Such providers that are designated as critical must reassess their business model in light of the EU subsidiarisation requirement under DORA.