The Digital Operational Resilience Act (DORA), a landmark piece of legislation focused on the Information and Communication Technology (ICT) operational resilience of financial entities, was adopted on 28th of November. It is expected to be finalised by the end of the year, with compliance by firms expected from as early as Q4 2024.
DORA’s introduction took place in September of 2020, when the European Commission tabled a proposal for a new regulation centered around the digital operational resilience of the financial sector. This proposal was followed by a provisional agreement on DORA’s content in May of this year.
The EU’s financial sector is regulated by a single rulebook, governed by the European system of financial supervision. However, as stated in the most recent information note published by EUR-Lex on the 14th of November this year, this rulebook lacks provisions tackling digital operational resilience and ICT security:
“Provisions tackling digital operational resilience and ICT security are not yet fully or consistently harmonised, despite digital operational resilience being vital for ensuring financial stability and market integrity in the digital age, and no less important than, for example, common prudential or market conduct standards.”
DORA is expected to bring as many as 20 already regulated financial entity types into its scope, in addition to technology and data service providers, which include both cloud and non-cloud computing providers. Furthermore, third-party service providers, who increasingly supply financial entities with their ICT solutions, will also be brought into the scope of DORA.
DORA will also apply to the crypto-asset service providers which fall into the scope of the recently approved Markets in Crypto-Assets (MiCA) regulation:
Full list of entities falling under DORA regulation:
- credit institutions;
- payment institutions;
- account information service providers;
- electronic money institutions;
- investment firms;
- crypto-asset service providers;
- central securities depositories;
- central counterparties;
- trading venues;
- trade repositories;
- managers of alternative investment funds;
- management companies;
- data reporting service providers;
- insurance and reinsurance undertakings;
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
- institutions for occupational retirement provision;
- credit rating agencies;
- administrators of critical benchmarks;
- crowdfunding service providers;
- securitisation repositories;
- ICT third-party service providers.
The motivation for regulating financial entities, crypto and non-crypto alike, is plain to see. ICT infrastructure is now the lifeblood of most, if not all, operational functions of financial entities. The crypto industry alone faced an estimated total of $14 billion in hacker-related losses in 2021, with the rate of cyber-attacks and fraud incidents increasing in 2022.
So, what does this mean for the financial entities (inclusive of crypto-asset service providers) of the European Union, and what changes can they be expected to make?
The requirements set forth by this new legislation, for all those that fall under its scope, have been divided into five core pillars, details of which can be found in the latest provisional agreement.
- ICT risk management requirements.
- ICT-related incident reporting.
- Digital operational resilience testing.
- ICT third-party risk management.
- Information and intelligence sharing.
The new legislation shall better align intercompany and interstate ICT risk management practices, while also aiming to “establish a single EU Hub for major ICT-related incident reporting”, instead of separate national databases.
There is also a definition of “critical” ICT third-party service provider that will most probably impose certain limits on service providers from outside the Union. Also, depending on the required competence, either the European Banking Authority, the European Securities and Markets Authority or the European Insurance and Occupational Pensions Authority will be assigned to oversee the critical third-party service providers in the role of “Lead Overseer”.
At the individual company level, the impacted functions will now need to conduct a gap analysis of the requirements against their current processes and procedures to identify the extent of the work required to ensure compliance with DORA. All of this will add significantly to their compliance costs.
Once the Act is finalised and implemented, it will then be passed into law by each EU member state. EU-wide supervisory authorities will develop technical standards for the entities to abide by. The enforcement of DORA will be maintained by the respective national authorities. If you want us to look in more detail at how DORA regulation is implemented at the EU member state level, leave us a comment.