DORA isn’t a gift for everybody

Philipp Rosenauer
Partner Legal, PwC Switzerland

On 10 May, a political agreement was finally reached on the Digital Operational Resilience Act (DORA). We’ve summarised the most important aspects for you.

Background

The Digital Operational Resilience Act (DORA) was adopted by the Commission on 24 September 2020. DORA sets out uniform requirements for the security of network and information systems in the financial industry, as well as for critical third parties that provide information and communication technology (ICT) services to it. A provisional political agreement on DORA was reached on 10 May 2022.

DORA’s purpose is to create legal certainty in relation to the Network and Information Systems Directive (NIS and NIS2), a policy in effect since 2016 which aimed to increase the overall level of European cyber-resilience, but which has proved to be suboptimal for the financial services industry.

NIS had three main flaws that affected its applicability to financial services: (i) designation of a critical entity was left to the member states, each of which had discretion over the definition of criticality; (ii) designation wasn’t made public, which created challenges around the disclosure obligations of listed companies; (iii) non-disclosure could potentially create tension between the obligations imposed by the national NIS supervisor (or multiple NIS supervisors in different EU Member States) and those imposed by the financial institution’s prudential supervisor.

To address these problems, DORA was designed by DG FISMA as a lex specialis that supersedes the NIS Directive.

Summary of DORA

In summary, DORA consists of two parts:

  1. It will harmonise and codify the operational risk management, incident reporting, review of outsourcing arrangements, and integrity and penetration testing requirements for all authorised financial services institutions. Most sectoral legislation currently doesn’t include such requirements, with the exception of the Payment Services Directive (PSD2). Many of DORA’s provisions seek alignment with industry practices, but as a lot of the details are left to secondary legislation, there’s a real fear it could become very prescriptive.

    One area where the EU goes beyond current industry standards is penetration testing. DORA will also require the ESAs to review their current outsourcing guidelines.

    DORA introduces proportionality for micro-financial institutions and imposes a number of additional requirements on the most critical financial institutions, including, though not limited to, penetration testing.

    In contrast, the Bank of England is adopting a principle-based approach based on overhauling the governance requirements.
  2. The more controversial aspect of DORA relates to the establishment of a new oversight framework for critical third-party ICT providers to the financial services industry. This is the first time non-authorised technology providers come under an EU framework for the purpose of the financial services industry.

    ICT providers to the financial services industry that are designated as critical will be subject to oversight by one of the three ESAs. They will be subject to on-site inspections and audits, and the overseer can issue recommendations.

    The critical ICT provider needs to follow these recommendations or otherwise be subject to administrative fines and the possibility that EU-based financial services institutions suspend or terminate their contracts. The enforcement of the suspension of contracts is indirect and imposed by the respective competent authority of the financial institution.

    The designation process involves a committee of overseers which includes the ESAs, ECB, national competent authorities and ENISA. It’s based on some principles set out in the Level 1 text, such as the size, interconnection and cross-border relevance of the ICT provider. The European Commission is to provide more details in a Delegated Act.

    DORA also extends to third-country critical third-party ICT providers which have to establish a legal entity in the EU to service EU financial institutions.

Provisional political agreement

The co-legislators reached a provisional political agreement on the Digital Operational Resilience Act on 10 May. Please find below a read-out from the European Parliament:

On scope:

  • Auditors: statutory auditors and audit firms are removed from the remit of DORA and the Commission will assess their inclusion in DORA or the Accounting Directive in three years’ time.
  • Ancillary insurance intermediaries: micro, small and medium-sized ancillary insurance intermediaries are excluded.
  • Market structures are excluded from the definition of microenterprises.

On the ICT risks management framework:

  • Financial entities will have the option of defining an ICT multi-vendor strategy, but it won’t be mandatory. It will also be applied proportionally.

On ICT-related incident reporting:

  • ESAs will define timelines for the reporting of major ICT-related incidents at Level 2, but with a strong mandate at Level 1. Timelines will be anchored to NIS2 and require a justification if deviating from them.
  • ESAs will provide a feasibility report on the EU Hub within two years of DORA’s entry into force and in line with the deadline for the RTS on reporting.

On testing digital operational resilience:

  • The Council has endorsed the agreement reached at a technical level.
  • Co-legislators agree on the use of both external and internal testers, with additional safeguards:
    • Add to Level 1 a requirement for the internal tester to have capabilities equivalent to an external tester.
    • Add an RTS to the general principles governing the use of internal testers at Level 2, to ensure harmonisation within the EU.
    • Require the use of an external tester every three tests.
    • Require, at Level 1, the use of a threat scenario provided by an external provider.
    • Require that credit institutions under the SSM mechanism must always use external testers.
    • Make sure that all competent authorities involved in the tests have granted their approval for the use of internal testers.
  • Advanced testing must be carried out at least every three years, with competent authorities able to increase or decrease the frequency of testing when justified.

On oversight framework:

  • Managing ICT third-party risk: Co-legislators agreed to consider whether an ICT provider is an intra-group provider as a relevant factor in managing third-party risk. It was decided to include a recital, in line with the EBA guidelines on outsourcing, explicitly stating that intra-group provision of services is not less risky but is a relevant consideration in risk management.
  • Architecture: The Commission proposal for a new Joint Oversight Network could be supported, except for lines 517 and 519. The Commission is requested to review and provide a report on its functioning within five years of entry into force.
  • Oversight procedure: EP showed openness towards the Council provision on the disclosure of information regarding critical ICT service providers that fail to notify their intention to follow, or not, the Lead Overseer’s recommendations, on the condition that the ICT service providers are informed of that possibility when the recommendations are issued and are notified ahead of the disclosure of that information.

On review clause and application date:

  • Co-legislators agreed on the review and report by the Commission on the potential inclusion of payment system operators under the remit of DORA. With the help of the COM, co-legislators would like the revision to be aligned with the upcoming PSD2 review. The review clause should also contain a review on whether the reporting of significant cyber threats should be kept voluntary or not.
  • On the application date, co-legislators agreed to have all the regulation provisions applicable for 24 months after the date of entry into force.

Co-legislators agreed that DORA provisions should be applicable to those entities that are subject to an authorisation regime and supervision under MiCA. The technical team was mandated to align DORA’s scope with an eventual preliminary agreement on MiCA.

Timeline

  • The Council adopted its General Approach on 24 November 2021.
  • The ECON Committee adopted its report on 1 December 2021.
  • Trilogues began on 25 January 2022 and ended on 10 May 2022.
  • The text is undergoing technical proofing. On the Council’s side, the presidency aims to submit the agreement to the Permanent Representatives Committee (Coreper) for endorsement shortly. In Parliament, the agreement will have to be approved by a vote in committee, after which it will be confirmed at plenary.
  • DORA will enter into force 20 days after publication in the Official Journal of the European Union. It will apply for 24 months after entry into force.
