The Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554



What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (Regulation (EU) 2022/2554), commonly known as DORA, addresses a critical gap in EU financial regulation. Prior to DORA, financial institutions primarily managed operational risks by allocating capital to cover potential losses. This approach failed to encompass all aspects of operational resilience, particularly in relation to Information and Communication Technology (ICT).

With the introduction of DORA, financial institutions are now required to follow stringent guidelines for safeguarding against ICT-related incidents. These include measures for protection, detection, containment, recovery, and repair. DORA explicitly targets ICT risks, introducing clear rules for ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks.

The regulation recognizes that ICT incidents and a lack of operational resilience can threaten the stability of the entire financial system, even when "adequate" capital is allocated to traditional risk categories. DORA closes this gap by ensuring that operational resilience is not merely about financial buffers, but about the ability to withstand and recover from ICT disruptions.


According to Article 1, Subject matter:

1. In order to achieve a high common level of digital operational resilience, this Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities as follows:


(a) requirements applicable to financial entities in relation to:

(i) information and communication technology (ICT) risk management;

(ii) reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;

(iii) reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d);

(iv) digital operational resilience testing;

(v) information and intelligence sharing in relation to cyber threats and vulnerabilities;

(vi) measures for the sound management of ICT third-party risk;


(b) requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;


(c) rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities;


(d) rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.


15 November 2024 - Decision from EBA, EIOPA and ESMA on the information that competent authorities must report to them for the designation of critical ICT third-party service providers under DORA.

Following the entry into force of DORA on 17 January 2025, the ESAs, together with competent authorities, will start the oversight of critical ICT third-party service providers (CTPPs) offering services to financial entities in the EU. The first oversight activity is the designation of CTPPs.

The Decision provides a general framework for the annual reporting to the ESA of the information necessary for the CTPP designation, including: timelines, frequency and reference dates, general procedures for the submission of information, quality assurance and revisions of submitted data, as well as confidentiality and access to information.

As the deadline for the first submission of the registers of information to the ESAs is set for 30 April 2025, the ESAs expect competent authorities to collect the registers of information from the financial entities under their supervision in advance, following their own timelines.

https://www.eba.europa.eu/publications-and-media/press-releases/esas-announce-timeline-collect-information-designation-critical-ict-third-party-service-providers


15 October 2024 - ESAs respond to the European Commission’s rejection of technical standards under the Digital Operational Resilience Act

The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) issued an Opinion on the European Commission’s (EC) rejection of the draft Implementing Technical Standards (ITS) on the registers of information under the Digital Operational Resilience Act (DORA). The ESAs raise concerns over the impacts and practicalities of the proposed EC changes to the draft ITS on the registers of information in relation to financial entities’ contractual arrangements with ICT third-party service providers.

https://www.eba.europa.eu/publications-and-media/press-releases/esas-respond-european-commissions-rejection-technical-standards-registers-information-under-digital


The European Commission’s rejection of technical standards under the Digital Operational Resilience Act

"The Commission considers it necessary to take a more proportionate approach to the drafting of the ITS, in particular with regard to requirements relating to legal identifiers for ICT third-party service providers.

Against this background, we reject the draft ITS on mainly one specific aspect of the proposed Implementing Regulation, namely the mandatory use of LEI for ICT third-party service providers under Article 3(5) and (6) of the draft ITS. The Commission considers that it is necessary to give these companies a choice between the LEI and the European Unique Identifier (EUID), as for the majority of EU companies this EU identifier is already attributed free of charge."

https://finance.ec.europa.eu/document/download/d7f731c6-39a7-42e5-bd4b-f28434b7d51d_en?filename=240723-letter-esma-dora-register-information_en.pdf


1 October 2024 - ESAs appoint Director to lead their DORA joint oversight

The three European Supervisory Authorities (EBA, EIOPA and ESMA – ESAs) have appointed Marc Andries to lead their new joint Directorate in charge of oversight activities for critical third-party providers established by the Digital Operational Resilience Act (DORA). Marc Andries takes up his new role as Director for DORA joint oversight on 1 October 2024.

In his role as DORA Joint Oversight Director, Marc Andries will be responsible for implementing and running an oversight framework for critical ICT third-party service providers (CTPPs) at a pan-European scale, contributing to the smooth operations and stability of the EU financial sector.


26 July 2024 - Final report on Draft Regulatory Technical Standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554

Next step: The European Supervisory Authorities (ESAs) will submit the draft Regulatory Technical Standard to the European Commission for adoption.

What does it mean for us? Article 30(2) of DORA requires the following from financial entities: “the contractual arrangements on the use of ICT services shall include at least the following elements[…] a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting”.

In accordance with Article 30(5) of DORA, “the European Supervisory Authorities shall, through the Joint Committee, develop draft regulatory technical standards to specify further the elements referred to in paragraph 2, point (a), which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions”.

According to the draft Regulatory Technical Standard, the provision of ICT services to financial entities often depends on a complex chain of ICT subcontractors whereby ICT third-party service providers may enter into one or more subcontracting arrangements with other ICT third-party service providers.

While this indirect reliance on ICT subcontractors may affect financial entities’ ability to identify, assess and manage their risks, including risks linked to gaps in the information provided by ICT third-party service providers and to the financial entities' limited ability to obtain information from ICT subcontractors providing ICT services supporting critical or important functions or material parts thereof, it cannot reduce the responsibility of the financial entities and their management bodies to manage their risks and to comply with their legislative and regulatory requirements.

To mitigate the subcontracting risks, it is necessary to specify all the conditions under which ICT third-party service providers can use subcontractors for the provision of ICT services supporting critical or important functions. For this purpose, ICT contractual arrangements between financial entities and ICT third-party service providers should set out such conditions, including the planning of subcontracting arrangements, the risk assessments, the due diligence, and the approval process for new ICT subcontracting arrangements on ICT services supporting critical or important functions or material parts thereof, or material changes to existing ones made by the ICT third-party service provider.


17 July 2024 - Four final draft regulatory technical standards (RTS), one set of Implementing Technical Standards (ITS), and two guidelines.

The European Supervisory Authorities (EBA, EIOPA and ESMA) published four final draft regulatory technical standards (RTS), one set of Implementing Technical Standards (ITS) and two guidelines, under the Digital Operational Resilience Act (DORA):

1. Draft Regulatory Technical Standards on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents, and Draft Implementing Technical Standards on the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat.

https://www.esma.europa.eu/sites/default/files/2024-07/JC_2024-33_-_Final_report_on_the_draft_RTS_and_ITS_on_incident_reporting.pdf

Next steps - The final draft RTS will be submitted to the Commission for adoption. Following the adoption, the RTS will be subject to scrutiny by the European Parliament and the Council and then will be published in the Official Journal of the European Union.


2. Final Report - Draft Regulatory Technical Standards on harmonisation of conditions enabling the conduct of the oversight activities.

https://www.esma.europa.eu/sites/default/files/2024-07/JC_2024-35_-_Final_report_on_RTS_on_harmonisation_of_conditions_for_OVS_conduct.pdf

Next steps - The ESAs will submit the final draft RTS to the European Commission for adoption. Following its adoption in the form of a Commission Delegated Regulation, it will then be subject to scrutiny of the European Parliament and the Council before publication in the Official Journal of the European Union. The expected date of application of these technical standards is 17 January 2025.


3. Final Report - Draft regulatory technical standard on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1)(c) of Regulation (EU) 2022/2554.

https://www.esma.europa.eu/sites/default/files/2024-07/JC_2024_54_-_Final_Report_RTS_on_JET.pdf

Next steps - The ESAs will submit the final draft RTS to the European Commission for adoption. The European Commission may decide whether to merge this draft RTS into a single RTS with the other draft RTS based on the mandates under Article 41(1)(a), (b), and (d) of DORA. Following its adoption in the form of a Commission Delegated Regulation, it will then be subject to scrutiny of the European Parliament and the Council before publication in the Official Journal of the European Union. The expected date of application of these regulatory technical standards is 17 January 2025.


4. Final Report - Draft Regulatory Technical Standards specifying elements related to threat led penetration tests under Article 26(11) of Regulation (EU) 2022/2554.

https://www.esma.europa.eu/sites/default/files/2024-07/JC_2024-29_-_Final_report_DORA_RTS_on_TLPT.pdf

Next steps - The ESAs will submit the final draft RTS to the European Commission for adoption. Following its adoption in the form of a Commission Delegated Regulation, it will then be subject to scrutiny of the European Parliament and the Council before publication in the Official Journal of the European Union. The expected date of application of these technical standards is 17 January 2025.


5. Final Report - Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554.

https://www.esma.europa.eu/sites/default/files/2024-07/JC_2024-34_-_Final_report_GL_on_costs_and_losses.pdf

Next steps - The Joint Guidelines will be translated into the official EU languages and published on the ESAs' websites. The deadline for competent authorities to report whether they comply with the Guidelines will be two months after the publication of the translations. The Guidelines should apply from 17 January 2025.


6. Final Report on Joint Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under Regulation (EU) 2022/2554.

https://www.esma.europa.eu/sites/default/files/2024-07/JC_2024-36_-_Final_report_on_GL_on_oversight_cooperation.pdf

Next steps - The Guidelines will be translated into the official languages of the European Union and published on the websites of the ESAs. The deadline for competent authorities to notify the respective ESA whether they comply or intend to comply with the Guidelines will be two months after the publication of the translated Guidelines. The Guidelines should apply from 17 January 2025.


Important Note.

Article 20 of DORA mandates the European Supervisory Authorities (ESAs) to develop through the Joint Committee and in consultation with the European Central Bank and European Union Agency for Cybersecurity:

- Draft Regulatory Technical Standards (RTS) establishing the content of the reports for ICT-related incidents and the notification for significant cyber threats, and the time limits for financial entities (FEs) to report these incidents to competent authorities.

- Draft Implementing Technical Standards (ITS) establishing the standard forms, templates and procedures for FEs to report a major ICT-related incident or to notify a significant cyber threat.

Article 20 of DORA further requires the ESAs to ensure that the requirements of the draft RTS and ITS are proportionate and consistent with the approach for incident reporting under Directive (EU) 2022/2555 (NIS 2).


25 June 2024 - Publication in the Official Journal

1. Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.

2. Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.

3. Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework.


Important note for experts implementing the Digital Operational Resilience Act (DORA).

If you are implementing DORA, you must monitor the developments around the proposed Financial Data Access (FiDA) regulation.

Please read the official paper:

https://finance.ec.europa.eu/document/download/d8c27557-05cd-4d03-9db7-d195baa18cbc_en?filename=finance-events-230905-presentation_en.pdf



You will see the relationship between DORA and FiDA, even the need to amend DORA to bring Financial Information Service Providers (FISP) into the DORA scope.

Note: The proposed Financial Data Access (FiDA) Regulation introduces a new category of authorised Financial Information Service Providers (FISP), to ensure that only trusted and secure providers are eligible to access and process customer data in the financial sector.

Consumers will be protected with strong security safeguards against possible data misuse and data breaches as both data holders and data users will be bound by the rules of the Digital Operational Resilience Act (DORA).

We monitor FiDA at:

https://www.financial-data-access.com


The European Systemic Risk Board (ESRB) published the paper “Advancing macroprudential tools for cyber resilience – Operational policy tools, April 2024.”

According to the paper, the pan-European systemic cyber incident coordination framework (EU-SCICF) should build on the Digital Operational Resilience Act (DORA) for the financial sector and should complement existing frameworks (e.g. financial and cyber incident) as well as the Network and Information Security (NIS2) Directive and the Resilience of Critical Entities Directive (CER).

Read the paper at: Advancing macroprudential tools for cyber resilience – Operational policy tools, April 2024



18 April 2024, Consultation Paper from EBA - ESMA - EIOPA, Draft regulatory technical standard on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1) point (c) of Regulation (EU) 2022/2554

Regulation (EU) 2022/2554 (DORA) introduces a pan-European oversight framework of ICT third-party service providers designated as critical (CTPPs). As part of this oversight framework, the ESAs (EBA, ESMA, EIOPA) have been mandated under Article 41(1) to develop draft regulatory technical standards (RTS) to harmonise the conditions enabling the conduct of oversight activities.

According to the mandate, the draft RTS shall specify:

a) the information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical;

b) the information to be submitted by the ICT third-party service providers that is necessary for the Lead Overseer (LO) to carry out its duties;

c) the criteria for determining the composition of the joint examination team, their designation, tasks, and working arrangements;

d) the details of the competent authorities’ assessment of the measures taken by CTPPs based on the recommendations of the LO.

Next steps: The ESAs will consider the feedback received when finalising the draft RTS following this public consultation. The ESAs expect to submit the RTS by 17 July 2024 to the European Commission for adoption.

Read the paper: 18 April 2024, Consultation Paper from EBA - ESMA - EIOPA, Draft regulatory technical standard on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1) point (c) of Regulation (EU) 2022/2554



17 January 2024, important update - We have the first set of final draft technical standards under the Digital Operational Resilience Act (DORA).

The three European Supervisory Authorities (ESAs) - the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) - published the first set of final draft technical standards under the Digital Operational Resilience Act (DORA).

The joint final draft technical standards are:

1. JC 2023 83 - Final report on Draft Regulatory Technical Standards specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats under Regulation (EU) 2022/2554.

Next step: The final draft Regulatory Technical Standards (RTS) will be submitted to the European Commission for adoption. Following the adoption, the RTS will be subject to scrutiny by the European Parliament and the Council and then will be published in the Official Journal of the European Union. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.


2. JC 2023 84 - Final report on Draft Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by Regulation (EU) 2022/2554.

Next step: The final draft Regulatory Technical Standards (RTS) will be submitted to the European Commission for adoption. Following the adoption, the RTS will be subject to scrutiny by the European Parliament and the Council and then will be published in the Official Journal of the European Union. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.


3. JC 2023 85 - Final Report On Draft Implementing Technical Standards on the standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers under Article 28(9) of Regulation (EU) 2022/2554.

Next step: The final draft Implementing Technical Standards (ITS) will be submitted to the European Commission for adoption. Following the adoption, the ITS will be subject to scrutiny by the European Parliament and the Council and then will be published in the Official Journal of the European Union. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.


4. JC 2023 86 - Final report, Draft Regulatory Technical Standards to further harmonise ICT risk management tools, methods, processes and policies as mandated under Articles 15 and 16(3) of Regulation (EU) 2022/2554.

Next step: The ESAs will submit the final draft Regulatory Technical Standards (RTS) to the European Commission for adoption. Following its adoption in the form of a Commission Delegated Regulation, it will then be subject to scrutiny of the European Parliament and the Council before publication in the Official Journal of the European Union. The expected date of application of these technical standards is 17 January 2025.


29 September 2023 - Joint European Supervisory Authorities’ Technical Advice. The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published their joint response to the European Commission’s Call for Advice on two EC delegated acts under the Digital Operational Resilience Act (DORA) specifying criteria for critical ICT third-party service providers (CTPPs) and determining oversight fees levied on such providers. You can find the paper at the "DORA LINKS" (at the top of this web page).


18 September 2023 - Commission Guidelines about the relationship between the NIS 2 Directive and the Digital Operational Resilience Act (DORA).

The Commission Guidelines on the application of Article 4(1) and (2) of the NIS 2 Directive, which were published in the Official Journal of the European Union on 18 September 2023, cover some of the major areas of concern for entities that try to understand whether they must comply with the NIS 2 Directive, or with the Digital Operational Resilience Act (DORA) and other sector-specific Union legal acts.

Article 4(1) of the NIS 2 Directive provides that, where sector-specific Union legal acts (like DORA, that applies in the financial sector) require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in the NIS 2 Directive, the relevant provisions of the NIS 2 Directive shall not apply to such entities. The sector-specific provisions will apply.

That provision further provides that where sector-specific Union legal acts do not cover all entities in a specific sector falling within the scope of the NIS 2 Directive, the relevant provisions of the NIS 2 Directive shall continue to apply to the entities not covered by those sector-specific Union legal acts.

Article 4(2)(a) of the NIS 2 Directive provides that cybersecurity risk-management measures that essential or important entities are required to adopt under sector-specific Union legal acts shall be considered to be equivalent in effect to the obligations laid down in the NIS 2 Directive, where those measures are at least equivalent in effect to those laid down in Article 21(1) and (2) of the NIS 2 Directive.

When assessing whether the requirements in a sector-specific Union legal act on cybersecurity risk-management measures are at least equivalent in effect to those laid down in Article 21(1) and (2) of the NIS 2 Directive, the requirements in that sector-specific Union legal act should, at a minimum, correspond to the requirements of those provisions or go beyond them, meaning that the sector-specific provisions may be more granular on substance compared to the corresponding provisions of the NIS 2 Directive.

An important consideration when assessing the equivalence of a sector-specific Union legal act with the requirements of Article 21(1) and (2) of the NIS 2 Directive is that the cybersecurity risk-management measures required by the sector-specific Union legal act should be based on an ‘all-hazard approach’.

Since threats to the security of network and information systems could have different origins, any type of event can have a negative impact on the network and information systems of the entity and potentially lead to an incident. Therefore, the cybersecurity risk-management measures taken by the entity should protect not only the entity’s network and information systems, but also the physical environment of those systems, from any event such as sabotage, theft, fire, flood, telecommunication or power failures, or unauthorised physical access that is capable of compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.

Consequently, the cybersecurity risk-management measures required by a sector-specific Union legal act should specifically address the physical and environmental security of network and information systems from systems failure, human error, malicious acts, or natural phenomena.


NIS 2 and DORA.

The Commission Guidelines about the relationship between the NIS 2 Directive and the Digital Operational Resilience Act (DORA) of 18 September 2023, further explain the following in the Appendix:

Article 1(2) of DORA provides that, in relation to financial entities covered by the NIS 2 Directive and its corresponding national transposition rules, DORA shall be considered a sector-specific Union legal act for the purposes of Article 4 of the NIS 2 Directive.

This statement is mirrored in recital (28) of the preamble to the NIS 2 Directive, which says that DORA should be considered a sector-specific Union legal act in relation to the NIS 2 Directive with regard to financial entities.

Consequently, the provisions of DORA relating to information and communication technology (ICT) risk management (Article 6 et seq.), management of ICT-related incidents and, in particular, major ICT-related incident reporting (Article 17 et seq.), as well as on digital operational resilience testing (Article 24 et seq.), information-sharing arrangements (Article 25) and ICT third-party risk (Article 28 et seq.) shall apply instead of those provided for in the NIS 2 Directive.

Member States should therefore not apply the provisions of the NIS 2 Directive on cybersecurity risk-management and reporting obligations, and supervision and enforcement, to financial entities covered by DORA.


27 December 2022 - We have the final text. The Digital Operational Resilience Act (DORA) was published in the Official Journal of the European Union as Regulation (EU) 2022/2554.

Full name: The full name is "Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)".

Deadline:

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from 17 January 2025.

Remember, the Digital Operational Resilience Act (DORA) is a Regulation, not a Directive, so it is binding in its entirety and directly applicable in all EU Member States.

We are surprised to read in Article 58 that by 17 January 2026, the European Commission shall carry out a review and submit a report to the European Parliament and the Council, accompanied, where appropriate, by a legislative proposal, on the appropriateness of strengthened requirements for statutory auditors and audit firms as regards digital operational resilience, by means of the inclusion of statutory auditors and audit firms into the scope of this Regulation or by means of amendments to Directive 2006/43/EC.



28 November 2022 - The Council adopted the Digital Operational Resilience Act.

Given the ever-increasing risks of cyber attacks, the EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms. The Council adopted the Digital Operational Resilience Act (DORA) which will make sure that the financial sector in Europe is able to stay resilient through a severe operational disruption.

DORA applies to critical third parties which provide ICT (Information Communication Technologies)-related services to financial entities. It creates a regulatory framework on digital operational resilience, whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.

Now that the DORA proposal is formally adopted, aspects that require national transposition will be passed into law by each EU member state. At the same time, the relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.

The Digital Operational Resilience Act (DORA) aims first at consolidating and upgrading the ICT risk requirements addressed so far separately in the different Regulations and Directives. While those Union legal acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they could not comprehensively tackle, at the time of their adoption, all components of operational resilience.

The operational risk requirements, when further developed in these Union legal acts, often favoured a traditional quantitative approach to addressing risk (namely setting a capital requirement to cover ICT risks) rather than enshrining targeted qualitative requirements to boost capabilities through requirements aiming at the protection, detection, containment, recovery and repair capabilities against ICT-related incidents or through setting out reporting and digital testing capabilities. Those Directives and Regulations were primarily meant to cover essential rules on prudential supervision, market integrity or conduct.

The Digital Operational Resilience Act (DORA) consolidates and updates rules on ICT risk. All provisions addressing digital risk in finance will for the first time be brought together in a consistent manner in a single legislative act. This initiative will fill in the gaps or remedy inconsistencies in some of those legal acts, including in relation to the terminology used therein, and should explicitly refer to ICT risk via targeted rules on ICT risk management capabilities, reporting and testing and third-party risk monitoring.

Financial entities should follow the same approach and the same principle-based rules when addressing ICT risk. Consistency contributes to enhancing confidence in the financial system and preserving its stability, especially in times of heavy reliance on ICT systems, platforms and infrastructures, which entails increased digital risk. Observing basic cyber hygiene should also avoid imposing heavy costs on the economy by minimising the impact and costs of ICT disruptions.

The use of a regulation helps reduce regulatory complexity, fosters supervisory convergence and increases legal certainty, while also contributing to limiting compliance costs, especially for financial entities operating cross-border, and to reducing competitive distortions. The choice of a Regulation for the establishment of a common framework for the digital operational resilience of financial entities therefore appears to be the most appropriate way to guarantee a homogeneous and coherent application of all components of ICT risk management across the Union financial sectors.

It is crucial to maintain a strong relation between the financial sector and the Union horizontal cybersecurity framework. This would ensure consistency with the cyber security strategies already adopted by Member States, and allow financial supervisors to be made aware of cyber incidents affecting other sectors.

It is also important to ensure consistency with the European Critical Infrastructure (ECI) Directive, which is currently being reviewed in order to enhance the protection and resilience of critical infrastructures against non-cyber related threats, with possible implications for the financial sector.



28 June 2022, European Council, Update - Council presidency and European Parliament reach political agreement

The Council presidency and the European Parliament reached a political agreement on the directive on the resilience of critical entities. Work will now continue at technical level to finalise the provisional agreement on the full legal text. This agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.

This directive aims to reduce the vulnerabilities and strengthen the physical resilience of critical entities. These are entities providing vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend. They need to be able to prepare for, cope with, protect against, respond to and recover from natural disasters, terrorist threats, health emergencies or hybrid attacks.

The text agreed today covers critical entities in a number of sectors, such as energy, transport, health, drinking water, waste water and space. Central public administrations will also be covered by some of the provisions of the draft directive.

Member states will need to have a national strategy to enhance the resilience of critical entities, carry out a risk assessment at least every four years and identify the critical entities that provide essential services. Critical entities will need to identify the relevant risks that may significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the competent authorities.

The proposal for a directive also establishes rules for the identification of critical entities of particular European significance. A critical entity is considered of particular European significance if it provides an essential service to six or more member states. In this case, the Commission may be requested by the member states to organise an advisory mission or it may itself propose, with the agreement of the member state concerned, to assess the measures the entity concerned has put in place to meet the obligations related to the directive.



11 May 2022, European Council - Provisional agreement reached on the Digital Operational Resilience Act (DORA)

The EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms. The Council presidency and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which will make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption.

DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services.

DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogeneous across all EU member states. The core aim is to prevent and mitigate cyber threats.

Under the provisional agreement, the new rules will constitute a very robust framework that boosts the IT security of the financial sector. The efforts asked from financial entities will be proportional to the potential risks.

Almost all financial entities will be subject to the new rules. Under the provisional agreement, auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.

Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.

As regards the oversight framework, the co-legislators agreed to opt for an additional joint oversight network which will strengthen the coordination between the European supervisory authorities on this cross-sectoral topic.

Under the provisional agreement, penetration tests shall be carried out in functioning mode, and it will be possible to include several member states’ authorities in the test procedures. The use of internal auditors will be possible only in a number of strictly limited circumstances, subject to safeguard conditions.

As regards the interaction of DORA with the Network and Information Security (NIS) directive, under the provisional agreement financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular for those financial entities holding several authorisations and operating in different markets within the EU. The NIS directive continues to apply. DORA builds on the NIS directive and addresses possible overlaps via a lex specialis exemption.

The provisional agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.

Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.

Background

The Commission came forward with the DORA proposal on 24 September 2020. It is part of the larger digital finance package, which aims to develop a European approach that fosters technological development and ensures financial stability and consumer protection. In addition to the DORA proposal, the package contains a digital finance strategy, a proposal on markets in crypto-assets (MiCA) and a proposal on distributed ledger technology (DLT).

This package bridges a gap in existing EU legislation by ensuring that the current legal framework does not pose obstacles to the use of new digital financial instruments and, at the same time, ensures that such new technologies and products fall within the scope of financial regulation and operational risk management arrangements of firms active in the EU. Thus, the package aims to support innovation and the uptake of new financial technologies while providing for an appropriate level of consumer and investor protection.

The Council adopted its negotiating mandate on DORA on 24 November 2021. Trilogues between the co-legislators started on 25 January 2022 and ended in the provisional agreement reached yesterday.



The Digital Operational Resilience Act (DORA)

The Act is part of the digital finance package, a package of measures to further enable and support the potential of digital finance in terms of innovation and competition while mitigating the risks arising from it. It is in line with the Commission priorities to make Europe fit for the digital age and to build a future-ready economy that works for the people.

The digital finance package includes a new Strategy on digital finance for the EU financial sector, which aims to ensure that the EU embraces the digital revolution and drives it with innovative European firms in the lead, making the benefits of digital finance available to consumers and businesses.

In addition to this proposal, the package also includes a proposal for a regulation on markets in crypto assets, a proposal for a regulation on a pilot regime on distributed ledger technology (DLT) market infrastructure, and a proposal for a directive to clarify or amend certain related EU financial services rules.

Digitalisation and operational resilience in the financial sector are two sides of the same coin. Digital, or Information and Communication Technologies (ICT), gives rise to opportunities as well as risks. These need to be well understood and managed, especially in times of stress.

Policymakers and supervisors have therefore increasingly focused on risks stemming from reliance on ICT. They have notably tried to enhance firms’ resilience through the setting of standards and through the coordination of regulatory or supervisory work. This work has been carried out at both international and European level, and both across industries as well as for a number of specific sectors, including financial services.

ICT risks nevertheless continue to pose a challenge to the operational resilience, performance and stability of the EU financial system. The reform that followed the 2008 financial crisis primarily strengthened the financial resilience of the EU financial sector, only addressing ICT risks indirectly in some areas, as part of the measures to address operational risks more broadly.

While the post-crisis changes to the EU financial services legislation put in place a Single Rulebook governing large parts of the financial risks associated with financial services, they did not fully address digital operational resilience.

The measures taken in relation to the latter were characterised by a number of features that limited their effectiveness. For example, they were often devised as minimum harmonisation directives or principle-based regulations, leaving substantial room for diverging approaches across the Single Market. In addition, there has been only limited or incomplete focus on ICT risks in the context of operational risk coverage.

Finally, these measures vary across the sectoral financial services legislation. Thus, the intervention at Union level did not fully match what European financial entities needed in order to manage operational risks in a way that withstands, responds to and recovers from the impacts of ICT incidents. Nor did it provide financial supervisors with the most adequate tools to fulfil their mandates to prevent financial instability stemming from the materialisation of those ICT risks.

The absence of detailed and comprehensive rules on digital operational resilience at EU level has led to the proliferation of national regulatory initiatives (e.g. on digital operational resilience testing) and supervisory approaches (e.g. addressing ICT third-party dependencies).

Action at Member State level, however, only has a limited effect given the cross-border nature of ICT risks. Moreover, the uncoordinated national initiatives have resulted in overlaps, inconsistencies, duplicative requirements and high administrative and compliance costs - especially for cross-border financial entities - or in ICT risks remaining undetected and hence unaddressed. This situation fragments the single market, undermines the stability and integrity of the EU financial sector, and jeopardises the protection of consumers and investors.

It is therefore necessary to put in place a detailed and comprehensive framework on digital operational resilience for EU financial entities. This framework will deepen the digital risk management dimension of the Single Rulebook.

In particular, it will enhance and streamline the financial entities’ conduct of ICT risk management, establish a thorough testing of ICT systems, increase supervisors’ awareness of cyber risks and ICT-related incidents faced by financial entities, as well as introduce powers for financial supervisors to oversee risks stemming from financial entities’ dependency on ICT third-party service providers. The proposal will create a consistent incident reporting mechanism that will help reduce administrative burdens for financial entities, and strengthen supervisory effectiveness.



Legal basis of the Digital Operational Resilience Act (DORA)

The proposal for regulation is based on Article 114 of the Treaty on the Functioning of the European Union (TFEU). It removes obstacles to, and improves the establishment and functioning of the internal market for financial services by harmonising the rules applicable in the area of ICT risk management, reporting, testing and ICT third-party risk.

Current disparities in this area, at both the legislative and supervisory levels as well as at national and EU levels, act as obstacles to the single market in financial services, because financial entities that engage in cross-border activities face different, if not overlapping, regulatory requirements or supervisory expectations, with the potential to impede the exercise of their freedoms of establishment and of provision of services.

Different rules also distort competition between the same type of financial entities in different Member States. Moreover, in areas where harmonisation is absent, partial or limited, the development of divergent national rules or approaches, either already in force or in the process of adoption and implementation at national level, can act as a deterrent to the single market freedoms for financial services. This is particularly the case as regards digital operational testing frameworks and the oversight of critical ICT third-party service providers.

As the proposal has an impact on several Directives of the European Parliament and of the Council adopted on the basis of Article 53(1) of the TFEU, a proposal for a Directive is also adopted at the same time to reflect the necessary amendments to those Directives.
