Regulation (EU) 2022/2554 on the Digital Operational Resilience Act (DORA) came into force on 16 January 2023.
For affected entities, DORA is applicable from 17.01.2025.
While our first session on DORA dealt with general aspects (such as scope of application and a rough overview of DORA), this session will deal with the content-related requirements of DORA in detail.
1 ICT Risk Management (Chapter II - Art 5-16)
1.1 In order to achieve a high level of digital operational resilience, "financial undertakings" (according to Art 2(2) DORA, these are all undertakings listed in Art 2(1), with the exception of ICT (information and communication technology) third party service providers) must have an effective and prudent management of ICT risks. A well-documented ICT risk management framework must be implemented and be part of the overall risk management system.
This ICT risk management framework must include policies, guidelines, procedures and ICT protocols and tools to properly and adequately protect all information and ICT assets, including computer software, hardware and servers. An information policy shall be developed and documented.
1.2 In addition, all relevant physical components and infrastructure (such as premises, data centres, and designated sensitive areas) shall be protected from damage or unauthorised access.
1.3 The responsibility for implementing these points lies with the management body (a concrete list of tasks can be found in Art 5 para 2 lit a-i DORA).
1.4 Complete and up-to-date information on ICT risks and the ICT risk framework must be provided to the competent authority upon request.
1.5 There shall also be adequate separation and independence of ICT risk management functions, control functions and internal audit functions.
1.6 The ICT risk management framework must be subject to regular monitoring in the form of an internal audit. In addition, financial firms must establish a "comprehensive" ICT business continuity policy. As part of this guideline, financial firms must conduct a business impact analysis (BIA) of the existing risks for serious business disruptions.
1.7 Financial firms shall review at least annually whether ICT risk classifications and documentation are still appropriate. In addition, cyber threats and ICT vulnerabilities shall be identified.
1.8 Financial firms will also be required to develop and document policies and procedures for data protection and recovery procedures and methods. Financial firms must have the capacity and staff to collect information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber attacks, and to investigate the likely impact on digital operational resilience.
1.9 According to Art 16 DORA, the provisions in Art 5-15 should (inter alia) not apply to "small and non-interconnected" investment firms or payment institutions exempted under Directive 2015/2366 (as amended: "Payment Services Directive") (Art 32 Payment Services Directive). However, they are also subject to the obligations listed in Art 16 (1) and (2) with regard to ICT risk management.
2 Treatment, classification and reporting of ICT-related incidents (Chapter III - Art 17-23)
2.1 Financial undertakings shall establish a process for handling ICT-related incidents. Early warning indicators (among others) must also be used. Further obligations are set out in Art 17 (3) DORA.
Financial undertakings must also classify ICT-related incidents and determine their impact.
According to Art 18 (3) and (4) DORA, the European Supervisory Authorities (ESA) must submit general draft regulatory technical standards specifying the requirements for financial undertakings to classify ICT-related incidents to the European Commission by 17 January 2024.
2.2 Financial firms must report serious ICT incidents to the competent authority in the form of initial, interim and final reports within a "reasonable timeframe" to be defined by the ESA in the form of regulatory technical standards.
The content and deadlines of the notification are to be defined by ESA in consultation with ENISA (European Union Agency for Cybersecurity) and the ECB in the form of regulatory technical standards. These shall be submitted to the Commission by 17.07.2024.
3. Test digital operational resilience (Chapter IV - Art 24-27)
1.1 Financial firms shall establish and maintain a robust and extensive digital operational resilience testing programme. Testing shall be conducted by independent internal or external parties.
3.1 Financial firms shall establish procedures and guidelines for prioritising, classifying and remediating any issues identified during testing.
3.2 For ICT tools and systems, testing shall include vulnerability assessments and scans, open source analysis, network security assessments, gap analysis, physical security reviews, software solution questionnaires and scans, source code reviews where feasible, scenario-based testing, compatibility testing, performance testing, end-to-end testing and penetration testing.
4. Management of ICT third party risk (Chapter V - Art 28-44).
4.1 DORA also aims to provide an appropriate framework for the sound management of ICT third party risks. ICT third parties are service providers that provide ICT services to financial undertakings on the basis of a contractual agreement.
However, financial undertakings remain fully responsible at all times for complying with and fulfilling their obligations under DORA.
4.2 Financial undertakings shall develop and regularly review an ICT third party risk strategy. For this purpose, an information register containing all contractual agreements on the use of ICT services provided by ICT third party service suppliers shall be kept. This register must be presented to the competent authority upon request.
4.3 In addition, a report on the number of new agreements on the use of ICT services must be submitted to the authorities at least once a year.
Pursuant to Art 42 (6) DORA, the authorities may compel the financial undertaking to temporarily discontinue, in part or in full, the use or deployment of an ICT service from a third party service provider. The authority may also require the financial services provider to terminate, in whole or in part, contracts concluded with critical third-party ICT service providers.
4.4 DORA provides that contractual arrangements may only be entered into if appropriate information security standards are met. In the case of critical third party ICT service providers, consideration must be given to whether the third party ICT service provider applies the current and highest quality standards for information security before entering into an agreement.
4.5 DORA obliges financial undertakings to ensure that contractual agreements on the use of third-party ICT services can be terminated if the circumstances listed in Art 28 (7) lit a-d DORA (e.g. significant breach of applicable laws by the third-party ICT service provider or demonstrable weakness of the third-party ICT service provider in ICT risk management) exist.
4.6 The ESA is to develop standard contractual clauses by 17.01.2024, which should be considered by financial undertakings and ICT third party service providers when negotiating contractual agreements. Art 30(2)(a-i) and Art 30(3)(a-f) DORA lay down strict requirements for the contractual agreements.
4.7 The ESA must classify the third-party ICT service providers that are to be regarded as critical for financial undertakings. DORA provides many separate provisions for critical ICT third party service providers.
Critical third-party ICT service providers are subject to strict control by the "lead supervisory authority", which is to be appointed by the ESA pursuant to Art 31 (1) (b).
5. Information sharing arrangements (Chapter VI - Art 45)
Financial undertakings may exchange information and intelligence on cyber threats with each other. For this purpose, the requirements in Art 45 para 1 lit a-c DORA must be met.
6 Competent authorities (Chapter VII - Art 46-56)
DORA assigns the supervision of compliance with the requirements to the respective competent authorities responsible for the supervision of the financial undertakings falling within its scope. In Austria, this will largely be the FMA.
The powers include (among others) access to documents and data in any form, the conduct of on-site inspections and investigations, including the summoning of representatives of the financial undertaking.
7 Delegated Acts (Chapter VIII - Art 57)
DORA empowers the Commission to adopt delegated acts.
8 Transitional and Final Provisions (Chapter IX - Art 58-64)
Until 17.01.2028, the Commission shall carry out a review in accordance with the provisions of Art 58 (1) lit a-e DORA.