What is DORA (EU)?
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is the EU's law on ICT security and operational resilience for the financial sector, covering credit institutions (banks), investment firms, insurers and many other financial entities. Its focus goes beyond defensive security controls: the goal is resilience, meaning the ability to withstand, respond to and recover from ICT disruptions while continuing to provide financial services.
The European Commission's FinTech Action Plan (2018) stressed the need to make the European financial sector more robust: its technology should be secure, able to recover quickly from ICT failures, and able to deliver financial services smoothly across the whole EU even under severe stress. This in turn protects consumer and market confidence.
The aim of DORA is to ensure that a financial entity can guarantee the security and reliability of its operations, whether it runs them itself or relies on third-party ICT service providers, including the ICT capabilities needed to protect its network and information systems. The intended result is that financial services keep being provided, at the expected quality, even during disruptions.
DORA applies to financial entities across the EU, from conventional institutions such as credit institutions, investment firms and insurance undertakings to newer types of entity such as crypto-asset service providers and crowdfunding service providers.
Notably, DORA also reaches entities that traditionally sit outside financial regulation. ICT third-party service providers that supply financial entities with ICT systems and services, such as cloud service providers and data centre operators, are brought into scope: financial entities must impose DORA's contractual requirements on them, and providers designated as critical by the ESAs fall under direct Union-level oversight. Data and analytics providers count as ICT third-party service providers to the extent that they deliver digital and data services through ICT systems, while credit rating agencies are listed in Article 2 as financial entities in their own right.
Financial entities and ICT third-party service providers have until 17 January 2025, the date from which DORA applies, to be compliant; supervision and enforcement start from that date.
Who needs to comply with DORA EU?
DORA applies to 21 types of entities (as per Article 2):
- credit institutions;
- payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
- account information service providers;
- electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
- investment firms;
- crypto-asset service providers and issuers of asset-referenced tokens;
- central securities depositories;
- central counterparties;
- trading venues;
- trade repositories;
- managers of alternative investment funds;
- management companies;
- data reporting service providers;
- insurance and reinsurance undertakings;
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
- institutions for occupational retirement provision;
- credit rating agencies;
- administrators of critical benchmarks;
- crowdfunding service providers;
- securitisation repositories;
- ICT third-party service providers.
The following entities are EXCLUDED from DORA:
- Managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU;
- Insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC;
- Institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total;
- Natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU;
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises (a microenterprise is defined in Article 3(60) of DORA as a financial entity that employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total not exceeding EUR 2 million);
- Post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU.
- Note that Member States may also choose to exclude from the scope of DORA certain very specific national credit or investment entities located in their territory, namely those referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU.
What are the requirements for DORA (EU)?
DORA establishes requirements for financial entities and their ICT providers in four core areas (a further chapter, Chapter VI, covers voluntary arrangements for sharing cyber threat information and intelligence between financial entities):
- ICT risk management and governance;
- ICT-related incident management and reporting;
- Digital operational resilience testing;
- ICT third-party risk management.
An important part of DORA is that the framework must be kept up-to-date by:
- Reviewing it at least once a year (or periodically in the case of microenterprises).
- Updating it when significant ICT-related incidents happen.
- Making changes as directed by regulators.
- Incorporating findings from digital operational resilience tests or audits.
Here is a sampling of the DORA requirements, just to give you an idea of how comprehensive the regulation is:
Governance and Organisation:
– Engage the management body and senior leaders in ICT risk management.
– Define ICT risk management strategies and policies.
– Ensure awareness of personal accountability for compliance.
Comprehensive ICT Risk Management Framework:
– Develop comprehensive risk management.
– Map ICT systems.
– Identify critical assets and dependencies.
– Conduct continuous risk assessments.
– Document cyber threats and mitigation steps.
Business Impact Analysis:
– Assess impact of disruptions.
– Set risk tolerance levels.
– Inform ICT infrastructure design.
Cybersecurity Protection Measures:
– Implement security policies and controls.
– Include identity and access management.
– Deploy detection and response tooling appropriate to the entity's size and risk profile (for example SIEM, XDR or SOAR platforms; DORA does not mandate specific products).
Business Continuity and Disaster Recovery:
– Create plans for various risk scenarios.
– Include data backup, system restoration, and communication plans.
ICT-Related Incident Management and Reporting:
– Establish systems for incident detection, monitoring, management and reporting.
– Classify incidents by severity to determine which must be reported as major ICT-related incidents.
– Prepare initial notifications, intermediate reports and final root-cause reports for major incidents.
– Stay informed about incident reporting rules and the deadlines set by the technical standards.
– Explore streamlined reporting options and monitor initiatives for a central EU reporting hub.
Digital Operational Resilience Testing:
– Test ICT systems and applications for vulnerabilities on a regular basis (at least yearly for systems supporting critical or important functions), and, where required, perform threat-led penetration testing at least every three years.
Compliance and Third Parties:
– Ensure ICT providers meet contract requirements.
– Use standardized contractual clauses if available.
Third-Party Risk Management:
– Negotiate contracts for critical functions.
– Map third-party ICT dependencies.
– Avoid concentration risk.
– Be aware of critical provider oversight by ESAs and Lead Overseers.
The DORA text and its accompanying technical standards run to hundreds of pages, and each item above carries many detailed requirements and conditions of application. Using an automated GRC tool for preparation, together with sound legal advice, is highly recommended.
Key Terms & DORA Definitions
ICT risk (Information and Communication Technology risk) refers to any reasonably identifiable circumstance relating to the use of network and information systems which, if it materialised, could compromise the security of those systems, of the operations and processes that depend on them, or of the services an organisation provides. It covers the risks arising from the management, operation and security of ICT systems and infrastructure.
While DORA has been formally adopted, many important details are specified in regulatory and implementing technical standards developed by the European Supervisory Authorities (ESAs). The ESAs act as the watchdogs of the EU's financial system and comprise the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).
The ESAs are responsible for drafting the technical standards that covered organisations must follow, with delivery scheduled during 2024. In addition, the European Commission is adopting rules on the oversight of critical ICT third-party service providers, also expected to be finalised in 2024.
An overseer is a body responsible for supervising a specific area or function. Under Article 31(1)(b), the ESAs appoint a Lead Overseer for each critical ICT third-party service provider; the Lead Overseer supervises that provider's ICT third-party risk in the financial sector and ensures that ICT risk management rules are applied consistently across the EU. The Oversight Forum supports the Joint Committee of the ESAs and the Lead Overseers in this work.
A microenterprise is a very small business with few employees and low annual turnover or balance sheet total. According to Article 3(60) of DORA, a microenterprise is a financial entity (other than a trading venue, central counterparty, trade repository or central securities depository) that:
- Employs fewer than 10 persons;
- Has an annual turnover and/or an annual balance sheet total that does not exceed EUR 2 million.
Why should you be DORA (EU) compliant?
Once the technical standards are finalised and the January 2025 application date is reached, enforcement rests with the designated regulators in each EU Member State, the "competent authorities". These authorities can require financial entities to implement specific security measures and to remediate vulnerabilities. They can also impose administrative penalties and, where a Member State has chosen to provide for them, criminal penalties on entities that do not comply. Each Member State sets its own penalty regime.
ICT third-party service providers designated as "critical" are supervised directly by a Lead Overseer from the ESAs. Like competent authorities, Lead Overseers can require security measures and remediation and can penalise non-compliant providers. Under DORA, a Lead Overseer may impose a periodic penalty payment of up to 1 percent of the provider's average daily worldwide turnover in the preceding business year, applied for each day of non-compliance for up to six months until the provider complies.
How to achieve compliance?
To comply with DORA, you will need to review all the requirements in the regulation and its technical standards and ensure that you have the policies, processes, systems and tools in place for continuous alignment with them. The Centraleyes automated GRC platform, with its built-in DORA questionnaire, supports this by preparing you for the DORA requirements and providing a centralised hub for collecting evidence, tracking progress and remediating gaps.
The Centraleyes DORA questionnaire assessment is designed for FINANCIAL ENTITIES, including microenterprises.
Using an automated tool to cover DORA methodically and efficiently saves hours of effort. When preparing to comply with any regulation, it is essential to involve your own legal expert alongside GRC tooling to confirm how DORA applies in your context and that you are aligned with it. The Centraleyes platform provides a resource for assessing and evidencing that alignment.
Unique to the GRC space, Centraleyes also provides a customisable automated Risk Register, as well as its Remediation Center and Reporting in real-time. Set up a quick demo and see how you can be compliant with DORA in no time.
Read more: Link to Official DORA Documentation