DORA is coming – financial institutions and third-party ICT providers are set to become more digitally resilient by 2025 thanks to regulation


Regulation will strengthen the resilience of financial institutions as well as enhance their digital performance

DORA in a nutshell

The EU Digital Operational Resilience Act for the financial sector, known as DORA, came into effect on January 16th this year.

The aim of the directive is to strengthen the resilience of the European financial sector against information and communication technology (ICT) risks, such as IT failures and cyberattacks, by introducing standard security requirements for network and information systems.

DORA is part of a package of measures put forward on September 24th, 2020 to digitalize the financial sector, through which the European Commission intends to strengthen competitiveness and innovation.

On the one hand a European approach is intended to promote the development and use of new technologies and products and on the other, to guarantee financial stability whilst protecting consumers and investors. With the new regulation, the supervisory authorities not only want to improve IT security and cyber defense in the European financial sector, but also expand their own associated supervision.

Companies in the financial services sector have a period of 24 months to implement the regulation.

European Supervisory Authorities (ESAs) include, for example, the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).

Background of the new directive

Due to the use of innovative technology, supervisory authorities are focusing on new types of risks.

Digitalization has become an integral part of the banking industry, and not only since the Covid pandemic.

  • Most customers use digital products as a matter of course nowadays; gone are the days when digital account opening was seen as an exciting innovation.
  • Financial service providers that do not leverage the efficiency offered by new technologies such as automation, cloud, big data and data mining are no longer competitive, or will soon lose their competitive edge.
  • The flexibility that digitalization provides in daily work is playing an important role when it comes to recruiting and retaining employees.

However, the integration and use of innovative technology goes hand in hand with new types of risk.

IT security as a focus point in banking supervision

The growing digitalization and use of IT products is increasing the dependency of financial companies on information and communication technology (ICT) and makes them particularly vulnerable to associated disruptions or threats. This can compromise data security, resulting in data loss and restricted business activities.

With regard to consumer protection and possible effects on affected financial institutions and other companies associated with them, digital operational resilience in the financial sector is increasingly becoming the focus point of banking supervision.

BaFin (the German Federal Financial Supervisory Authority) already highlighted cyber risks in 2022, and they remain a particular focus point alongside five other major risks in 2023.

The BaFin has also identified “digitalization in the financial sector” as one of the three major future trends harboring risks that the BaFin and the companies under its supervision will have to tackle intensively.

With the directive on digital operational resilience in the financial sector, the supervisory authorities now aim to create increased “digital operational stability”.

Companies within the scope of application

DORA concerns third-party ICT providers as well as financial companies.

In addition to the existing regulations, the supervisory authorities plan to use DORA to ensure that new technologies and products fall within the scope of financial market regulation and the regulations governing the control of operational risks in companies operating within the EU.

In order to fulfill this aim, DORA is amending previous applicable requirements and specifications for regulated banks, insurance companies and payment service providers. The security measures required to prevent and protect against the effects of ICT failures and cybersecurity incidents are specified or extended.

This also significantly increases the number of companies within the scope of application. The scope of application defined in Article 2(1) of the directive also includes, among others, crypto service providers, trading venues, rating agencies, data reporting service providers and insurance brokers. Because the financial sector depends on third-party (or even fourth-party) providers and their IT security, the inclusion of “third-party ICT providers” also extends the supervisory framework to third-party ICT providers operating in the financial sector.

DORA applies to every company that provides IT services to financial companies. The definition of these services includes “digital services and data services provided via ICT systems on a permanent basis to one or more internal or external users, including hardware as a service and hardware services, including technical support by hardware providers through software or firmware updates, with the exception of traditional analog telephone services”.

This means that companies providing digital services and data services, cloud computing services, software, data analysis services and data centers for financial companies will in future be directly subject to the new regulation. According to the principle of proportionality, fewer requirements apply to smaller companies (so-called micro-enterprises with fewer than 10 employees and an annual turnover or balance sheet total of less than €2 million).

The new directive, which is to be implemented by 17.01.2025, therefore concerns not only financial companies but also companies that were not previously directly regulated. The first step for companies that could potentially be affected should be to check whether, and to what extent, they will actually be affected, taking into account the legal exceptions and the dependency of certain requirements on the size and specific activity of the company.

Operational implementation of requirements

Operational implementation in the affected companies involves different units.

The requirements to be implemented relate to different divisions and therefore involve different organizational units and positions within the company. The main units concerned are IT, information security management, business continuity management and (central) outsourcing management. The directive stipulates implementation in four main areas:

  • ICT risk management with IT security, ISM and BCM requirements (chapter II);
  • Guidelines on incident management and the reporting of ICT-related incidents (chapter III);
  • Requirements for testing digital operational resilience (chapter IV);
  • Management of third-party risks throughout the entire outsourcing chain (chapter V).

The remaining chapters define non-mandatory requirements or requirements addressed to the supervisory authorities.

Overview of the 5 focus points of the Digital Operational Resilience Act DORA

The affected companies currently have a window of just under two years before 17.01.2025, when the directive will become applicable, its implementation will be checked by the national supervisory authorities and compliance will be enforced. However, certain parts of the DORA framework are still being prepared:

  • the legal acts delegated at EU level
  • the guidelines to be created by the responsible EU supervisory authorities, the Regulatory Technical Standards (RTS), and the Implementing Technical Standards (ITS).

Companies within the scope of application should nevertheless start their implementation projects in good time and take advantage of the 24-month implementation period.

This also applies to companies that are already regulated, such as banks, insurance companies and payment service providers, even though many of the DORA requirements are identical to the applicable statutory guidelines and are therefore presumably already covered. Although these companies are well-versed in implementing applicable requirements, they can still expect substantial implementation work due to the clarifications and additions that come with the new directive. They must also ensure that their third-party ICT providers implement DORA appropriately or, if necessary, part company with them before the deadline.

Implementation should begin with a scope analysis that defines the scope of application for the company concerned. By locating the requirements to be implemented within the existing organization, the responsible units and positions that need to be incorporated and coordinated in an overarching implementation project can be identified for the gap analysis, implementation planning and rollout. An audit readiness verification is then recommended in order to be prepared for forthcoming audits.

DORA implementation in 6 steps

Our experts look forward to welcoming DORA and will be happy to answer any questions you or your organization may have.