
DORA Regulation approved: new cybersecurity obligations for banks, insurance companies and financial institutions

Following the approval of the NIS2 Directive, the EU Parliament also approved the Digital Operational Resilience Act (DORA) Regulation, which aims to consolidate and harmonize, at the European level, the essential cybersecurity requirements for the digital operational resilience of the financial sector, covering entities such as banks, insurance companies, crypto-asset service companies, financial institutions, and their suppliers.

The DORA Regulation is part of a broader European package of policy measures for fintech (which includes a proposed regulation on crypto-asset markets, MiCA, and one on distributed ledger technology, DLT).  It aims to ensure that firms can cope with cyber-attacks and operational disruptions through implementing governance, cybersecurity, and ICT risk management and incident reporting measures.

1.  Goals, scope, and deadline for implementing the DORA Regulation

Why a regulation?  Over the past decade, information and communication technology (ICT) has revolutionized the financial sector and gained a central role in its daily operations.  However, digital transformation has not been accompanied by adequate awareness and management of the cyber risks to which the sector is increasingly exposed.  Cybersecurity provisions have so far remained scattered across different EU acts, not always consistent with each other and differentiated at the national level.

The growth and severity of cyber-attacks, the danger of systemic consequences, and the gaps in the existing regulatory framework led to the conception of the now-approved DORA Regulation, which aims to uniformly regulate “operational resilience” in the EU financial sector.  The goal is thus to mandate the adoption of standardized cybersecurity requirements that ensure financial entities operating in Europe are positioned to prevent, withstand and respond to the cyber threats of which they may be the targets.  To this end, the DORA Regulation introduces a harmonized body of technical and organizational cybersecurity measures to enable and support the innovative potential of digital finance while mitigating the risks of technological innovation.

To whom does it apply?  The scope of the DORA Regulation is vast and will impact almost everyone in the financial sector.  Indeed, it will apply not only to “traditional” financial institutions (e.g., banks, investment firms, and insurance companies) but also to “new players” in the market, such as crypto-asset service companies and critical ICT service providers (e.g., cloud service providers).  In addition, the approved DORA Regulation also applies to critical service providers to the companies mentioned above.

When will it be operational?  Affected operators will benefit from a grace period of 24 months from the effective date of the DORA Regulation to implement all the technical and organizational steps necessary to comply with it.

2.  The cybersecurity pillars of the approved DORA Regulation

The DORA Regulation can be summarized in three main pillars:

(i) Governance and internal organization (Art. 5)

Financial entities must have an internal cybersecurity governance and control framework to manage all ICT risks effectively and prudently to achieve a high level of digital operational resilience.  In particular, a defined set of tasks will need to be assigned to the management body of the financial institution, which remains primarily responsible for the overall management of ICT risks.

(ii) Risk management (Arts. 6-16)

Financial entities must have a robust, comprehensive, and well-documented cyber risk management framework as part of their overall risk management system.  Among other things, operators will need to take care to:

  • use resilient ICT tools and systems such that the impact of related risks is minimized;
  • promptly identify all sources of risk and implement mechanisms that can detect abnormal activities; and
  • adopt internal procedures and measures for protection and prevention.

The DORA Regulation introduces some simplifications for firms exempt from the enhanced obligations (e.g., small non-interconnected investment firms).  Still, these exemptions do not exclude the implementation of basic ICT risk mapping and management measures.

(iii) Incident management and reporting (Arts. 17-23)

Numerous provisions have been introduced regarding the management of incidents related to ICT services.  Financial entities will have to:

  • provide for and implement business continuity policies and recovery plans for ICT-related disasters (for example, one resulting from a cyber-attack);
  • equip themselves with appropriate capabilities and personnel to detect vulnerabilities, threats, incidents, and cyber-attacks and assess their possible consequences on digital operational resilience;
  • provide for communication plans towards the various stakeholders.

As regards the reporting of ICT-related incidents, financial entities will need to establish and implement a management process to monitor and record such incidents, classify them and determine their impact, and, if an incident is deemed severe, notify it to the relevant authorities by means of a report.

(iv) Third-party ICT service providers (Arts. 28-44)

To mitigate the risks arising from the dependence of financial entities on third-party service providers, specific supervisory powers are provided to financial supervisors.

Therefore, in addition to providing an EU-wide oversight framework for third-party providers of critical ICT services, the key contractual aspects (contracting, execution, and the post-contractual phase) will be harmonized to ensure that financial companies monitor third-party cyber risks.  In addition, to ensure adequate monitoring of technology service providers that perform a critical function for the operation of the financial sector, a “lead” oversight authority will be designated for each third-party provider of critical ICT services.

Thus, the DORA Regulation is also particularly onerous for providers of critical services to these companies.

3.  Main implications for operators and next steps

It is important to keep in mind that, for the implementation of the above requirements, the approved DORA Regulation refers to the principle of proportionality (Art. 4) and thus, following a well-established logic found in many other regulations (foremost among them the GDPR), places the onus on the individual entity to assess and demonstrate the appropriate level of requirements to be implemented.

How to prepare for the DORA regulation?

It will be critical for all financial entities to take a proactive and informed approach by carrying out preparatory activities that enable them to determine the actual impact of DORA on their organization, so as not to be unprepared when it becomes applicable.  Among these, the following activities in particular are advisable:

  1. Gap analysis of the ICT risk management framework: review the internal governance structure and ICT risk and incident management measures already in place to check corporate awareness of the new regulatory framework and assess whether the resources, strategies, and response and remediation plans in place adequately address the regulatory requirements.  If not, plans to update and adapt will need to be considered.
  2. Review of incident reporting mechanisms: assess the company’s reporting capabilities and responsiveness, and accordingly implement from scratch or adjust existing incident reporting procedures to ensure alignment with new regulatory requirements.
  3. Assessment of critical ICT service providers and renegotiation of the agreements with them: map contracts with third-party ICT providers, assess their criticality to business operations, review and document their vulnerabilities so that appropriate risk containment strategies can be planned, and renegotiate the agreements with them to make them compliant with the DORA Regulation.

In turn, ICT service providers will need to assess whether they fall into the category of providers designated as “critical” and, if so, analyze the actions to be taken to meet the new supervision requirements of the European Supervisory Authorities (EBA, EIOPA, ESMA).

Finally, it will be important for all market participants to monitor the positions and directions that the European Supervisory Authorities will adopt, including, in particular, the definition of the criteria under which certain companies will be required to perform so-called “threat-led penetration tests” at least once every three years.

It is likely that several organizations will have to manage concurrently the activities necessary to comply with obligations under the NIS Directive, the DORA Regulation, and the Cyber Resilience Act, along with the activities necessary to comply with local cybersecurity perimeter regulations.  To this end, proper planning will be critical to avoid wasting resources or performing superficial activities that do not ensure compliance.

On these topics, the following articles may be of interest: “The NIS2 Directive approved – cybersecurity news for more and more companies”, “What directors’ liability for a cyber attack against the company?” and “Cyber Resilience Act: cybersecurity news for IoT digital products”.

Authors: Maria Chiari Meneghetti and Giorgia Carneri
