DORA? What is it about?
The EU Regulation 2022/2254 “Digital operational resilience for the financial sector and amending regulations”, or DORA, published in the Official Journal of the EU on December 27, 2022, establishes a detailed, comprehensive and unified supervisory framework aimed at improving the digital operational resilience of financial companies within the EU, including third-party ICT service providers. The aim of DORA is to enable these companies to optimize their ICT risk management in order to mitigate their vulnerability to ICT disruptions and cyber threats along the entire value chain.
ICT risks, including ICT third-party risks, are not to be overcome (exclusively) through quantitative measures such as capital requirements for operational risks, but also through targeted qualitative measures. In addition, for the first time, DORA establishes a legal framework for the direct monitoring of critical third-party ICT service providers (especially large cloud computing service providers).
Being an EU regulation and thus a binding legislative act with immediate legal effect, DORA did not need to be implemented on the level of national legislation and came into force directly on January 16, 2023. As of this date, financial companies have 24 months to implement all regulatory requirements; no further transitional provisions are currently planned. Until then, further regulatory technical standards (RTS/ITS) are to be expected, which will specify the existing regulations and are to be published by the ESAs after 12 and 18 months, respectively.
DORA constitutes new regulations for establishing a framework for ICT risk management, incident reporting, operational resilience testing and third-party ICT risk monitoring.
Who is affected by DORA?
DORA applies – with only a few exceptions – in principle to all regulated financial firms in the EU and, in particular, also to ICT third-party service providers. Compared to the two EBA guidelines on ICT and security risk management and EBA guidelines on outsourcing, DORA covers a larger number and more types of financial firms.
Its requirements apply not only to credit institutions, insurance companies and investment firms, but to all companies that are active in the financial industry, such as payment institutions, asset management companies and rating agencies, as well as ICT and crypto-related service providers. Individual exceptions, such as in the area of development banks, can be defined at a national level.
What needs to be done in concrete terms?
Most of the DORA requirements are already known from existing regulations and supervisory administrative practice, such as MaRisk in conjunction with BAIT and the EBA Guidelines. With DORA, these are specified in more detail, expanded and amended with new, additional aspects.
In this context, the principle of proportionality is applied. The implementation of the requirements shall take into account the size and overall risk profile of each institution, as well as the nature, scope and complexity of their services, activities and operations. It can be assumed that the principle of proportionality will affect detailed aspects in audit practice, but that the basic DORA requirements will have to be met regardless of the size of each individual institution.
However, not all financial firms are facing the same number of challenges; this depends largely on the type and regulatory maturity of each institution.
Institutions that already meet regulatory requirements for IT, such as XAIT, and are aligned with international standards, such as the ISO 27xxx family, are at a good starting point for meeting the DORA requirements. However, there are a large number of developments that will lead to significant expenses for them, as well.
zeb has analyzed the DORA requirements in detail and identified what different types of financial firms need to do in order to fulfill them. The DORA requirements were compared with those from existing regulations (BAIT, MaRisk, EBA Guidelines according to PSD2) in order to determine what needs to be done, depending on different degrees of maturity. Our analyses show that the greatest implementation efforts are to be expected in the areas of ICT risk management (Chapter II) and ICT third-party risk management (Chapter V).
Below, the DORA requirements are summarized along the five main topic areas relevant to financial firms. In addition, as an example, the expected need for action for a credit institution (LSI) is presented in excerpts and with a certain degree of abstraction.
1) ICT risk management (Chapter II)
- The regulations are intended to better align the business strategies of financial firms and their implementation of ICT risk management. Therefore, the management body will have a stronger personal obligation to coordinate and take responsibility for ICT risk management.
- To keep pace with the rapidly evolving cyber threat landscape, financial organizations must establish and maintain resilient ICT systems and tools. These should be designed to minimize the impact of ICT risks, continuously and fully identify their sources, establish protection and prevention measures, instantly detect anomalous activity, and implement dedicated, comprehensive business continuity policies as well as contingency and recovery plans as an integral part of the operational business continuity process.
DORA does not prescribe any specific guidelines for this. Instead, the requirements are based on relevant international, national and industry-specific standards, guidelines and recommendations and define certain functions of ICT risk management (identification, protection and prevention, detection, response and recovery, further development and communication).
“Against the background of BaFin increasingly imposing fines, it should not be underestimated that DORA legally anchors ultimate responsibility with the management body for the first time.”
– Dr. Markus Escher, Partner Banking Regulatory Law at GSK Stockmann
Need for action:
2) Handling, classification of, and reporting on ICT-related incidents (Chapter III)
- Financial firms must establish and implement a management process to identify, track, log, categorize and classify ICT-related incidents. Serious ICT incidents must be reported to the relevant authorities using a pre-defined template. In order to harmonize the reports, the incidents must be classified according to specific criteria.
Need for action:
3) Testing digital operational resilience (Chapter IV)
- The capabilities and functions defined in the ICT risk management framework must be tested on a regular basis to ensure their functionality, cyber resilience and operational readiness at all times, to identify any weaknesses, deficiencies or gaps, and to instantly take any necessary remedial action. In this context, DORA allows for proportionate implementation of operational stability testing requirements, depending on the size as well as the business and risk profile of the respective financial firm. The necessary tests range from standard tests of ICT tools and systems for smaller institutions to advanced tests based on TLPT (Threat-Led Penetration Testing) for significant financial firms.
“With the explicit requirement of penetration tests based on TLPT, financial firms as well as ICT third-party service providers are facing increased testing intensity demands. Especially in contracting, this will result in additional expenses when purchasing ICT services.”
– Roger Buschmann, Senior Manager at zeb
Need for action:
4) Management of ICT third-party risk (Chapter V)
- Key principles for reliable ICT third-party risk management (Chapter V.I): DORA is intended to ensure reliable monitoring of ICT third-party risk, including, in particular, an analysis of the concentration risks associated with multi-client service providers. The regulation defines principle-based rules and standardizes key elements of services from and relationships with ICT third-party service providers. These elements include minimum aspects for complete monitoring of ICT third-party risk by the financial institution along the entire life cycle of outsourcing or other external procurement of IT services, including the associated contractual relationships (closing, implementation, termination, post-contractual phase).
“All ICT services provided by third-party ICT service providers fall within the scope of DORA. It does not matter whether they are currently classified as IT outsourcing or other external procurement of IT services. It can be assumed that the need for adjustments will be higher for any external procurement of IT services other than IT outsourcing (esp. for the topics of risk analysis, contract content and ongoing service provider monitoring).”
– Alexander Geißler, Senior Manager at zeb
Need for action:
- Conferring powers to financial supervisory authorities to monitor the risks of critical third-party ICT service providers (Chapter V.II): In order to align the different supervisory approaches to ICT third-party risk in the financial sector, critical ICT third-party service providers will be subject to a supervisory framework provided by the EU. To this end, the ESAs, which will be designated as lead supervisors for each of those critical third-party ICT service providers, will be given powers within the scope of a new harmonized legal framework to ensure that system-critical technology service providers are adequately supervised on a pan-European level.
“With DORA, financial supervisory authorities now have direct access to ICT service providers. This will particularly affect hyperscalers in the area of cloud computing as well as large CBS providers. For financial firms, this may well be of advantage in contract negotiations and, ideally, lead to a relief in service provider management, in the long term, if some sort of ‘DORA 3.0’ gets implemented.”
– Stephan Sahm, Senior Manager at zeb
5) Agreements on the exchange of information (Chapter VI)
DORA allows financial firms to enter into joint agreements to share information and intelligence on cyber threats.
This is intended to raise awareness of ICT risks as well as minimize the spread of threats, with the goal of supporting financial firms’ defense capabilities and technical solutions for threat detection.
What are the key success factors for the implementation of DORA requirements?
In order to fulfill DORA’s many requirements in less than 24 months, it is essential to address them early, to analyze how existing procedures and methodologies need to be changed and to develop a concrete implementation plan.
The analysis and implementation planning requires an overarching understanding of risk management at financial service providers – from the various facets of provider management to cyber threats to measures that mitigate them or improve overall resilience.
Seven factors are essential for the successful implementation of DORA requirements:
- DORA is an overarching issue, so the first and second line of defense elements, such as IT, risk management, emergency management, information security, outsourcing management, and the legal department, require a stronger incorporation and closer interconnection.
- ICT risks must be integrated into each institution’s overall risk management system. The definition of a comprehensible risk taxonomy/methodology that is free of overlaps and adapted to the risk distribution of the institution is critical to success, so that allocation, management and responsibility for information and outsourcing risks or cyber risk, for example, are unambiguously defined.
- In order to consider all minimum contents according to DORA in a legally secure way when adapting IT service contracts, a functional/technical understanding of the service contracted out to a third party, experience with existing EBA/BaFin regulatory requirements and legal expertise are all indispensable.
- Medium-sized third-party ICT providers in particular may be late in dealing with DORA and the resulting obligations for them, so they may not have enough time to optimally adapt their service contracts. Therefore, you should contact your strategically relevant IT service providers early on to agree on a roadmap.
- In addition to strategy, guidelines and policies, measures to improve digital resilience often involve concrete implementations in technology or in processes. This requires not only a strategic/conceptual view, but also knowledge and skills regarding concrete software solutions up to their implementation and/or methods from change management. This is the only way to ensure that the measures are effective for both man and machine and that the prescribed tests are successful.
- Ongoing regulatory initiatives should already take the new requirements into account in areas that are affected by DORA in order to leverage synergies.
- Since DORA has already reached a high degree of maturity in all but a few topics, it is essential to start immediately with the implementation and not wait for the RTS/ITS to be published.
DORA: conclusion and outlook
DORA is aimed at creating a unified and comprehensive supervisory framework with the goal of improving the digital operational resilience of financial firms in the EU. However, many financial companies and also third-party ICT service providers are facing challenges due to the considerable number of new requirements and the short implementation period. Thus, we recommend looking into the DORA requirements at an early stage.
First of all, it is important to understand these requirements and to derive needs for action as well as concrete measures so that a prioritized implementation plan can be developed. For the analysis, for example, zeb’s newly developed DORA check-up tool can be used, which contains a variety of information for each requirement, such as guiding questions, typical result objects or detailed needs for action. This lays the foundation to ensure a successful implementation of measures to fulfill the DORA requirements in the second step.
Since MaRisk and BAIT are “nothing more than” administrative guidelines that are as legally binding as a circular, orders issued by BaFin in this regard usually take the long route via the German Banking Act (KWG) Sec. 25a para. 2. In contrast, DORA, being an EU regulation, has immediate “legal character”. Article 50 requires EU member states to establish “appropriate administrative penalties and remedial measures for breaches of this Regulation”, which must be “effective, proportionate and dissuasive”.
In the course of this, we expect a “tangible” catalog of fines that will directly hold management personally accountable, particularly with regard to the requirements for ICT risk management and governance. To avoid violating the law and being fined, affected companies must implement DORA with the utmost care and accuracy over the next 23 months.