The Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554

The three European Supervisory Authorities (ESAs) - the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) - published the first set of final draft technical standards under the Digital Operational Resilience Act (DORA).

The joint final draft technical standards are:

1. JC 2023 83 - Final report on Draft Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under Regulation (EU) 2022/2554.

Next step: The final draft Regulatory Technical Standards (RTS) will be submitted to the European Commission for adoption. Following the adoption, the RTS will be subject to scrutiny by the European Parliament and the Council and then will be published in the Official Journal of the European Union. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union

2. JC 2023 84 - Final report on Draft Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by Regulation (EU) 2022/2554.

Next step: The final draft Regulatory Technical Standards (RTS) will be submitted to the European Commission for adoption. Following the adoption, the RTS will be subject to scrutiny by the European Parliament and the Council and then will be published in the Official Journal of the European Union. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union

3. JC 2023 85 - Final Report On Draft Implementing Technical Standards on the standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers under Article 28(9) of Regulation (EU) 2022/2554.

Next step: The final draft Regulatory Technical Standards (RTS) will be submitted to the European Commission for adoption. Following the adoption, the RTS will be subject to scrutiny by the European Parliament and the Council and then will be published in the Official Journal of the European Union. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union

4. JC 2023 86 - Final report, Draft Regulatory Technical Standards to further harmonise ICT risk management tools, methods, processes and policies as mandated under Articles 15 and 16(3) of Regulation (EU) 2022/2554.

Next step: The ESAs will submit the final draft Regulatory Technical Standards (RTS) to the European Commission for adoption. Following its adoption in the form of a Commission Delegated Regulation, it will then be subject to scrutiny of the European Parliament and the Council before publication in the Official Journal of the European Union. The expected date of application of these technical standards is 17 January 2025.

29 September 2023 - Joint European Supervisory Authorities’ Technical Advice. The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published their joint response to the European Commission’s Call for Advice on two EC delegated acts under the Digital Operational Resilience Act (DORA) specifying criteria for critical ICT third-party service providers (CTPPs) and determining oversight fees levied on such providers. You can find the paper at the "DORA LINKS" (at the top of this web page).

18 September 2023 - Commission Guidelines about the relationship between the NIS 2 Directive and the Digital Operational Resilience Act (DORA).

The Commission Guidelines on the application of Article 4 (1) and (2) of the NIS 2 Directive, that was published at the Official Journal of the European Union the 18th of September 2023, covers some of the major areas of concern for entities that try to understand if they must comply with the NIS 2 Directive, or the Digital Operational Resilience Act (DORA) and other sector-specific Union legal acts.

Article 4(1) of the NIS 2 Directive provides that, where sector-specific Union legal acts (like DORA, that applies in the financial sector) require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in the NIS 2 Directive, the relevant provisions of the NIS 2 Directive shall not apply to such entities. The sector-specific provisions will apply.

That provision further provides that where sector-specific Union legal acts do not cover all entities in a specific sector falling within the scope of the NIS 2 Directive, the relevant provisions of the NIS 2 Directive shall continue to apply to the entities not covered by those sector-specific Union legal acts.

Article 4(2)(a) of the NIS 2 Directive provides that cybersecurity risk-management measures that essential or important entities are required to adopt under sector-specific Union legal acts shall be considered to be equivalent in effect to the obligations laid down in the NIS 2 Directive, where those measure are at least equivalent in effect to those laid down in Article 21(1) and (2) of the NIS 2 Directive.

When assessing whether the requirements in a sector-specific Union legal act on cybersecurity risk-management measures are at least equivalent in effect to those laid down in Article 21(1) and (2) of the NIS 2 Directive, the requirements in that sector-specific Union legal act should, at a minimum, correspond to the requirements of those provisions or go beyond them, meaning that the sector-specific provisions may be more granular on substance compared to the corresponding provisions of the NIS 2 Directive.

An important consideration when assessing the equivalence of a sector-specific Union legal act with the requirements of Article 21(1) and (2) of the NIS 2 Directive is that the cybersecurity risk-management measures required by the sector-specific Union legal act should be based on an ‘all-hazard approach’.

Since threats to the security of network and information systems could have different origins, any type of event can have a negative impact on the network information systems of the entity and potentially lead to an incident. Therefore, the cybersecurity risk-management measures taken by the entity should protect not only the entity’s network and information systems, but also the physical environment of those systems from any event such as sabotage, theft, fire, flood, telecommunication or power failures, or unauthorised physical access that are capable of compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.

Consequently, the cybersecurity risk-management measures required by a sector-specific Union legal act should specifically address the physical and environmental security of network and information systems from systems failure, human error, malicious acts, or natural phenomena.

NIS 2 and DORA.

The Commission Guidelines about the relationship between the NIS 2 Directive and the Digital Operational Resilience Act (DORA) of 18 September 2023, further explain the following in the Appendix:

Article 1(2) of DORA provides that, in relation to financial entities covered by the NIS 2 Directive and its corresponding national transposition rules, DORA shall be considered a sector-specific Union legal act for the purposes of Article 4 of the NIS 2 Directive.

This statement is mirrored in recital (28) of the preamble to the NIS 2 Directive, which says that DORA should be considered a sector-specific Union legal act in relation to the NIS 2 Directive with regard to financial entities.

Consequently, the provisions of DORA relating to information and communication technology (ICT) risk management (Article 6 et seq.), management of ICT-related incidents and, in particular, major ICT-related incident reporting (Article 17 et seq.), as well as on digital operational resilience testing, (Art 24 et seq.) information-sharing arrangements (Article 25) and ICT third-party risk (Article 28 et seq.) shall apply instead of those provided for in the NIS 2 Directive.

Member States should therefore not apply the provisions of the NIS 2 Directive on cybersecurity risk-management and reporting obligations, and supervision and enforcement, to financial entities covered by DORA.

27 December 2022 - We have the final text. The Digital Operational Resilience Act (DORA) was published in the Official Journal of the European Union as Regulation (EU) 2022/2554.

Full name: The full name is "Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)".

Deadline:

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from 17 January 2025.

Remember, the Digital Operational Resilience Act (DORA) is a Regulation, not a Directive, so it is binding in its entirety and directly applicable in all EU Member States.

We are surprised to read in Article 58 that by 17 January 2026, the European Commission shall carry out a review and submit a report to the European Parliament and the Council, accompanied, where appropriate, by a legislative proposal, on the appropriateness of strengthened requirements for statutory auditors and audit firms as regards digital operational resilience, by means of the inclusion of statutory auditors and audit firms into the scope of this Regulation or by means of amendments to Directive 2006/43/EC.

28 November 2022 - The Council adopted the Digital Operational Resilience Act.

Given the ever-increasing risks of cyber attacks, the EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms. The Council adopted the Digital Operational Resilience Act (DORA) which will make sure that the financial sector in Europe is able to stay resilient through a severe operational disruption.

DORA applies to critical third parties which provide ICT (Information Communication Technologies)-related services to financial entities. It creates a regulatory framework on digital operational resilience, whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.

Now that the DORA proposal is formally adopted, aspects that require national transposition will be passed into law by each EU member state. At the same time, the relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.

The Digital Operational Resilience Act (DORA) aims first at consolidating and upgrading the ICT risk requirements addressed so far separately in the different Regulations and Directives. While those Union legal acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they could not comprehensively tackle, at the time of their adoption, all components of operational resilience.

The operational risk requirements, when further developed in these Union legal acts, often favoured a traditional quantitative approach to addressing risk (namely setting a capital requirement to cover ICT risks) rather than enshrining targeted qualitative requirements to boost capabilities through requirements aiming at the protection, detection, containment, recovery and repair capabilities against ICT-related incidents or through setting out reporting and digital testing capabilities. Those Directives and Regulations were primarily meant to cover essential rules on prudential supervision, market integrity or conduct.

The Digital Operational Resilience Act (DORA) consolidates and updates rules on ICT risk. All provisions addressing digital risk in finance will for the first time be brought together in a consistent manner in a single legislative act. This initiative will fill in the gaps or remedy inconsistencies in some of those legal acts, including in relation to the terminology used therein, and should explicitly refer to ICT risk via targeted rules on ICT risk management capabilities, reporting and testing and third party risk monitoring.

Financial entities should follow the same approach and the same principle-based rules when addressing ICT risk. Consistency contributes to enhancing confidence in the financial system and preserving its stability especially in times of overuse of ICT systems, platforms and infrastructures, which entails increased digital risk. The respect of a basic cyber hygiene should also avoid imposing heavy costs on the economy by minimising the impact and costs of ICT disruptions.

The use of a regulation helps reducing regulatory complexity, fosters supervisory convergence, increases legal certainty, while also contributing to limiting compliance costs, especially for financial entities operating cross-border, and to reducing competitive distortions. The choice of a Regulation for the establishment of a common framework for the digital operational resilience of financial entities appears therefore the most appropriate way to guarantee a homogenous and coherent application of all components of the ICT risk management by the Union financial sectors.

It is crucial to maintain a strong relation between the financial sector and the Union horizontal cybersecurity framework would ensure consistency with the cyber security strategies already adopted by Member States, and allow financial supervisors to be made aware of cyber incidents affecting other sectors.

It is also important to ensure consistency with the European Critical Infrastructure (ECI) Directive, which is currently being reviewed in order to enhance the protection and resilience of critical infrastructures against non-cyber related threats, with possible implications for the financial sector.

28 June 2022, European Council, Update - Council presidency and European Parliament reach political agreement

The Council presidency and the European Parliament reached a political agreement on the directive on the resilience of critical entities. Work will now continue at technical level to finalise the provisional agreement on the full legal text. This agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.

This directive aims to reduce the vulnerabilities and strengthen the physical resilience of critical entities. These are entities providing vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend. They need to be able to prepare for, cope with, protect against, respond to and recover from natural disasters, terrorist threats, health emergencies or hybrid attacks.

The text agreed today covers critical entities in a number of sectors, such as energy, transport, health, drinking water, waste water and space. Central public administrations will also be covered by some of the provisions of the draft directive.

Member states will need to have a national strategy to enhance the resilience of critical entities, carry out a risk assessment at least every four years and identify the critical entities that provide essential services. Critical entities will need to identify the relevant risks that may significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the competent authorities.

The proposal for a directive also establishes rules for the identification of critical entities of particular European significance. A critical entity is considered of particular European significance if it provides an essential service to six or more member states. In this case, the Commission may be requested by the member states to organise an advisory mission or it may itself propose, with the agreement of the member state concerned, to assess the measures the entity concerned has put in place to meet the obligations related to the directive.

11 May 2022, European Council - Provisional agreement reached on the Digital Operational Resilience Act (DORA)

The EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms. The Council presidency and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which will make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption.

DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services.

DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.

Under the provisional agreement, the new rules will constitute a very robust framework that boosts the IT security of the financial sector. The efforts asked from financial entities will be proportional to the potential risks.

Almost all financial entities will be subject to the new rules. Under the provisional agreement, auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.

Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.

As regards the oversight framework, the co-legislators agreed to opt for an additional joint oversight network which will strengthen the coordination between the European supervisory authorities on this cross-sectoral topic.

Under the provisional agreement, penetration tests shall be carried out in functioning mode, and it will be possible to include several member states’ authorities in the test procedures. The use of internal auditors will be possible only in a number of strictly limited circumstances, subject to safeguard conditions.

As regards the interaction of DORA with the Network and Information Security (NIS) directive, under the provisional agreement financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular for those financial entities holding several authorisations and operating in different markets within the EU. The NIS directive continues to apply. DORA builds on the NIS directive and addresses possible overlaps via a lex specialis exemption.

The provisional agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.

Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.

Background

The Commission came forward with the DORA proposal on 24 September 2020. It is part of the larger digital finance package, which aims to develop a European approach that fosters technological development and ensures financial stability and consumer protection. In addition to the DORA proposal, the package contains a digital finance strategy, a proposal on markets in crypto-assets (MiCA) and a proposal on distributed ledger technology (DLT).

This package bridges a gap in existing EU legislation by ensuring that the current legal framework does not pose obstacles to the use of new digital financial instruments and, at the same time, ensures that such new technologies and products fall within the scope of financial regulation and operational risk management arrangements of firms active in the EU. Thus, the package aims to support innovation and the uptake of new financial technologies while providing for an appropriate level of consumer and investor protection.

The Council adopted its negotiating mandate on DORA on 24 November 2021. Trilogues between the co-legislators started on 25 January 2022 and ended in the provisional agreement reached yesterday.

The Digital Operational Resilience Act (DORA)

The Act is part of the digital finance package, a package of measures to further enable and support the potential of digital finance in terms of innovation and competition while mitigating the risks arising from it. It is in line with the Commission priorities to make Europe fit for the digital age and to build a future-ready economy that works for the people.

The digital finance package includes a new Strategy on digital finance for the EU financial sector 1 with the aim to ensure that the EU embraces the digital revolution and drives it with innovative European firms in the lead, making the benefits of digital finance available to consumers and businesses.

In addition to this proposal, the package also includes a proposal for a regulation on markets in crypto assets, a proposal for a regulation on a pilot regime on distributed ledger technology (DLT) market infrastructure, and a proposal for a directive to clarify or amend certain related EU financial services rules.

Digitalisation and operational resilience in the financial sector are two sides of the same coin. Digital, or Information and Communication Technologies (ICT), gives rise to opportunities as well as risks. These need to be well understood and managed, especially in times of stress.

Policymakers and supervisors have therefore increasingly focused on risks stemming from reliance on ICT. They have notably tried to enhance firms’ resilience through the setting of standards and through the coordination of regulatory or supervisory work. This work has been carried out at both international and European level, and both across industries as well as for a number of specific sectors, including financial services.

ICT risks nevertheless continue to pose a challenge to the operational resilience, performance and stability of the EU financial system. The reform that followed the 2008 financial crisis primarily strengthened the financial resilience of the EU financial sector, only addressing ICT risks indirectly in some areas, as part of the measures to address operational risks more broadly.

While the post-crisis changes to the EU financial services legislation put in place a Single Rulebook governing large parts of the financial risks associated with financial services, they did not fully address digital operational resilience.

The measures taken in relation to the latter were characterised by a number of features that limited their effectiveness. For example, they were often devised as minimum harmonisation directives or principled-based regulations, leaving substantial room for diverging approaches across the Single Market. In addition, there has been only some limited or incomplete focus on ICT risks in the context of the operational risk coverage.

Finally, these measures vary across the sectoral financial services legislation. Thus, the intervention at Union level did not fully match what European financial entities needed for managing operational risks in a way that withstand, respond and recover from impacts of ICT incidents. Nor did it provide financial supervisors with the most adequate tools to fulfil their mandates to prevent financial instability stemming from the materialization of those ICT risks.

The absence of detailed and comprehensive rules on digital operational resilience at EU level has led to the proliferation of national regulatory initiatives (e.g. on digital operational resilience testing) and supervisory approaches (e.g. addressing ICT third-party dependencies).

Action at Member State level, however, only has a limited effect given cross-border nature of ICT risks. Moreover, the uncoordinated national initiatives have resulted in overlaps, inconsistencies, duplicative requirements, high administrative and compliance costs - especially for cross-border financial entities - or in ICT risks remaining undetected and hence unaddressed. This situation fragments the single market, undermines the stability and integrity of the EU financial sector, and jeopardises the protection of consumers and investors.

It is therefore necessary to put in place a detailed and comprehensive framework on digital operational resilience for EU financial entities. This framework will deepen the digital risk management dimension of the Single Rulebook.

In particular, it will enhance and streamline the financial entities’ conduct of ICT risk management, establish a thorough testing of ICT systems, increase supervisors’ awareness of cyber risks and ICT-related incidents faced by financial entities, as well as introduce powers for financial supervisors to oversee risks stemming from financial entities’ dependency on ICT third-party service providers. The proposal will create a consistent incident reporting mechanism that will help reduce administrative burdens for financial entities, and strengthen supervisory effectiveness.

Legal basis of the Digital Operational Resilience Act (DORA)

The proposal for regulation is based on Article 114 of the Treaty on the Functioning of the European Union (TFEU). It removes obstacles to, and improves the establishment and functioning of the internal market for financial services by harmonising the rules applicable in the area of ICT risk management, reporting, testing and ICT third-party risk.

Current disparities in this area, both at legislative and supervisory levels, as well as national and EU levels, act as obstacles to the single market in financial services because financial entities that engage in cross-border activities face different, where not overlapping, regulatory requirements or supervisory expectations with the potential to impede the exercise of their freedoms of establishment and of provision of services.

Different rules also distort competition between the same type of financial entities in different Member States. Moreover, in areas where harmonisation is absent, partial or limited, the development of divergent national rules or approaches, either already in force or in the process of adoption and implementation at national level, can act as a deterrent to the single market freedoms for financial services. This is particularly the case as regards to digital operational testing frameworks and the oversight of critical ICT third-party service providers.

As the proposal has an impact on several Directives of the European Parliament and of the Council adopted on the basis of Article 53(1) of the TFEU, a proposal for a Directive is also adopted at the same time to reflect the necessary amends to those Directives.