The European Union Digital Operational Resilience Act (DORA)


What is it?

The European Union’s (EU) Digital Operational Resilience Act (DORA) sets out various requirements for the security of the network and information systems that support the business operations of entities operating in and supporting the financial services sector. DORA is part of the European Commission’s (EC) Digital Finance Package and seeks to ensure financial sector entities can withstand disruptions and threats to their information and communication technology (ICT).

What are the main provisions?

DORA imposes various requirements on firms covering: (i) the provision, risk management, governance and operation of ICT systems; (ii) the management, classification and reporting of ICT-related incidents; (iii) digital operational resilience testing of ICT tools and systems; and (iv) sound management of ICT third-party risk. DORA also contains provisions to create a supervisory framework to oversee critical ICT third-party service providers.

DORA defines digital operational resilience as ‘the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.’

ICT Risk Management

DORA imposes obligations covering the governance and organisation of financial sector entities for the management of ICT risk, including requiring an entity’s management body to:

  • Put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality of data.

  • Set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions.

  • Set and approve a digital operational resilience strategy, including the determination of the appropriate risk tolerance level of ICT risk of the financial entity.

  • Approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy, ICT response and recovery plans, ICT internal audit plans, ICT audits and material modifications to them.

  • Allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff.

  • Approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers.

  • Put in place corporate-level reporting channels for ICT third-party service provider arrangements, including a risk analysis summary to assess the impact of changes to arrangements, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures.

DORA also requires financial sector entities to have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.

Digital Operational Resilience Strategy and Testing

DORA requires financial sector entities to develop a digital operational resilience strategy setting out how their digital operational resilience framework shall be implemented. To that end, the digital operational resilience strategy shall include methods to address ICT risk and attain specific ICT objectives, by:

  • explaining how the ICT risk management framework supports the financial sector entity’s business strategy and objectives.

  • establishing the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial sector entity, and analysing the impact tolerance for ICT disruptions.

  • setting out clear information security objectives, including key performance indicators and key risk metrics.

  • explaining the ICT reference architecture and any changes needed to reach specific business objectives.

  • outlining the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it.

  • evidencing the current digital operational resilience situation on the basis of the number of major ICT-related incidents reported and the effectiveness of preventive measures.

  • implementing digital operational resilience testing.

  • outlining a communication strategy in the event of ICT-related incidents.

DORA also requires financial sector entities to develop a programme of digital operational resilience testing, including generic testing and periodic advanced testing based on threat-led penetration testing.

ICT-related incident management, classification and reporting

DORA requires financial sector entities to use and maintain appropriate and reliable ICT systems, protocols and tools to support operations and to identify, protect against and prevent, detect, respond to, recover from and learn from ICT-related incidents. DORA also requires financial sector entities to define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents, including the following elements:

  • early warning indicators.

  • procedures to identify, track, log, categorise and classify ICT-related incidents according to their priority and severity and according to the criticality of the services impacted.

  • roles and responsibilities that need to be activated for different ICT-related incident types and scenarios.

  • plans for communication to staff, external stakeholders and media and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counterparts, as appropriate.

  • reporting of at least major ICT-related incidents to relevant senior management and the management body, explaining the impact, response and additional controls to be established as a result of such ICT-related incidents.

  • ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner.

DORA requires the reporting of ICT-related incidents to supervisors depending on their severity.

Management of ICT Third-Party Risk

DORA requires financial sector entities to manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework. DORA clarifies that, regardless of any contractual arrangements in place with third parties, financial sector entities remain responsible for compliance. DORA requires financial sector entities to undertake an assessment of third parties before entering into contractual arrangements, including whether the provider is easily substitutable and whether the financial entity will be exposed to concentration risk by using the third party’s services.

DORA sets out a wide range of provisions that contractual arrangements on the use of ICT services between a financial sector entity and a third-party provider shall contain.

Who and what is in scope?

Almost all regulated financial services entities are in scope of DORA.

DORA consists of a Directive and a Regulation. The Directive is necessary to amend sectoral legislation and ensure that entities such as banks, investment firms and fund managers are subject to the new framework as set out in the Regulation.

DORA includes within the scope of the provisions on ICT risk management, ICT-related incidents, digital operational resilience, and sound management of ICT third-party risk, a wide array of ICT systems and assets. The ICT systems that are covered by DORA also include legacy systems that are still in use and supporting the functions of a financial sector entity.

DORA provides for supervision of ICT third-party service providers designated as “critical” by the three European Supervisory Authorities (ESAs).

Various Regulatory and Implementing Technical Standards (RTS/ITS) are required under DORA. The ESAs have published a first batch of proposed RTS/ITS in the areas of risk management, classification of ICT-related incidents, templates for the register of information, and the policy on ICT services performed by ICT third-party providers.

In Ireland the Central Bank’s webpage highlights the link between DORA and the Central Bank’s guidance on outsourcing, operational resilience and IT & Cybersecurity risks.

What is the timeline?

DORA was published in the EU’s Official Journal on 14 December 2022, entered into force on 16 January 2023 and shall apply from 17 January 2025. There is a significant body of work to develop the various implementing measures under DORA, on which the European Supervisory Authorities have commenced work, including the publication of a consultation paper on 19 June 2023.