19.05.2022

GOOD PRACTICES: Who is obliged by DORA and how?

On September 24, 2020, the European Commission published the Digital Operational Resilience Act (DORA), i.e. a draft Regulation on the digital operational resilience of financial sector entities. The regulation is intended to preserve and promote robust ICT risk management standards in financial institutions across the EU while still supporting innovation. Who will the new provisions apply to, and to what extent?

The context of the regulation is broad: it forms part of the European Union's overall digital strategy for the financial sector. Its goals include strengthening the competitiveness of the financial sector, bringing better products to the market, and providing financial support for the European economy, including the green transformation.

The COVID-19 pandemic has accelerated the digitization of many sectors. The European Commission, aware of the need for digital transformation and of the challenges faced by, among others, financial institutions, which are particularly vulnerable to digital disruptions and attacks, proposed a package of regulations. In addition to the DORA proposal, the package contains a proposal for a regulation on crypto-asset markets, a pilot regime for market infrastructures based on distributed ledger technology (DLT), and a proposal for a directive clarifying or amending certain related EU financial services rules. All of these regulations aim to minimize digital threats to financial institutions and to give them full digital operational resilience.

According to the EC, threats related to ICT (information and communications technology) constitute a challenge to the operational resilience, efficiency and stability of the EU financial system, and the preventive measures introduced after the 2008 crisis were not accompanied by uniform rules to counter digital threats. In 2019-2020, the Commission carried out public and expert consultations in the Member States, which helped shape the framework for ICT conduct in relation to financial services.


The policy option adopted by the Commission would, among other things:

  • provide companies in the SME sector with clarity about the regulations, which will reduce the costs of complying with them;
  • reduce the number and average cost of incidents, benefiting society through greater confidence in the financial services sector;
  • encourage the wider use of the latest generation of ICT infrastructures and services, which are expected to become more environmentally sustainable.

Importantly, the scale of the obligations arising from the regulation would be proportional to the size of a given entity and the risk associated with its activities. The authors of the proposal point out that large companies already pursue cybersecurity policies based on international standards. The new standards proposed by the European Commission under DORA should not differ from those currently in use, which is meant to reduce the cost of adapting to the EU rules.

Which entities would be covered by the regulation?

As we read in the proposal, the regulation will cover:

a range of financial entities regulated at Union level, namely credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks and crowdfunding service providers

The obligations of such entities, where they are not micro-enterprises, are to include, among others:

  • establishing comprehensive management rules;
  • establishing dedicated management positions;
  • carrying out detailed assessments following significant changes to network infrastructures and information systems;
  • conducting regular risk analysis of legacy ICT systems;
  • extending the scope of business continuity testing and of response and recovery plans.

Notably, the overriding principle is the full responsibility of the management body for the management of the financial entity’s ICT risk.

Third-party cloud solutions and DORA

Similar to practices already in place in some Member States, the DORA regulation also sets out the minimum requirements that ICT providers should meet in order to mitigate digital threats to the financial sector. A key proposal is the introduction of pan-European standardization for such providers.

The regulation “seeks to promote convergence on supervisory approaches to the ICT third-party risk in the financial sector by subjecting critical ICT third-party service providers to a Union oversight framework”, the release reads.

The European Commission's plans go even further: the idea is to create an international system for exchanging information.

“To raise awareness on ICT risk, minimize its spread, support financial entities’ defensive capabilities and threat detection techniques, the regulation allows financial entities to set-up arrangements to exchange amongst themselves cyber threat information and intelligence.”

The intended effect of these measures is therefore a coherent and transparent regulatory environment for the European financial sector with regard to ICT threats.

Technology companies operating in the European Union are already preparing for the changes that legislation may require in the long run. As an external ICT provider that meets the recommendations on the processing of information by regulated entities in public and hybrid clouds, FORDATA is closely monitoring new regulatory proposals at the European level. We are awaiting the final version of the Regulation, and when the new rules enter into force, we will be ready to continue supporting financial institutions through their technological transformation.
