How will DORA impact the financial sector?

The 2020s have been a whirlwind of disruption and accelerated digitalization. 

In the context of increased cyber risks, heavy dependence on technologies and accelerated advancement of digital tools and assets, the final approval of DORA has been welcomed by financial services players. 

A refresher on DORA’s back story

In the aftermath of the financial crisis, the European Commission has been strengthening the financial resilience of the EU financial sector, adopting measures aimed at increasing capital resources and liquidity of financial entities, as well as reducing market and credit risks. For over a decade, Information and Communication Technologies (ICT) risks were indirectly or partially addressed in an uncoordinated way from the different financial supervisors in Members States. Inconsistency in approaches not only led to the proliferation of diverging regulatory initiatives but also to duplicated rules set out in the 2016 Network and Information Systems (NIS) Directive¹, in particular for incident notification, security requirements and testing. In response and after consultation, the digital finance package²  was adopted on 24 September 2020 by the European Commission, containing within it a digital finance strategy and legislative proposals on crypto-assets³ and digital resilience. 

What is DORA and to whom is it relevant?

The Digital Operational Resilience Act (DORA⁴), formed one element of this package, and is the latest addition coming out of the pipeline of regulations. Published on 27 December 2022, it provides consistent rules addressing digital operational resilience needs of all regulated financial entities and establishes an oversight framework for critical ICT third-party providers (CCTPs). The main pillars are:

• ICT risk management
• ICT related incident reporting
• Resilience testing
• ICT third-party risk
•  Information sharing

A set of rules has been defined and they are spread over six sections:

• Covering existing typical requirements on ICT governance and ICT risk management (Chapter II) and ICT-related incident reporting (Chapter III)
• Introducing new requirements for digital testing (Chapter IV), information sharing (Chapter VI) and management of ICT third-party risks (Chapter V)
• Providing financial supervisors with the tools to fulfill their mandate to contain financial instability stemming from those ICT vulnerabilities (Chapter VII)

DORA rules are based on the principle of proportionality

Many market participants will be impacted by DORA, including traditional financial sector entities such as credit institutions, trading venues and clearing houses, investment firms, UCITS management companies, alternative fund managers (AIFMs), insurance companies, payment institutions, electronic money institutions, as well as crypto-asset service providers (CASPs), issuers of crypto-assets and issuers of asset-referenced tokens⁵.

While the rules cover all financial entities, their applicability will depend on the size of the entity, its activity and the overall risk to which it is subjected. Micro-enterprises will benefit from this flexibility and will be subject to proportionate application of requirements on ICT risk management, digital resilience testing, reporting of major ICT-related incidents and oversight of critical ICT third-party service providers.

Key takeaways of the DORA Regulation

Emphasizing the importance of full responsibility management and accountability (Chapter II - Art. 5)

The management body is responsible for setting the tone and enforcing the definition and implementation of organizational and technical measures which enable and ensure effective and prudent management of all ICT risks. At the same time, they should play an active role in steering the ICT risk management framework, assigning roles and responsibilities. The management body should be continuously engaged in the control of monitoring ICT risk management as well as in the full range of approval and control processes and the appropriate allocation of ICT investments and training. The members of the management body themselves should, on a regular basis, follow specific training to gain and maintain sufficient knowledge and skills to understand and assess ICT risks and their impact on the operations of the financial entity.

ICT risk management requirements to be fully enforced (Chapter II - Art. 6 - 16)

A key principle is to align financial entities’ business strategy with ICT risk management. Entities should be aligned with the joint European Supervisory Authorities (ESAs) technical advice or other industry standards, such as NIST⁶ or best practices.

Improving and streamlining ICT-related incident reporting (Chapter III - Art. 17 - 23)

Financial entities shall establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. While incidents should be classified, assessed, and root causes identified, documented and addressed, only – at least – major incidents should be reported to senior management and imperatively to the competent authority.  It must be noted that draft regulatory technical standards (RTS) will be developed in order to:

• Establish the content of the reports for major ICT-related incidents in order to reflect the criteria laid down in Article 18(1) and incorporate further elements, such as details for establishing the relevance of the reporting for other Member States and whether it constitutes a major operational or security payment-related incident or not
• Determine the time limits for the initial notification and for each report referred to in Article 19(4)
• Establish the content of the notification for significant cyber threats

Perform digital operational resilience testing at least annually (Chapter IV - Art. 24 - 27)

DORA defines common standards for digital operational resilience testing with the objective to ensure firms are prepared when ICT related incidents happen. Beyond the traditional ICT testing techniques, the testing program should include a full range of appropriate tests, including vulnerability assessments and scans, open-source analyses, network security assessments, penetration testing, and even source code reviews (where feasible).

The DORA suggests and strongly recommends advanced testing of ICT tools, systems and processes based on threat led penetration testing (TLPT), carried out at least every three years. The technical standards to apply, when conducting intelligence-based penetration testing, should be developed by the joint ESAs and are likely to be aligned with the voluntary TIBER-EU⁷ developed by the ECB.

At the end of the tests, financial entities should communicate agreed reports and remediation plans to the competent authority and should confirm that penetration tests have been performed in accordance with the requirements. The competent authority, in this case, will review, validate and issue an attestation.

Finally, the competent authority should consider proportionate application of this requirement: TLPT will be carried out in a manner proportionate to the size, scale, activity, and overall risk of the financial entity.

Bringing the CCTPs into the game (Chapter V - Art. 28 - 39)

As the overall objective of DORA is to have streamlined and effective governance, CCTPs will become subject to oversight to ensure they do not pose undue operational risks for the financial sector. While recommendations will be issued by the ESAs’ Lead Overseer to the CCTP, national competent authorities (NCAs) will be responsible for following up and taking actions against their supervised financial entities when the recommendations are not addressed by the CCTP. In such cases, the Regulation also gives the competent authorities the right to require the supervised financial entities to temporarily suspend their CCTPs services or to terminate their contracts with that CCTP. Either EBA, ESMA, or EIOPA will be then appointed as Lead Overseer for each identified CCTP. The goal is to ensure that an adequate monitoring of the CCTP is performed but also to avoid a domino effect of the heavily interconnected financial sector. The Lead Overseer will be empowered to request all documentation, conduct inspection and obtain reports and may impose penalty payment (up to 1% of the average daily worldwide turnover of the CCTP in the preceding business year) to compel the CCTP to comply with the before mentioned points.

Aligning with the EBA, ESMA or EIOPA guidelines on outsourcing, DORA requires harmonization of contractual arrangements in terms of establishment (e.g., audit clause, defined roles), maintenance (e.g., reporting, review) and termination (e.g., exit plan, data retention).

Information sharing encouraged (Chapter VI - Art. 45)

On a voluntary basis and after confirming their participation to their relevant competent authority, financial entities are strongly encouraged to share cyber-threat intelligence and information within the community. The goals are to enhance digital operational resilience, raise awareness in relation to cyber threats, limit or impede the cyber threats’ ability to spread, and support financial entities’ range of defensive capabilities, threat detection techniques, mitigation strategies or response and recovery stages.

Challenges come with benefits

Managing internal and third-party risk has become increasingly challenging in the current world order, and financial entities are pressed to account for how they and their third parties (CCTPs for instance) use and protect their data. With the adoption of this new Regulation, we see strong benefits for financial entities to have a harmonized and comprehensive framework for ICT risk management, and to some extent alignment with the NIS framework. Not only will DORA bring synergies at the EU level, but it will also have the merit to push for a digital single market adoption for financial services. At EY, through our cybersecurity and resilience services, we assist organizations in having trust in systems, design and data, so they can make transformational change and enable innovation with confidence. 

Food for thought

DORA contains certain sanctions and remedial measures that could be applied generally to all entities governed by the Regulation. However, we see differences in the application of these administrative or legal sanctions, along with requested remedial measures.

For the CCTPs, the ESA, as Lead Overseer, will be empowered to request further security measures and address recommendations, including to refrain from entering into a further subcontracting arrangement when the subcontractor is an ICT third-party service provider or a subcontractor established in a third country, and the subcontracting concerns a critical or important function of the financial entity. The Lead Overseer can also impose significant penalties to ensure the CCTPs compliance with DORA requirements. The penalty will take the form of periodic penalty payment of 1% of the average daily global turnover of the organization in the preceding business year for a period no longer than six months following the notification to the CCTP. While issuance of these recommendations is given to the ESA, follow-up and monitoring (as per Art. 37) whether financial entities take into account the risks identified in the recommendations addressed to critical ICT third-party are under the responsibility of the NCAs. In this regard, the NCAs may require financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party provider or even to terminate, in part or completely, the relevant concluded contractual arrangements. In such a situation, one can easily fear the lack of coordination between the ESAs and NCAs in the oversight framework and see potential problems in the follow-up process and lack of harmonization in the different countries. 

What’s next

DORA was published in the Official Journal on 27 December 2022. Alongside the Regulation, a Directive has been published in order to modify the general rules of UCITS, AIFMD and MiFID II to apply the operational risk management obligations addressed in DORA to entities subject to these directives. They shall both apply from 17 January 2025. Some RTS on DORA are expected to be published before the application date.

How can EY help

On the one hand, while DORA brings more attention to the resilience needed to avoid disruption of critical functions and operations, financial entities have already implemented several ICT risks measures, and reached a certain level of maturity. As part of strategy consulting, we support various actors of the financial industry in designing, implementing or assessing the effectiveness and efficiency of ITC risk programs, compliance positions and how risks are managed now and going forward (resilience).

In addition, as DORA pulls CCTPs into the game with increased scrutiny from the competent authorities, EY has developed Third Party Security Risk Management (TPRM) solutions providing a support function for management bodies to identify, evaluate, monitor and manage the risks associated with third parties and contracts. Some of our services are outlined below.

Current state assessments of resilience capability and building a multi-year roadmap

Perform assessment by leveraging existing mapping information (such as business impact analysis, privacy data flow mapping, technology asset inventories) that exists within the organization.

Setting of resilience dashboards and reporting for senior stakeholders

Dashboards and reporting to key stakeholders should be actionable and understandable and include information on significant initiatives, investments, regulatory focus areas and emerging risk themes.

Understanding clients’ critical end-to-end business services, mapping and setting impact tolerances for each of them

Identify important business services to ensure resilience capability is proportionate and help in differentiating which areas need resilience measures due to the harm associated with potential outages.

Profiling third parties and assessing their risk and controls, leveraging client (or EY) technology and framework

Service risk profiling and perform global onsite and remote-control assessment execution across all risk domains (e.g., resilience, cyber, financial health and regulatory compliance).

To view how DORA will impact you and the next steps, please download our DORA brochure 

To view the DORA article, complete with regulatory timelines and graphics, please download our Market Pulse PDF publication.

1. NIS II Directive was published in the Official Journal on 27 December 2022

2. Digital finance package, European Commissions

3. 10 questions sparked by MiCAR, EY Luxembourg

4. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) - EUR-Lex - 32022R2554 - EN - EUR-Lex (europa.eu)

5. For more information on crypto-assets providers and issuers, refer to our special publication on MiCAR

6. National Institute of Standards and Technology

7. European framework for Threat Intelligence-based Ethical Red Teaming