DIGITAL OPERATIONAL RESILIENCE ACT (DORA)
Information and communication technologies (ICT) play a central role in the financial sector, and the COVID-19 pandemic has made the day-to-day operations of financial institutions (and of many other organisations) even more dependent on them. That reliance, however, also threatens the stability of the financial system. Financial institutions are so highly interconnected, and their IT systems so interdependent, that they represent a systemic risk: a localised cyber incident at one institution can spread rapidly and widely across the whole financial ecosystem.
The absence of EU-level rules on digital operational resilience has led to uncoordinated regulatory initiatives at national level. Given the cross-border nature of ICT risk, these initiatives have only a limited effect on the threat, and their divergence jeopardises the stability and integrity of the European financial sector.
Against this background, the European Commission published, in September 2020, a proposal for a regulation on digital operational resilience for the EU financial sector (DORA). The proposal is part of a broader digital finance package that aims to introduce a harmonised and comprehensive framework ensuring the operational resilience, performance and stability of the European Union's financial system, while strengthening the innovation and competitiveness that digital finance can offer.
The proposal sets out five main policy areas:
- Risk management
Financial entities shall establish a sound, comprehensive and well-documented ICT risk management framework. Requirements include keeping ICT systems, protocols and tools up to date; identifying and documenting ICT-supported business functions and the assets that support them; monitoring, controlling and detecting anomalous activity within the ICT systems; and establishing a business continuity policy and a backup policy. Financial entities shall also define a communication plan enabling a "responsible disclosure of ICT-related incidents or major vulnerabilities".
- IT incident reporting
Financial entities shall define and implement an ICT-related incident management process to detect, manage, classify and notify incidents. Major ICT-related incidents shall be reported to the competent authority using a harmonised template.
- Digital operational resilience testing
As part of their ICT risk management framework, financial entities shall establish a sound and comprehensive digital operational resilience testing programme, comprising a range of assessments, tests, methodologies, practices and tools to evaluate their ICT systems and identify weaknesses. For financial entities identified by the competent authorities, the proposal additionally requires advanced testing based on threat-led penetration testing (TLPT) at least every three years.
- ICT third-party risk
Financial entities shall assess, manage and monitor the risks arising from ICT third-party service providers, and the rights and obligations of both parties must be set out in a written contractual agreement.
- Information sharing
DORA provides guidelines supporting the exchange of cyber threat information and intelligence between financial entities.
The proposal also sets out specific provisions for ICT third-party service providers deemed "critical". These will be designated by the European Supervisory Authorities (ESAs) on the basis of a list of criteria and will fall under a new Oversight Framework. Each Critical Third-Party Provider (CTPP) will be supervised by a Lead Overseer, who will assess whether the provider has appropriate, sound and effective risk management in place. The Lead Overseer will have unrestricted rights of access to information, the power to conduct off-site and on-site inspections, and the power to issue recommendations and impose penalties in case of non-cooperation or non-compliance.
The proposal is now with the European Parliament and the Council for review and adoption. We can expect a final version by the end of 2022. We therefore encourage financial entities and ICT providers to review the proposal and recommend the following actions in the coming months:
- Conduct a gap analysis of your organization against DORA requirements
- Identify, classify and document ICT-supported business functions, the information assets supporting these functions, ICT system configurations, and interconnections with internal and external ICT systems.
- Consolidate information on third-party service providers: the number of arrangements on the use of ICT services, the categories of ICT third-party service providers, the types of contractual arrangements, and the services and functions being provided.
Mathieu ROSE – Payment & Cash Management consultant