Introduction of the Digital Operational Resilience Act (DORA)

On 11 May 2022, the presidencies of the European Council and the European Parliament approved the provisional text of the Digital Operational Resilience Act (DORA)[1]. This closes the trialogues phase of this act. The final compromise text of DORA was published on 23 June 2022[2]. Taking account of the next steps in the process of introducing this act, this means that organisations in the financial sector and their IT service providers need to comply with the digital resilience requirements of DORA by the end of 2024. The purpose of the DORA legislation is to harmonise the requirements imposed on managing ICT risks, and in doing so to safeguard the continuity of critical processes within the organisations.

For which organisations is DORA particularly relevant?

It applies in particular to insurance and reinsurance companies, insurance intermediaries, investment institutions, management companies, banks, crypto-asset service providers, institutions for company pension funds and third-party providers of ICT services.

Why is DORA introduced?

The introduction of DORA aims to reduce the societal and economic risks of the increasing cyber threats in the financial sector. It is possible to identify various causes for the rise in cyber threats, such as increased connectivity of cross-organisation information technology, outsourcing IT to third parties, including cloud service providers. Another cause can be found in the continuing digitisation of the financial sector, including digitalisation of financial services and fintech applications on the one hand, and the existence of vulnerable legacy systems within the sector on the other.

Not only financial institutions will be affected by the introduction of DORA. IT service providers operating in the financial sector will also be regulated by the relevant regulators through this law. Audit firms, unlike the previous DORA text, will be excluded from DORA for the time being. An extension to DORA will follow at a later stage for audit firms. On this, it has been decided that this will take place at the latest within three years of the introduction of DORA.

What can you do?

With the publication of the compromise text on 23 June 2022, now is the time for all organisations that are governed by the DORA regulations to jump into action. DORA requires policy and procedural measures, but also verifiable operational measures in the area of digital resilience and the corresponding accountability.

The impact on organisations that are already under the supervision of the Netherlands Central Bank or that Radiocommunications Agency Netherlands, is likely to be less than for organisations that are not. We recommend that you start by identifying the gaps in the existing information-security processes in your organisation in relation to the DORA requirements. This gap analysis can form the basis for a suitable action plan to introduce and embed the DORA requirements in a structured manner. This is a challenging process, and for most organisations the arrival of DORA will involve a significant scale-up of their cybersecurity measures and more integrated management.

The Digital Operational Resilience Act

The DORA legislation rests on five pillars that each have a specific focus. The illustration represents the different pillars. Ultimately, the specific DORA requirements can be part of a uniform ICT Risk Management Framework in order to manage the digital resilience of an organisation in a permanent manner. For each pillar, a number of striking impressions have been given from the new DORA legislation.

Pillar I: ICT Risk Management

• Organisations will have to set up a structured and detailed risk-management process that classifies and monitors the cybersecurity risks from a structured and broad business perspective, and that tests and evaluates the cybersecurity measures. Attention is also required for the risks of legacy systems, complete insight into the existing IT assets and the corresponding risks. The intended result is a high and safeguarded level of cyber resilience.
• The organisation shall produce a uniform ICT risk management framework that includes at least strategy, policy, procedures, IT protocols, and tools. This is required to protect all the information and IT resources, including computer software, hardware, servers, physical components and infrastructure, buildings, data centres and sensitive environments. This highlights that the framework is to be elaborated in detail, based on the current operational IT situation and that it should involve cyber threats in determining risks.
• Organisations should identify and classify all sources of cybersecurity risks. The risks and their classification should be monitored continuously. The classification and monitoring also includes the services of any IT third-party service providers. Important changes in IT resources or infrastructure require a new evaluation of the risks. Periodically or at least annually, a specific risk assessment should be carried out of legacy systems that no longer receive adequate security updates.
• Top management is responsible for the cyber resilience risk management and framework and shall ensure that adequate knowledge of cybersecurity and resilience is available at board level. The responsibilities and tasks for cybersecurity are defined and implemented in the organisation. At the request of the supervisory authority, a financial institution shall be able to present the entire ICT Risk Management Framework and supporting documentation. This framework should also comprise the cyber risks.

Pillar II: ICT Incident Reporting

• DORA has a duty to report serious cybersecurity incidents to the relevant competent authorities and a voluntary opportunity to report less serious incidents. Organisations should have a centralised system for recording IT and cybersecurity related incidents.
• Measures aimed at detection are also a requirement within DORA, and they concern detecting non-conformities in dataflows, network traffic and cyber-attacks in particular.

Pillar III: Digital Operational Resilience Testing

• DORA does not only impose requirements on having an ICT business continuity policy including a recovery plan, but also that this policy is verifiably implemented and that periodic recovery tests are carried out. DORA points out that the outsourced activities to IT third-party providers should also form part of this.
• Testing the cyber resilience is another express element of DORA with specific attention to aspects of the cyber resilience for incident response, disaster recovery and back-up facilities and procedures.
• Carrying out penetration tests should take place on the basis of risk analyses and recognising cyber threats (threat-led penetration testing). These obligations also apply to any IT third-party service providers. Requirements are imposed on the penetration tests in terms of approach and reputation. Penetration tests and red teaming activities must be founded on a risk-based approach and carried out in accordance with a structured approach. Penetration testers must be accredited by a European body or work under professional and ethical rules. 
• Financial institutions should use updated systems, software and tools focused on managing risks and they should be able to cope with any crisis situations and safeguard continuity of processes.

Pillar IV: ICT Third-Party Risk Management

• First of all, DORA is the first legislative framework in the world to give financial supervisory authorities a mandate to supervise IT third-party providers that are crucial to a financial institution, and that includes any Cloud Service Providers (CSPs).
• DORA imposes requirements on contractual agreements between financial institutions and IT service providers regarding cybersecurity, and on IT service providers’ obligations to cooperate with cybersecurity assessments and with off-site and on-site cybersecurity audits by supervisory authorities. It is fairly certain that organisations will have to revise / tighten up the agreements reached in the area of cybersecurity in order to make them DORA compliant.

Pillar V: Information And Intelligence Sharing

• DORA creates a statutory framework for exchanging cyber-threat information and everything that is associated with that, be that techniques, indicators of compromise, or security tooling. This links in well with existing exchanges in the area of cybersecurity, such as the P(ension)-ISAC, P(ayment)I(nstitutions)-ISAC and the F(inancial)I(nstitutions)-ISAC. Smaller financial institutions will have to join sector-based or other Information Sharing and Analysis Centres (ISAC).
• Supervisory authorities have the option to impose fines in the event of non-compliance with the DORA obligations.

Finally, it is important to recognise that there will be additions to the more technical standards in 2023. The finer details of the technical aspects of these measures are with the various European Supervisory Authorities (ESAs).

Conclusions

These are just a few impressions from DORA that suggest that DORA is an all-inclusive and far-reaching act that will have drastic consequences for many organisations in terms of IT-risk management and internal controls, with cyber resilience as the focus. With the adoption of the now agreed text of DORA, organisations have a strong foundation to prepare for the implementation of this act. The European Parliament is expected to endorse DORA in October 2022. It is wise to start now with carrying out the gap analysis with the aim of preparing a roadmap for designing the required “digital resilience risk management framework”, following which there is sufficient time for the further implementation of the required measures before the end of 2024.

In the context of the "Cybersecurity in the DIGITAL Europe" programme, many legislative initiatives have been started, such as adopting the Network and Information Security Directive 2 (NIS2), the European Cybersecurity Certification Scheme for Cloud Services (EUCS) as part of the EU Cybersecurity Act and the EU Data Governance Act.

Footnotes

[1] Raad van de EU,  Persmededeling , 11 mei 2022, Digitale financiën: voorlopig akkoord over eDORA

[2] REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014