The European Union (“EU”) has issued a Regulation on Digital Operational Resilience (“DORA”) in the EU financial sector,
which entered into force on 16 January 2023 and shall apply in its entirety to all Member States as of 17 January 2025. DORA aims to unify network security and information systems security of companies and organisations which operate in the financial sector, throughout the EU, through homogenous operational resilience and cybersecurity regulations.
“Financial entities” regulated under the DORA include credit and payment institutions, electronic money institutions, investment firms and crypto-asset service providers, data reporting service providers, insurance intermediaries, statutory auditors and audit firms, administrators of critical benchmarks and crowdfunding service providers, among others. Moreover, it should be mentioned that critical third-party ICT providers will also be regulated under DORA.
Under DORA, financial entities will need to comply with the requirements of DORA on protection, detection, and repair capabilities against ICT-related disruptions and threats. DORA provides financial entities with very specific criteria, templates and instructions regarding ICT and cyber risk management. DORA sets five core obligations for ICT-related risks, namely, (i) ICT risk management requirements, (ii) ICT-related incident reporting, (iii) digital operational resilience testing, (iv) ICT third-party risk and (v) information sharing.
(i) ICT risk management requirements: DORA requires that financial entities have in place robust governance arrangements, policies, procedures, controls and ICT protocols for the management of ICT risk.
(ii) ICT-related incident reporting: Under DORA, financial entities are required not only to detect and manage any ICT-related incidents, but also to report them. Moreover, financial entities must identify, document and address the cause of the incidents, so as to be able to prevent similar future ICT-related events. Lastly, financial entities should inform their clients of major ICT-related incidents and of the measures taken to handle the issues arising.
(iii) digital operational resilience testing: According to DORA, financial entities are required to implement digital operational resilience testing undertaken either by internal or external independent parties, every three years using threat-led penetration testing. The digital operational resilience testing as part of the ICT risk management compels financial entities to establish advanced tools, techniques and policies to prioritise, classify and remedy any issues revealed throughout the performance of the tests. Any gaps and/or deficiencies must be identified and promptly eliminated.
(iv) ICT third-party risk: Financial entities must adopt and regularly review their policy on engaging ICT third-party service providers and must adhere to specific requirements when contracting with ICT third-party service providers. Furthermore, they must maintain an information register in relation to all arrangements with ICT third-party service providers. Also, financial entities are required to provide reports to competent authorities regarding matters related to their ICT third-party service providers. Finally, it is important to note that financial entities are required to make risk management assessments prior to engaging any ICT third-party service providers.
(v) information sharing: Under this framework, financial entities are allowed to share and exchange cyber threat information and intelligence among trusted communities, provided that this is done in accordance with the requirements of the applicable legal framework (including compliance with data protection requirements).
To sum up, financial entities are required to identify and prevent ICT risks, increase their resilience level through tools and updated techniques, review and update relevant policies and procedures, track and provide notifications in respect of any ICT-related incidents and comply with the reporting requirements under DORA.