New IT security requirements for outsourcing in the financial sector - Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act came into force on 16 January 2023; it is part of a comprehensive EU package for the digitalisation of the financial sector, which also includes the proposed regulation on Markets in Crypto Assets (MiCAR) and the proposed regulation on Distributed Ledger Technology (DLT). The new requirements must be implemented by those to whom the legislation is addressed by 17 January 2025.

By harmonising the existing regulations and requirements for the security of network and information systems in the financial sector, the new regulation is intended, on the one hand, to ensure the operational resilience and stability of the sector even in the event of serious disruptions and, on the other hand, to protect market participants.

Who are the regulations addressed to and what specifically are the new requirements?

Who will be affected by the new requirements under DORA?

The new requirements in the regulation are addressed to both enterprises in the financial sector and third parties providing services in the area of information and communication technologies to financial service providers (ICT third-party service providers).

Enterprises in the financial sector or financial entities (as they are referred to in the regulation) not only include traditional credit and payment institutions, e-money institutions or securities companies, but also providers of crypto services and issuers of crypto securities (each of which is authorised under MiCAR), to name but a few examples. Investment funds, insurance companies and insurance intermediaries are also among the enterprises covered by the scope of application of the regulation.

ICT third-party service providers are enterprises which provide digital services and data services, such as providers of cloud computing services or data analysis services. Specific examples include developers of banking apps, operators of core banking systems or traditional IT service providers.

What are the new compliance requirements under DORA?

As regards the obligations to be fulfilled, the regulation differentiates between the financial entities and ICT third-party providers concerned in terms of size, company profiles and extent of digital risks (under the so-called proportionality principle).

ICT risk management and management accountability

The management body of the financial entity is responsible for establishing an internal governance and control framework and for all duties related to ICT risk management. This includes the definition of clear roles and responsibilities for all ICT-related functions.

The ICT risk management framework has to be documented in writing and to include policies and protocols which protect all relevant physical components and infrastructures (including computer hardware and servers), as well as all relevant premises (including data centres and sensitive areas) properly and effectively from risks such as damage, unauthorised access or use. To this end, ICT systems must be regularly maintained, monitored, controlled and updated with regard to their functionality. Financial entities must also have an ICT strategy for business continuity and a disaster recovery ICT plan; these must be reviewed at least annually.

Reporting ICT-related incidents

Financial entities must establish a management process for monitoring, logging and reporting ICT-related incidents. In simple terms, the regulation defines such an incident as an unforeseen event detected in the network and information systems, which may result from malicious acts, that affects the security of network and information systems or causes adverse effects.

Depending on the classification, which has to be made on the basis of the criteria specified, serious incidents, i.e. those with a potentially extensive adverse effect on the network and information systems, must be reported to the financial supervisory authorities by means of initial notifications as well as intermediate and final reports. If the incident could have an impact on the financial interests of customers and users, these must also be informed about the incident and the measures taken.

Involvement of ICT third-party service providers

As regards the involvement of ICT third-party service providers, the regulation imposes strict requirements, some of which are not entirely new, but linked to the existing outsourcing regime for regulated financial market participants.

Financial entities must maintain a Register of Information containing all outsourced ICT processes and make it available to the authorities upon request. They are liable for compliance with and fulfilment of all obligations of the regulation by the contractors providing third-party ICT services and are only allowed to enter into contracts with such ICT third-party service providers as comply with high, appropriate and current standards for information security. It must therefore be possible for financial entities to check and monitor the ICT third-party providers involved from the conclusion of the contract to the post-contract phase.

To this end, the outsourcing contracts to be signed must contain certain essential contractual provisions, such as a description of all the functions and services provided by the ICT third-party service provider, details of the locations where data are to be processed, ongoing monitoring rights for the financial entities, and termination rights as well as exit policies. In respect of the use of cloud computing services, the Commission plans to develop standard contractual clauses for use by the players concerned.

Outlook

Due to the broad scope of application, numerous enterprises from the financial sector are now subject to these new obligations, including, for the first time, ICT third-party service providers (ICT service providers) used by the regulated financial service providers for the outsourcing of services.

Our New Technologies and IP team will be happy to keep you updated and to advise ICT service providers in respect of the implementation of requirements related to the Digital Operational Resilience Act.
