In light of steadily increasing cyber threats, the EU is successively tightening IT security requirements for businesses in the EU. With the update of the NIS Directive (NIS2), companies and organisations from critical and other particularly sensitive sectors in the EU are required to significantly increase their level of cyber security.
For the financial industry in particular, additional requirements in the area of IT security will apply from 2025 under the Digital Operational Resilience Act (DORA). DORA applies from 17 January 2025 and aims to strengthen the IT security of the financial sector. In addition to financial companies, ICT third party providers are also specifically regulated under DORA in order to capture the IT security risks that typically accompany the outsourcing of corresponding services for regulated companies in the financial industry (so-called third party risks). Parts of the DORA requirements are already familiar from existing regulatory and supervisory administrative practice (in Germany for example through BAIT, KAIT, VAIT, ZAIT, MaRisk). However, DORA goes beyond the previously applicable requirements in various places - in some cases significantly - and creates a considerable need for adaptation in the financial industry.
What's new?
Depending on the area of activity and the size of the company, different requirements apply to the technical (systems-level) and organisational side of IT security. Particular importance is attached to organisational and procedural requirements, especially in the context of the obligation to establish an IT security management organisation.
ICT risk management
To increase their digital resilience, financial entities need to establish ICT risk management with a set of requirements and procedures. The need to include ICT risks in risk management is not necessarily new, but DORA now sits across existing Member State administrative legislation (e.g. in Germany BAIT, VAIT), harmonises the approach across the EU, and adds further elements, including by requiring more documentation of concrete procedures. The entire risk documentation must be available in written form so that it is accessible for mandatory internal and external audits.
A comprehensive and well-documented risk management framework is required from financial entities to quickly address and mitigate risks associated with the use of network and information systems and to ensure a high level of digital operational resilience.
Part of the framework will be policies, guidelines, procedures, ICT protocols and tools necessary to protect all information and ICT assets, such as computer software, hardware and servers, but also relevant physical components and infrastructures, such as premises and data centres.
An essential part of this risk management framework is having documented strategies for digital operational resilience, including concrete implementation measures. DORA provides specific and detailed guidance on the methods that need to be in place, including response to ICT-related incidents, mitigation of downtime, data backup and recovery procedures, and internal control functions and conduct of internal audits.
DORA also imposes compliance obligations on management with minimal scope for delegation. Management bodies must be fully involved in risk management and trained to understand and assess ICT risks and their impact on the business activities of the financial company itself.
Reporting obligations and communication
Chapter III is dedicated to the handling, classification and reporting of ICT-related incidents. What constitutes an ICT-related incident is broadly defined as a "single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity".
Financial companies must identify and document a process for handling ICT-related incidents. All ICT-related incidents and significant cyber threats must be recorded. Incidents must be classified by financial companies and their impact determined. Article 18 defines the criteria for this, which are to be further specified in the future by the European Supervisory Authorities (ESAs) in consultation with the ECB and ENISA.
If serious incidents as defined in Article 3 occur, they must be reported to the competent authority in accordance with the stipulated procedure of providing initial, interim and final notifications. In such cases, clients must be informed immediately if the serious incident has an impact on their financial interests. The incident and the measures taken must be explained in order to protect clients from the corresponding risks. Communication plans need to be developed and documented as part of the risk management framework.
Testing of digital operational resilience through test procedures
Under Chapter IV, DORA requires regular testing of digital operational resilience, so financial entities must establish a robust and comprehensive testing programme. The testing obligations under DORA are a significant step up from existing obligations, which means a full review and upgrade of current procedures will be needed.
Under Article 25, tests should be carried out at least annually by independent testers, either internal or external. If internal testers are used, conflicts of interest must be avoided.
For systemically relevant, i.e. particularly large, financial entities (as defined in Article 26), extended tests in the form of threat-led penetration tests (TLPT) are required at least every three years. Affected companies must comply with additional procedural requirements, including for the commissioning of regulated testers.
Third party ICT risks and outsourcing
DORA looks to ensure the resilience of the financial sector throughout the supply chain and therefore sets out far-reaching and in many cases new requirements for the management of ICT third party risks, especially in relation to outsourcing. Financial entities remain fully responsible for compliance with DORA when outsourcing functions. As a result, managing third party risk will become an integral part of the ICT risk management framework.
Before entering into a contractual agreement on the use of ICT services, financial entities are subject to certain assessment and verification obligations. Again, these go some way beyond the existing regime which means outsourcing processes and contracts need to be reviewed and (most likely) adapted.
DORA also introduces comprehensive requirements for agreements between financial entities and third party ICT service providers (Article 30) which supplement and go beyond the current market standards set by the EBA guidelines on outsourcing. If ICT services are used to support critical or important functions, further requirements apply. The new DORA requirements tie in seamlessly with this outsourcing regime for regulated financial market participants, but nonetheless, outsourcing contracts will need to be reviewed and possibly revised.
The governance framework for ICT third party risks is supplemented by reporting to the competent supervisory authorities. Corresponding obligations will in future expose ICT service providers in particular to supervisory audits and generate considerable additional practical effort on the part of the regulated companies.
Also new are the regulations to prevent so-called concentration risks which can arise where services are predominantly awarded to certain individual service providers. (Overly) strong dependencies and "cluster risks" must be avoided, among other things, through pre-contractual risk assessment and documentation obligations. The costs and benefits of alternative solutions must also be taken into account.
This area of regulation is supplemented by the (existing) obligation on regulated financial entities to have ICT third party service providers contractually grant them comprehensive monitoring and termination rights. The new regulations, some of which are quite specific, will require a review of existing outsourcing contracts. They also require the creation and documentation of a so-called exit strategy for each outsourcing project which must be documented before the contract is concluded.
All in all, the incoming requirements will present the companies concerned with major and practically demanding compliance challenges.
Oversight framework for critical ICT third-party service providers
DORA additionally brings an oversight framework for ICT service providers classified as critical.
The classification criteria are specified in Article 31. A number of characteristics are to be taken into account in the classification, including the systemic impact of an operational disruption of the provider and the importance of the financial entities using the service. The Regulation specifies some exceptions. For example, intra-group ICT service providers cannot be classified as critical, which is a considerable relief in terms of intra-group outsourcing.
In Germany, a similar supervisory framework was set up under the FISG. However, the supervisory powers for overseeing ICT service providers under DORA go much further. They include, for example, requests for information and documentation, on-site inspections or even the imposition of penalty payments to force the respective critical ICT third party provider to comply with the legal requirements.
Also worth noting in this context are the strict requirements around using ICT providers based outside the EU. Such providers may only be used by financial entities if the third-country ICT provider has established a subsidiary in the EU within 12 months of its classification as critical. The use of other third country providers may therefore be restricted and requires an appropriate risk assessment prior to the award of the contract.
The designation as "critical" therefore has far-reaching consequences for ICT third party service providers. The ESAs, through the Joint Committee, will publish or update a list of critical ICT third party service providers annually.
Unlike for financial entities, with regard to third party ICT service providers, DORA does not supersede the NIS2 Directive. Instead the two laws run in parallel, which will lead to increased practical complexity.
What should affected (financial) companies do?
Before DORA takes effect in 2025, there is a lot to be done.
DORA takes into account that the extent of digital risks may differ significantly between affected financial entities depending on their size, company profiles or focus of activities. As a result, the Regulation follows a risk-based regulatory approach with due regard to proportionality, and micro-enterprises (such as "small and non-interconnected investment firms" and certain payment institutions) do benefit from exemptions.
Nonetheless, DORA brings changes for a large number of regulated companies, some of which are substantial and so a thorough review must be carried out promptly in order to implement them within the current deadlines.
This should encompass a gap analysis between the guidelines and strategies implemented so far and those that will apply in the future, and will involve reviewing all existing guidelines, processes, policies and accompanying documents. The relevant contracts with third party service providers must also be covered, especially given the new business continuity management and extended test procedures, which are likely to be a particular focus. Management bodies need to implement the extensive governance processes. Not only will this assist with compliance, it will provide a competitive advantage to those who are well prepared.