The Digital Operational Resilience Act (DORA)


28 June 2022, European Council, Update - Council presidency and European Parliament reach political agreement

The Council presidency and the European Parliament reached a political agreement on the directive on the resilience of critical entities. Work will now continue at technical level to finalise the provisional agreement on the full legal text. This agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.

This directive aims to reduce the vulnerabilities and strengthen the physical resilience of critical entities. These are entities providing vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend. They need to be able to prepare for, cope with, protect against, respond to and recover from natural disasters, terrorist threats, health emergencies or hybrid attacks.

The text agreed today covers critical entities in a number of sectors, such as energy, transport, health, drinking water, waste water and space. Central public administrations will also be covered by some of the provisions of the draft directive.

Member states will need to have a national strategy to enhance the resilience of critical entities, carry out a risk assessment at least every four years and identify the critical entities that provide essential services. Critical entities will need to identify the relevant risks that may significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the competent authorities.

The proposal for a directive also establishes rules for the identification of critical entities of particular European significance. A critical entity is considered of particular European significance if it provides an essential service to six or more member states. In this case, the Commission may be requested by the member states to organise an advisory mission or it may itself propose, with the agreement of the member state concerned, to assess the measures the entity concerned has put in place to meet the obligations related to the directive.



11 May 2022, European Council - Provisional agreement reached on the Digital Operational Resilience Act (DORA)

The EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms. The Council presidency and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which will make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption.

DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information and Communication Technologies)-related services to them, such as cloud platforms or data analytics services.

DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogeneous across all EU member states. The core aim is to prevent and mitigate cyber threats.

Under the provisional agreement, the new rules will constitute a very robust framework that boosts the IT security of the financial sector. The efforts asked from financial entities will be proportional to the potential risks.

Almost all financial entities will be subject to the new rules. Under the provisional agreement, auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.

Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.

As regards the oversight framework, the co-legislators agreed to opt for an additional joint oversight network which will strengthen the coordination between the European supervisory authorities on this cross-sectoral topic.

Under the provisional agreement, penetration tests shall be carried out in functioning mode, and it will be possible to include several member states’ authorities in the test procedures. The use of internal auditors will be possible only in a number of strictly limited circumstances, subject to safeguard conditions.

As regards the interaction of DORA with the Network and Information Security (NIS) directive, under the provisional agreement financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular for those financial entities holding several authorisations and operating in different markets within the EU. The NIS directive continues to apply. DORA builds on the NIS directive and addresses possible overlaps via a lex specialis exemption.

The provisional agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.

Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.

Background

The Commission came forward with the DORA proposal on 24 September 2020. It is part of the larger digital finance package, which aims to develop a European approach that fosters technological development and ensures financial stability and consumer protection. In addition to the DORA proposal, the package contains a digital finance strategy, a proposal on markets in crypto-assets (MiCA) and a proposal on distributed ledger technology (DLT).

This package bridges a gap in existing EU legislation by ensuring that the current legal framework does not pose obstacles to the use of new digital financial instruments and, at the same time, ensures that such new technologies and products fall within the scope of financial regulation and operational risk management arrangements of firms active in the EU. Thus, the package aims to support innovation and the uptake of new financial technologies while providing for an appropriate level of consumer and investor protection.

The Council adopted its negotiating mandate on DORA on 24 November 2021. Trilogues between the co-legislators started on 25 January 2022 and ended in the provisional agreement reached yesterday.



The Digital Operational Resilience Act (DORA)

The Act is part of the digital finance package, a package of measures to further enable and support the potential of digital finance in terms of innovation and competition while mitigating the risks arising from it. It is in line with the Commission priorities to make Europe fit for the digital age and to build a future-ready economy that works for the people.

The digital finance package includes a new Strategy on digital finance for the EU financial sector with the aim to ensure that the EU embraces the digital revolution and drives it with innovative European firms in the lead, making the benefits of digital finance available to consumers and businesses.

In addition to this proposal, the package also includes a proposal for a regulation on markets in crypto assets, a proposal for a regulation on a pilot regime on distributed ledger technology (DLT) market infrastructure, and a proposal for a directive to clarify or amend certain related EU financial services rules.

Digitalisation and operational resilience in the financial sector are two sides of the same coin. Digital, or Information and Communication Technologies (ICT), gives rise to opportunities as well as risks. These need to be well understood and managed, especially in times of stress.

Policymakers and supervisors have therefore increasingly focused on risks stemming from reliance on ICT. They have notably tried to enhance firms’ resilience through the setting of standards and through the coordination of regulatory or supervisory work. This work has been carried out at both international and European level, and both across industries as well as for a number of specific sectors, including financial services.

ICT risks nevertheless continue to pose a challenge to the operational resilience, performance and stability of the EU financial system. The reform that followed the 2008 financial crisis primarily strengthened the financial resilience of the EU financial sector, only addressing ICT risks indirectly in some areas, as part of the measures to address operational risks more broadly.

While the post-crisis changes to the EU financial services legislation put in place a Single Rulebook governing large parts of the financial risks associated with financial services, they did not fully address digital operational resilience.

The measures taken in relation to the latter were characterised by a number of features that limited their effectiveness. For example, they were often devised as minimum harmonisation directives or principles-based regulations, leaving substantial room for diverging approaches across the Single Market. In addition, there has been only limited or incomplete focus on ICT risks in the context of operational risk coverage.

Finally, these measures vary across the sectoral financial services legislation. Thus, the intervention at Union level did not fully match what European financial entities needed for managing operational risks in a way that withstands, responds to and recovers from the impacts of ICT incidents. Nor did it provide financial supervisors with the most adequate tools to fulfil their mandates to prevent financial instability stemming from the materialisation of those ICT risks.

The absence of detailed and comprehensive rules on digital operational resilience at EU level has led to the proliferation of national regulatory initiatives (e.g. on digital operational resilience testing) and supervisory approaches (e.g. addressing ICT third-party dependencies).

Action at Member State level, however, only has a limited effect given the cross-border nature of ICT risks. Moreover, the uncoordinated national initiatives have resulted in overlaps, inconsistencies, duplicative requirements, high administrative and compliance costs - especially for cross-border financial entities - or in ICT risks remaining undetected and hence unaddressed. This situation fragments the single market, undermines the stability and integrity of the EU financial sector, and jeopardises the protection of consumers and investors.

It is therefore necessary to put in place a detailed and comprehensive framework on digital operational resilience for EU financial entities. This framework will deepen the digital risk management dimension of the Single Rulebook.

In particular, it will enhance and streamline the financial entities’ conduct of ICT risk management, establish a thorough testing of ICT systems, increase supervisors’ awareness of cyber risks and ICT-related incidents faced by financial entities, as well as introduce powers for financial supervisors to oversee risks stemming from financial entities’ dependency on ICT third-party service providers. The proposal will create a consistent incident reporting mechanism that will help reduce administrative burdens for financial entities, and strengthen supervisory effectiveness.



Legal basis of the Digital Operational Resilience Act (DORA)

The proposal for regulation is based on Article 114 of the Treaty on the Functioning of the European Union (TFEU). It removes obstacles to, and improves the establishment and functioning of the internal market for financial services by harmonising the rules applicable in the area of ICT risk management, reporting, testing and ICT third-party risk.

Current disparities in this area, both at legislative and supervisory levels, as well as at national and EU levels, act as obstacles to the single market in financial services because financial entities that engage in cross-border activities face different, if not overlapping, regulatory requirements or supervisory expectations with the potential to impede the exercise of their freedoms of establishment and of provision of services.

Different rules also distort competition between the same type of financial entities in different Member States. Moreover, in areas where harmonisation is absent, partial or limited, the development of divergent national rules or approaches, either already in force or in the process of adoption and implementation at national level, can act as a deterrent to the single market freedoms for financial services. This is particularly the case as regards digital operational testing frameworks and the oversight of critical ICT third-party service providers.

As the proposal has an impact on several Directives of the European Parliament and of the Council adopted on the basis of Article 53(1) of the TFEU, a proposal for a Directive is also adopted at the same time to reflect the necessary amendments to those Directives.



The Digital Operational Resilience Act (DORA), news and alerts

This website belongs to Cyber Risk GmbH (established in Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341). We are carefully monitoring the new legal and regulatory obligations that follow the Digital Operational Resilience Act (DORA). We learn the requirements for EU and non-EU firms and entities, update our training programs accordingly, and inform our clients and the recipients of our monthly newsletter. For news and developments about the Digital Operational Resilience Act (DORA), you can receive our monthly newsletter at no cost (you may visit Cyber Risk GmbH, Reading Room, links at the top of the page). You may also visit this website.
