The Digital Operational Resilience Act (DORA) and its Significance for the Financial Sector

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act, “DORA”) significantly tightens the requirements for financial entities in dealing with information and communications technology (“ICT”) risks and at the same time creates an entirely new supervisory framework for ICT service providers. Probably the most significant innovation relates to the future supervision of critical ICT service providers by the European supervisory authorities. DORA will therefore have an enormous practical impact beyond the financial sector in the strict sense. The regulation entered into force on 16 January 2023 through publication in the Official Journal of the European Union and will apply from 17 January 2025.

Addressees and Regulatory Content

This article is the first in a series in which the specific areas regulated by DORA and their significance for the financial sector will be explored in detail over the coming months. We will focus primarily on topics such as managing third-party risks, negotiating contracts for outsourcing to third-party ICT service providers, testing procedures, IT governance and risk management as well as the supervision of critical ICT service providers. To start off, this newsletter considers

(i) DORA’s scope of application, including its addressees, and

(ii) DORA’s key substantive provisions.

Background

DORA is based on a package of measures for the digitalisation of the European financial sector adopted by the European Commission in September 2020 (Link). The background to this is essentially the realisation that the increased use of ICT in the financial sector gives rise to additional risks for the market participants. These result, for example, from cyber attacks, ICT disruptions or dependence on (external) ICT service providers. Consequently, DORA aims to strengthen the operational resilience of the European financial sector, thereby promoting the protection of financial entities and their customers and, ultimately, the financial system as a whole, from ICT risks.

DORA aims to harmonise the largely inconsistent national and European legal frameworks for dealing with ICT risks. At the national level, various sector-specific regulatory provisions have applied so far to regulated insurance and financial companies, such as the German Federal Financial Supervisory Authority’s (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”) circulars on information technology requirements for credit institutions (Supervisory Requirements for IT in Financial Institutions, Bankaufsichtliche Anforderungen an die IT, BAIT) or insurance companies (Supervisory Requirements for IT in the Insurance Sector, Versicherungsaufsichtliche Anforderungen an die IT, VAIT). DORA establishes uniform requirements for the entire financial sector. In addition, DORA is intended to harmonise the highly fragmented regulatory requirements at the European level in order to promote a functioning internal market while also establishing a single supervisory framework for ICT third-party service providers.

Scope of application

DORA’s requirements essentially apply to all supervised institutions and entities across the financial sector (known as “financial entities”) and to companies that provide ICT services for companies in the financial sector (known as “ICT third-party service providers”).

For the purposes of DORA, “financial entities” are credit institutions, payment and e-money institutions, investment firms, capital management companies and insurance/reinsurance companies, but also include account information service providers (AISPs), providers of crypto services within the meaning of Regulation (EU) 2023/1114 (Markets in Crypto-Assets Regulation, MiCAR), rating agencies, crowdfunding service providers, insurance and reinsurance intermediaries and institutions for occupational retirement provision (Article 2(1)(a) to (t) of DORA).

DORA defines “ICT third-party service providers” as undertakings providing ICT services (Article 2(19) of DORA). This includes digital services and data services provided through ICT systems to one or more internal or external users (i.e. financial entities) on an ongoing basis, including hardware as a service and hardware services (cf. Article 2(21) of DORA). This means that unregulated third-party service providers, e.g. of cloud services, software, data analysis services or data centres, also fall within the scope of DORA. In Germany, ICT third-party service providers, as far as they qualify as outsourcing companies, are already subject to limited regulation and the supervisory powers of BaFin. In addition, at the EU level ICT third-party service providers that are classified as critical will now be under the direct oversight of the European Supervisory Authorities (the “ESAs”) (see below).

The DORA requirements will be applied in accordance with the principle of proportionality, taking into account the size and overall risk profile of the financial entity, and the nature, scope and complexity of its services, activities and operations (see Article 4 of DORA). Various exemptions from DORA’s scope of application apply to “very small enterprises” (i.e. financial entities that employ fewer than ten persons and whose annual turnover and/or balance sheet total does not exceed EUR 2 million).

Significant changes introduced by DORA

DORA focuses on IT governance and risk management in financial entities and on requirements for outsourcing to ICT third-party service providers. Financial entities are to create internal structures that limit ICT risks and risks arising from the provision of services by ICT third-party service providers. This results in the following requirements in particular:

• ICT risk management (Chapter II of DORA): Financial entities’ risk management must cover ICT risks. Under DORA, financial entities are required to establish an internal governance and control framework that enables an effective and prudent management of ICT risk. This must be continuously monitored and updated if necessary. These tasks fall primarily to the governing body, which has overall responsibility for managing ICT risks and ensuring the availability, authenticity, integrity and confidentiality of data through policies that are periodically reviewed. The management body must fulfil logging obligations and take preventive measures. From a German perspective, the requirements for ICT risk management are not entirely new in view of the administrative practices that BaFin already adopts. Nevertheless, DORA now establishes more specific requirements, which are also elevated to the status of an official law.
• Notification of ICT-related incidents (Chapter III of DORA): Financial entities are obliged to classify ICT-related incidents according to predefined criteria. An ICT-related incident is an event or series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and has an adverse impact on the availability, authenticity, integrity or confidentiality of data or on the services provided by the financial entity (see Article 3(8) of DORA). In addition, major ICT-related incidents must be reported to the competent authority. Moreover, financial entities may, on a voluntary basis, notify cyber threats to the competent supervisory authority. Financial entities must establish processes to monitor and document ICT-related incidents. DORA thus goes beyond the sector-specific reporting obligations that have so far only existed in certain areas, for example, regarding serious security incidents pursuant to Section 54(1), sentence 1 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz).
• Digital operational resilience testing (Chapter IV DORA): In order to avoid ICT-related incidents, financial entities are required to test their digital operational resilience and make such tests a core component of their ICT risk management strategy. If they fulfil the DORA requirements, external service providers may also be entrusted with conducting such tests. The tests must be carried out taking into account the size and the business and risk profile of the respective financial entity. In the future, systemically important institutions will have to carry out what is known as Threat Led Penetration Testing (TLPT) at least every three years. Thus, DORA complies with existing testing requirements as set forth, for example, in the Supervisory Requirements for IT in the Insurance Sector (VAIT) and the Supervisory Requirements for IT in Financial Institutions (BAIT). What is new, however, is the incorporation of such rules in a European regulation. BaFin has already announced that it will compare the existing obligations with those under DORA and publish a notification dealing with this.
• Management of ICT third-party risk (Chapter V, Section I of DORA): Furthermore, DORA provides for additional requirements for managing ICT third-party risk, such as the obligation to maintain a register of information in relation to all contractual agreements on the use of ICT services provided by ICT third-party service providers. DORA also establishes minimum requirements for the main content of outsourcing contracts between the financial entity and the ICT third-party service provider. This content includes a description of the contracted or subcontracted functions, the obligation to notify the financial entity in the event of an ICT incident, termination rights, reporting obligations and the right of the financial entity to monitor, on an ongoing basis, the ICT third-party service provider. In this way, DORA builds on the existing sector-specific requirements for outsourcing by regulated institutions (such as the European Banking Authority’s guidelines on outsourcing, the BaFin circular on Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomangement, MaRisk), the Supervisory Requirements for IT in the Insurance Sector (VAIT) and the Supervisory Requirements for IT in Financial Institutions (BAIT)). Although the DORA requirements are largely in line with the existing minimum requirements for outsourcing contracts in sector-specific provisions, DORA does add to and clarify the applicable framework. One example of this is the obligation under DORA to maintain an independent control function for managing and monitoring ICT risks.
• Oversight framework of critical ICT third-party service providers (Chapter V, Section II of DORA): Finally, DORA introduces “overseeing” of what are known as critical ICT third-party service providers by the ESAs, which is a significant innovation. The ESAs decide on whether an ICT third-party service provider qualifies as “critical” on the basis of a list of criteria (see Article 32(2) of DORA). Unlike in the case of full supervision, “overseen” critical ICT third-party service providers do not require a permit from the financial supervisory authorities. At the same time, oversight is limited to the sub-area of managing ICT risks for financial entities that may emanate from a critical ICT third-party service provider. The ESAs’ powers also go well beyond BaFin’s existing sector-specific powers of intervention in relation to outsourcing companies.

Conclusion

Given the pace of digitalisation and the associated challenges it presents in the ICT sector, DORA will in practice be a highly significant addition to the current regulatory framework. By harmonising the currently non-uniform regulations in the EU Member States, DORA will bring us one step closer towards the goal of creating a level playing field in the EU. Entities that may be impacted by DORA should carefully assess early on if and to what degree they will be affected by the new rules, as well as what requirements will be imposed on them in the future. In addition, financial entities and third-party ICT service providers must take timely measures to implement the requirements of DORA within their organisations.

The next article in our DORA Insight series will deal with managing the third-party risk.