Digital Operational Resilience Act (DORA)
Harmonisation of cybersecurity in the entire EU financial sector*
The European Union is placing a strong focus on the digitalisation of the financial sector and the related increased security risks. This has resulted in the publication of the Digital Operational Resilience Act “DORA”, a new European framework for an effective and harmonised management of digital risks in the financial sector.
Jean-François Trapp, partner at Baker McKenzie Luxembourg and Ana Vazquez, director at Baker McKenzie Luxembourg, share their views on the general objectives of DORA and the consequences for financial institutions which DORA may represent.
1. What is DORA’s scope of application and how will financial entities operating in Luxembourg be impacted?
DORA covers a wide range of financial entities, including credit institutions, investment firms, payment and electronic money institutions, central counterparties and trade repositories, authorised alternative investment fund managers, (re)insurance undertakings and intermediaries and crypto-asset services providers.
In addition, DORA also includes certain entities typically excluded from financial regulations. For instance, crowdfunding service providers or third-party information and communication technologies “ICT” service providers (like cloud service providers and data centres) must follow DORA requirements.
DORA also applies to firms that provide critical third-party information services, such as credit rating services and data analytics providers.
The question was raised whether Luxembourg professionals of the financial sector (PFS), such as specialised PFS and support PFS, were impacted by DORA. In this respect, the CSSF has confirmed on the new webpage, launched at the end of March 2024 and dedicated to DORA, that specialised PFS and support PFS do not qualify as a “financial entity” within the meaning of DORA. Therefore, these entities do not fall under its scope.
However, without prejudice to the foregoing, the CSSF takes the view that by nature of the services offered, certain PFS will be considered under DORA as ICT third-party service providers.
It is worth mentioning that all financial entities and third-party ICT service providers have until 17 January 2025 to comply with DORA before enforcement starts.
2. What are the so-called five key pillars of DORA?
DORA represents a significant step forward in enhancing the digital operational resilience of the financial sector in Luxembourg and across Europe. It imposes new obligations on financial entities and certain ICT service providers, requiring them to implement robust measures to manage and mitigate ICT risks, which rely on five domains:
a) ICT risk management. The first pillar concerns the adoption of a comprehensive ICT risk management framework and governance to address evolving digital risks. In particular, financial institutions shall ensure that their ICT documentation (procedures, policies, controls and tools) complies with DORA requirements.
ICT governance shall also be adapted. The Regulation explicitly requires that members of the management body of the financial entity actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by regularly following specific training commensurate to the ICT risk being managed. Furthermore, members of the management body must play an active and central role in steering and adapting to DORA the entity’s ICT risk framework and overall digital resilience strategy.
b) ICT incident management and reporting. The second pillar concerns ICT incident management and reporting. Financial institutions shall use a streamlined procedure to log and classify ICT incidents and report major incidents to authorities. DORA also requires financial entities to voluntarily notify competent authorities about an important cyber threat.
c) Digital operational resilience testing program. The third pillar requires that financial institutions regularly perform assessments, such as vulnerability assessments, penetration testing, and scenario-based exercises.
All critical systems and processes will be put through rigorous and thorough testing by DORA to ensure that they can resist and bounce back from operational shocks.
d) Strategy for ICT third-party risk. Obligations are imposed on financial institutions to adopt and regularly review their strategy in order to regularly assess the risks coming from ICT third-party service providers, including cloud computing services.
The strategy for ICT third-party risk should include a policy on the use of ICT services supporting “critical or important functions” provided by ICT third-party service providers.
In addition, financial organisations must make sure that their third-party providers meet the same demanding requirements for operational resilience. This involves carrying out due diligence, monitoring performance, and making sure contractual agreements have clauses that mandate compliance with DORA requirements.
A register of information related to all contractual arrangements on the use of ICT services shall be maintained.
e) Information and intelligence sharing. The fifth pillar provides for the possibility, on an optional basis, for financial entities to exchange information and intelligence about cyber threats, enhancing the financial sector’s overall capacity to identify, respond to and reduce ICT risks.
The above requirements will be enforced according to the proportionality principle, meaning that smaller entities will not be held to the same standards as major financial institutions.
3. What are the potential challenges for firms in complying with the new rules resulting from DORA?
2024 is the year of implementation work for in-scope financial institutions, which shall prepare for the expected entry into force of DORA on 17 January 2025 — a mere nine months from now. It is worth mentioning that this implementation deadline will not be extended, as set out under article 64 of DORA.
Therefore, from the perspective of the industry, we anticipate a rather challenging task ahead. It will indeed be necessary to adapt to the new framework despite insufficient clarity and certainty about what is requested from financial entities.
As you may know, DORA has tasked the European Supervisory Authorities (ESAs), i.e., EBA, EIOPA and ESMA, to jointly develop 13 policy instruments, organised in two batches, which will complement DORA’s key pillars.
On 17 January 2024, the ESAs published the first batch of policy mandates. The consultation period for the second batch ended only on 4 March 2024.
The various legal instruments will be finalised by the ESAs and submitted to the European Commission by 17 July 2024. Once these delegated regulations are reviewed and adopted by the European Commission, they will need to be adopted by the European Parliament and the Council and published in the Official Journal.
In our view, the challenges with navigating the secondary legislation add a further layer of complexity around implementation for financial entities falling within the scope of DORA.
Indeed, they will not have complete certainty on what is required from them until secondary legislation gets fully adopted. However, waiting until the finalisation of such secondary legislation may not leave enough time for affected entities to complete implementation before the January 2025 compliance deadline.
Therefore, being able to start performing or updating a gap assessment based on DORA’s requirements and the first batch of policy mandates released so far will be of paramount importance for financial institutions this year.
4. Could you provide us with your views on what are the implications of DORA for third-party service providers, especially as regards contracts?
As discussed, one of the key pillars of DORA is to assess and monitor the risks coming from ICT third-party service providers, including cloud computing services.
All contracts involving a financial entity and ICT third-party service providers must meet the requirements set out under DORA.
Such requirements are more stringent for providers that support “critical or important functions” (as defined in article 3 of DORA) and shall have an impact on both new and existing contracts. On 17 July 2024, additional technical standards will be released detailing the evaluation of ICT third-party service providers in the context of subcontracting “critical or important functions.”
This means that, in preparing for these changes, financial entities will, on the one hand, need to review those services that fall under the DORA definition of ICT services.
On the other hand, third-party service providers, especially those in the cloud services sector, should start conducting a thorough review of their current services and contracts. They should identify any areas where they may not be compliant with DORA’s requirements and take steps to address these gaps. This could involve renegotiating contracts, implementing new security measures, or changing their service offerings to ensure they can provide the required assistance to financial entities.
5. What is the voluntary “dry run” exercise launched by ESAs?
The Regulation requires financial entities, as part of their ICT risk management framework, to maintain and update at entity level, as well as at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services.
To facilitate compliance with this requirement, the ESAs announced on 11 April 2024[1] a voluntary exercise for the collection of the registers of information of contractual arrangements on the use of ICT third-party service providers by financial entities.
This exercise aims to assist financial entities in establishing their information registers. It will provide support in building these registers, testing the reporting procedure, addressing data quality issues, and improving internal processes related to the registers.
By the end of May 2024, financial entities will receive a preliminary Data Point Model (DPM) from the ESAs. This will be accompanied by specifications, guidelines, an Excel-based template, and a tool for converting these templates into CSV files. These resources will guide financial entities in setting up their registers according to the ESAs’ specifications.
The ESAs have outlined a timeline for the dry run. An introductory workshop for financial institutions will be held on 30 April 2024. The provision of resources and tools to collect data is expected to be launched in May 2024, with participating financial entities expected to submit their registers of information through their competent authorities between 1 July and 30 August.
Participating financial institutions will receive feedback on their data quality and a refined dataset from their regulatory authority. The ESAs will also release a report on data quality insights and organise workshops to share the results with the sector.
It is to be noted that the CSSF, through a communication issued last 17 April, encourages financial institutions falling within its supervision to participate in the voluntary dry run.
We believe that this dry run initiative coming from the ESAs will be welcomed in the market, as it will assist in identifying trouble spots. It will also help in getting a better understanding of how this DORA requirement to establish a register of information on the use of ICT services fits together with existing requirements on outsourcing resulting from CSSF Circular 22/806 or CAA Letter Circular 22/16.
[1] https://www.eba.europa.eu/publications-and-media/press-releases/esas-run-voluntary-dry-run-exercise-prepare-industry-next-stage-dora-implementation
*Slides of this presentation on request. Please contact Daniel@amcham.lu.