On 24 September 2020 the European Commission published its long-awaited draft regulation on digital operational resilience for the EU financial services sector (DORA). The proposal, which is part of the broader Digital Finance Strategy package, is the first European-level legislative initiative aiming to introduce a harmonised and comprehensive framework on digital operational resilience for European financial institutions. When formally adopted, DORA will also bring critical third-party service providers – such as cloud computing services – within the direct oversight of the European Supervisory Authorities. The following note provides an overview of 10 key things that you need to know about DORA.
1) Scope and subject matter
The Commission proposes that DORA have a very broad application and cover credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, CCPs, trading venues, trade repositories, AIFMs, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories and ICT third-party service providers. The proposed legislation sets out requirements applicable to financial entities in respect of ICT risk management, contractual arrangements between ICT third-party service providers and financial entities, the oversight framework for critical third-party service providers and rules on cooperation between competent authorities.
2) Definitions
The draft legislation includes a comprehensive set of definitions concerning persons and services within the scope of DORA, including definitions of digital operational resilience, ICT risk, ICT third-party risk, ICT third-party service provider (including cloud computing services) and ICT third-party service provider established in a third country.
3) ICT Risk Management
When formally adopted, DORA will require financial entities to have in place comprehensive internal governance and control frameworks for ICT risks. Financial entities will also be obliged to build and maintain a sound, comprehensive and well-documented ICT risk management framework. This will include an obligation for financial entities to have and maintain up-to-date ICT systems, protocols and tools, as well as to identify and document those elements that pose a potential source of ICT risk, especially configurations that interconnect with internal and external ICT systems. Draft DORA sets out prescriptive measures that financial entities will need to comply with for the purposes of protection and prevention, detection, response and recovery from ICT risks, including having a dedicated and comprehensive ICT Business Continuity Policy. Finally, financial entities will also have to have in place measures allowing them to monitor the effectiveness of the implementation of their digital resilience strategy, as well as a bespoke communications plan enabling a “responsible disclosure of ICT-related incidents or major vulnerabilities”.
4) ICT Related Incidents: Management, Classification and Reporting
When formally adopted, DORA will require financial entities to establish and implement a specific ICT-related incident management process to identify, track, log, categorise and classify ICT-related incidents. Such a process will have to allow the classification of ICT-related incidents in accordance with a set of criteria that is to be further developed by the Joint Committee of the European Supervisory Authorities (“the ESAs Joint Committee”). Finally, financial entities will be obliged to report all major ICT-related incidents to the competent authority, within the prescribed timeframes and using harmonised reporting templates.
5) Digital Operational Resilience Testing
For the purposes of their ICT risk management framework, financial entities will have to put in place a sound and comprehensive digital operational resilience testing programme, comprising the ICT testing tools, systems and methodologies set out in the proposed regulation.
6) Key Principles for a Sound Management of ICT Third-Party Risk
The draft legislation sets out key principles for managing ICT third-party risk, covering the responsibility of the financial entity, proportionality, the strategy on ICT third-party risk, documentation and record-keeping, pre-contracting analysis, information security, audits, termination rights and exit strategies. The rights and obligations of the financial entity and of the ICT third-party service provider will have to be clearly allocated and set out in a contractual agreement, the detailed scope of which will be set out in the legislation. Among other obligations, financial entities will have to perform a preliminary assessment of concentration risk and of further sub-outsourcing arrangements. The objective of such an assessment will be to identify whether entering into a contractual arrangement would lead to contracting with a dominant ICT third-party service provider that is not easily substitutable, or to having in place multiple contractual arrangements.
7) Oversight Framework of Critical ICT Third-Party Service Providers
The draft legislation sets out a separate set of provisions applicable to critical third-party service providers (CTPPs), which will be designated by the ESAs Joint Committee on the basis of a list of criteria set out in DORA. The proposed legislation also requires the establishment of an Oversight Framework for CTPPs responsible for, among other things, verifying that CTPPs have in place and respect “sound, comprehensive and effective rules, procedures and arrangements” that are appropriate to manage the risks that CTPPs may “pose to financial entities and to the overall financial stability”. In accordance with the draft proposals, the Oversight Framework will be equipped with far-reaching powers, including the unrestricted right to access all information deemed necessary by a Lead Overseer – this being one of the ESAs. The Lead Overseer will also have powers to conduct general investigations (including on-site inspections) of ICT third-party service providers. Finally, CTPPs will be charged oversight fees designed to cover all of the ESAs’ “necessary expenditure” in relation to the conduct of oversight tasks.
8) Information Sharing Arrangements
The proposed legislation will permit financial entities to exchange amongst themselves information and intelligence about cyber threats, including indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools.
9) Competent Authorities
Finally, the proposal includes detailed rules concerning supervisory powers. By deciding against a centralised supervisory body, the Commission proposed to place supervision of compliance with the requirements of DORA with the respective competent authorities responsible for overseeing the in-scope financial entities.
10) Next steps
The draft legislation will be transferred to the European Parliament and to the Council of Ministers for review and adoption. Both legislators can introduce additional amendments, so the final version of the legislation might differ to some extent from the draft proposed by the Commission. Legislative review of complex files can take between 18 and 24 months, followed by a transition period that will be prescribed in the final legal act. Stakeholders are therefore encouraged to engage in the legislative review from its early stages.