The digital transformation is leading to ever greater dependence on digital infrastructure in almost all sectors of the economy. This dependence is accompanied by new threats from cyberspace: a failure of systems in sensitive sectors (e.g. due to an attack) can cause considerable economic and human damage. The Digital Operational Resilience Act (DORA) therefore aims to strengthen digital resilience in the financial sector. To this end, it establishes obligations for financial entities and for providers of information and communication technology (ICT) services. Some of these obligations correspond to existing regulations and make them more concrete, while others require new measures from the companies concerned.
1. When do the regulations apply?
DORA came into force in January 2023 and will be directly applicable as a regulation in all member states from 17 January 2025. From this date, affected companies must fulfil all obligations that apply to them.
2. Who is affected?
The regulation is primarily aimed at financial entities. These include credit institutions, payment institutions, investment firms, central securities depositories, trading venues and credit rating agencies. DORA lists a total of 20 different types of entities. However, there are exceptions for certain entities, such as alternative investment fund managers or insurance and reinsurance intermediaries.
However, in addition to financial entities themselves, the regulation also applies to companies that provide ICT services for financial entities (ICT third-party service providers). Cloud computing services in particular are mentioned as an example. There are exceptions for small enterprises.
3. What are the obligations?
The regulation primarily places obligations on financial entities. The scope of the obligations follows a risk-based approach and may require additional measures for important and critical functions. The main requirements include:
- ICT risk management (Art. 5-16 DORA): Financial entities must establish an internal governance and control framework that enables them to address ICT risk quickly, efficiently and comprehensively in order to achieve "a high level of digital operational resilience". Responsibility for this lies directly with the entity's management body. The framework must be reviewed at least once a year, and a report must be submitted to the competent authority upon request.
- Management of ICT incidents (Art. 17-23 DORA): Financial entities must establish a process to monitor, handle and follow up ICT-related incidents and cyber threats, to identify their root causes, and to document and prevent their recurrence. This includes, among other things, early warning indicators, logging, classification, notification of management and procedures for response measures. Major incidents must be reported to the relevant authorities and, where affected, to customers.
- Digital operational resilience testing (Art. 24-27 DORA): Financial entities must establish, maintain and review a digital operational resilience testing programme to assess their preparedness for handling ICT-related incidents, to identify weaknesses, deficiencies and gaps in digital operational resilience, and to implement corrective actions promptly. This includes conducting threat-led penetration tests (TLPT) every three years.
- ICT third-party risk management (Art. 28-44 DORA): An integral part of risk management is the management of third-party risk, in particular the risk arising from ICT third-party service providers. Here, the regulation prescribes comprehensive contractual agreements that financial entities must conclude with ICT third-party service providers in order to comply with appropriate information security standards (e.g. termination rights in the event of breaches of the law or inadequate risk management). Financial entities may only enter into contractual agreements with ICT third-party service providers that comply with appropriate information security standards. This is linked to the obligation to identify and assess the risk posed by ICT third-party service providers. The aim is to ensure that outsourcing IT services does not lead to a lower level of protection than the financial entity would provide itself.
- Information sharing (Art. 45 DORA): In order to strengthen the digital resilience of financial entities and raise awareness of cyber threats, financial entities may share information and intelligence on cyber threats. Such sharing must, however, be based on agreements that protect the sensitive nature of this information and are in line with the GDPR and the Competition Policy Guidelines.
For ICT service providers, the regulation primarily requires changes to their contractual agreements with financial entities and corresponding adjustments to their own risk management. Further obligations arise, however, for ICT service providers that are designated as critical. The criteria for designation are systemic impact, importance for financial entities, the reliance of financial entities on the provider, and the degree of substitutability. Critical ICT service providers are subject to special oversight by the supervisory authorities. The authorities can request information and documents, carry out inspections and request reports on monitoring activities. This involves checking whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk it may pose to financial entities. Critical ICT service providers must therefore expect an increased effort to document their risk management. Non-compliance with measures can also result in a periodic penalty payment of up to 1% of the average global daily turnover per day. Any fines imposed will be published.
4. What do companies need to pay attention to now?
The obligations under the regulation must be implemented from 17 January 2025. From this date, measures by the supervisory authorities can therefore also be expected, e.g. requests for documents or on-site inspections. Management bodies should note that under the regulation they are directly responsible for the management of ICT risk and for the digital operational resilience strategy. To this end, members of the management body must actively maintain sufficient knowledge and skills regarding ICT risk and keep them up to date.
The competent authorities can impose effective, proportionate and dissuasive sanctions in the event of non-compliance with the regulations. In addition to financial measures, these can also include public announcements or the prohibition of certain types of behaviour.
Companies must carefully consider which new obligations they will face and to what extent these deviate from existing regulations. While many of the obligations fit into the existing regulatory framework for cyber risk, some go beyond it (e.g. TLPT, contractual arrangements and an independent management control function). Companies that fall within the scope of DORA will need to carry out a comprehensive review and, where necessary, amend existing systems, processes and contractual agreements. For financial entities, this means concluding new or supplementary agreements with their ICT service providers. ICT service providers should likewise adapt their standard contractual agreements and prepare supplementary agreements for existing contracts in order to reflect the new requirements. In practical terms, the regulatory technical standards, implementing technical standards and guidelines of the supervisory authorities must be taken into account in particular. In this context, it is also advisable to coordinate the measures with a view to the future regulatory framework, in particular the NIS 2 Directive. We will be happy to advise you on the scope and implementation of the new obligations.
_____________________
We would be happy to advise you on all aspects of the DORA and support you in implementing the regulation in a legally compliant manner. Please feel free to contact Martin Lose from our team. You can find out more about our expertise in the field of cybersecurity on our focus page.