Financial institutions and third-party ICT providers will have to strengthen their IT security organisations, as the European Digital Operational Resilience Act (DORA) is expected to be fully applicable in early 2025 after a two-year implementation period.
Earlier this year, the European Parliament and the Council of the European Union reached provisional agreement on the Digital Operational Resilience Act (DORA). The provisional agreement has yet to be given the final green light by the Council and Parliament before the regulation can be formally adopted. That agreement is expected later this year.
The DORA is expected to enter into force in Q1 of 2023 and to be fully applicable in early 2025, after a two-year implementation period.
DORA is part of the broader "Digital Finance Package", which aims to develop a European approach that promotes technological development and ensures financial stability and consumer protection.
Due to the ever-increasing risk of cyberattacks, the EU aims to strengthen the IT security of financial institutions such as banks, insurance companies and investment firms by means of DORA. DORA aims to ensure that the European financial sector can continue to operate resiliently in the event of serious operational disruptions.DORA aims to ensure that the European financial sector can continue to operate resiliently in the event of serious operational disruptions. To this end, DORA establishes uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector and of critical third parties providing them with ICT-related services, such as cloud platforms. The package sets specific requirements for IT risk management, testing of IT systems and outsourcing to critical digital service providers.
In a nutshell, DORA creates a regulatory framework for digital operational resilience, which means that all companies that fall within its scope must ensure that they are able to withstand, respond to and recover from ICT-related disruptions and threats.
In light of the short period before DORA enters into force, the financial sector must start preparing for the impact it will have on their IT framework and governance.
In this longread, we look at the important requirements that DORA brings.
DORA; an outline impact analysis
DORA brings impactful changes to the following sub-areas:
Digital operational resilience
DORA will establish standardised EU standards for testing digital operational resilience. Testing requirements include vulnerability and network security assessments, gap analyses and software solution testing, as well as scenario-based testing, performance testing and penetration testing.
These requirements aim to establish a uniform approach to standards of operational resilience, bringing them within the scope of the EU for the first time.
Risk management
Under the new rules, financial sector companies must develop and maintain resilient ICT systems and tools that can identify and mitigate ICT risks in a consistent and reliable manner.
Where they are not already obliged to do so on the basis of sector-specific legislation, they will also have to introduce comprehensive business continuity policies and disaster recovery plans.
DORA also sets requirements for internal governance and control frameworks that must ensure proper management of all ICT risks. The board must approve these frameworks, supervise their implementation and is ultimately responsible. The board is thus expected to play an active and crucial role in complying with the requirements set by DORA. To encourage compliance with those requirements, awareness of cyber risks must also be stimulated at all levels of the organisation. In this respect, ICT is given an explicit place in the governance of financial enterprises.
Reporting and management of ICT incidents
Financial firms will need to design systems to monitor, identify and report significant ICT incidents to the competent authorities.
This new, standardised approach is likely to result in the creation of a new centralised EU body to oversee and facilitate incident reporting and management.
Sharing information
DORA encourages financial firms to share cybersecurity information and intelligence with firms in other Member States, in an effort to reduce the impact of cyber threats in financial services and strengthen response and recovery capabilities in the European financial sector as a whole.
Third-party risk management
DORA stipulates that third-party ICT providers, including cloud service providers, will be regulated by one of the European Supervisory Authorities (ESAs), which will have the power to request information, make recommendations and requests, carry out inspections and even impose sanctions for non-compliance with the new EU rules on risk management and operational resilience.
Financial firms will also need to assess and document all potential risks associated with their external ICT service providers and ensure that their contracts with such firms specify their legal obligations under the new legislation.
DORA also has an impact on third-party service providers: critical providers of ICT services to EU financial entities established in third countries will have to set up a subsidiary within the EU, so that it can be properly supervised.
Relationship to NIS
DORA thus includes many cybersecurity provisions for the financial sector. This raises the question of how DORA relates to more generic legislation in the field of cybersecurity, such as the existing NIS Directive. The NIS Directive aims to increase digital resilience in the European Union and to reduce the impact of cyber incidents.
The NIS Directive (in Dutch: the Netwerk en Informatiebeveiliging Richtlijn or NIB) focuses on the critical infrastructure of the member states. In the Netherlands, this includes energy and gas transport networks, the Port of Rotterdam, Amsterdam Airport Schiphol, water companies, large internet hubs, the nuclear sector, flood defences, but also the banking sector. The continuity of these sectors is of vital importance to Dutch society. If these services fail, it could lead to social disruption.
In the Netherlands, the NIS Directive has been implemented in the Network and Information Systems Security Act (Wet beveiliging network en informatiesystemen or Wbni) and the associated Network and Information Systems Security Decree (Besluit beveiliging network- en informatiesystemen or Bbni). The Wbni and Bbni prescribe security requirements, among other things, and thus include a duty of care for digital security. The Wbni also includes an obligation to report serious cyber incidents.
The NIS Directive and DORA could therefore overlap. However, DORA itself makes it clear that the NIS Directive continues to apply, including to financial entities that have multiple licenses and operate in different markets within the EU. DORA contains a lex specialis provision, which avoids any possible overlap with the NIS Directive, since a lex specialis (DORA) takes precedence over a lex generalis (NIS Directive).
Incidentally, the NIS Directive will soon be drastically revised. Under the current NIS Directive, the Member States have fairly broad national implementation options, which has led to differences in the level of cybersecurity between the Member States. This is undesirable. Renewed Directive NIS 2, yet to be introduced, aims to further harmonise cyber risk management. The scope of NIS 2 will also be considerably larger than it is now: the number of sectors will be expanded and the applicability will be determined by a size cap. In addition, NIS 2 limits the freedom of Member States to give their own interpretation to the rules. On 12 May 2022, the Council and Parliament reached agreement on the compromise text.
What's next?
Once the DORA proposal has been formally adopted, the relevant European supervisory authorities – such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) – will develop further technical standards that all financial services institutions will have to comply with.
The national competent authorities in the EU Member States will be responsible for supervising compliance and enforcing the regulations where necessary. Depending on the type of financial institution, that supervision will in future be the responsibility of the Dutch Central Bank (De Nederlandsche Bank) or the Netherlands Authority for the Financial Markets (Autoriteit Financiële markten) (or for significant institutions within the meaning of the SSM Regulation: the ECB).
In the meantime, the European financial sector will have to prepare for DORA’s entry into force, starting with an impact analysis on their current ICT risk framework.
With less than 3 months to go until DORA comes into force, this deserves your full attention!