In a renewed effort to address the danger posed by the proliferation and increasing severity of cyberattacks, the European Parliament approved the Digital Operational Resilience of the Financial Sector (DORA) directive on Thursday, November 10. The EU Parliament also approved the NIS2 directive, which is intended to improve cybersecurity resilience in other sectors of the economy.
Both DORA and NIS2 are part of the same regulatory framework. DORA is intended to mitigate operational risks in information and communications technologies (ICT) in finance. Specifically it is an attempt to make ICT operations, which underpin many of the basic activities in the finance sector, more resilient in the face of disruption and cyberattack.
The interconnectedness and cross-border nature of the finance eco-system means that it represents a systemic risk to economies, with disruption in one system or geography having the potential to spread and infect other geographies and, ultimately, the entire financial system. Disruption in the finance sector would not only have a detrimental impact on businesses, but also individuals. The legislators are not only concerned about the soundness of banks and other financial institutions, but also the potential for a loss of confidence and trust in the markets in an instance of widespread disruption.
DORA’s range
DORA applies to a very comprehensive list of financial market participants, including, amongst many others:
- credit and payment institutions;
- investment firms;
- authorised crypto-asset service providers and token issuers;
- central counterparties;
- trading venues and repositories;
- insurance and reinsurance firms;
- data reporting service providers;
- credit rating agencies;
- ICT third-party service providers.
These disparate entities are all designated “financial entities” in the Directive and are all required to have in place a governance and control framework to manage ICT risk. The objective is to ensure a high level of digital resilience.
Managing resilience
Financial entity management is responsible for the implementation and management of this framework. Responsibilities are wide-ranging and cover all aspects of ICT operations, including:
- appropriate policies;
- roles and responsibilities;
- governance;
- digital operational resilience strategy;
- risk tolerance;
- business continuity policy and plans;
- ICT audit and internal audit;
- adequate budgeting;
- training and awareness;
- third-party service arrangements.
Communication and information sharing is another major aspect of the Directive, with ICT-related incidents needing to be identified, recorded, classified and reported to management and to the regulator. The reporting of cyber-threats remains voluntary, which is probably a tacit acknowledgement of the sheer number of these and the resulting potential reporting burden. The regulatory reporting will be subject to technical standards that are to be developed by the regulators in consultation with the European Union Agency for Cybersecurity (ENISA) and the ECB.
The Directive also includes requirements for testing, which are critical to ensuring that the measures put in place to make ICT operations more resilient can actually do so in the face of attempts to compromise them. Testing potentially includes assessment and analysis as well as scenario-based, end-to-end and penetration testing.
Security threshold
Financial institutions are responsible for ensuring that all of the outsourcing arrangements they have in place for ICT services comply with the Directive’s requirements. All ICT service outsourcing arrangements must be fully documented and also reported, on an annual basis, to the relevant regulator.
Due diligence of the third parties, along with an appropriate risk assessment, is a requirement, and outsourcing is only permitted with entities that comply with appropriate security standards.
Finally, organizations that outsource ICT services supporting critical or important functions must put in place exit strategies in case of problems with the third party providing those services. The exit arrangements must be sufficiently robust to avoid business disruption, deterioration in service quality and non-compliance.
Under the new rules the contractual arrangements with outsourcers must include, at a minimum, certain very specific elements:
- Description of functions and services (including an indication whether subcontracting is permitted).
- The location where functions and services are provided and where data is processed.
- Provisions around data protection.
- Provisions ensuring data access and recovery.
- Service level descriptions.
- An obligation to provide assistance in the case of an ICT incident connected to the service being provided.
- An obligation to cooperate with the relevant regulator.
- Termination rights and notice periods.
Where critical or important services are being outsourced, the contractual arrangements above must also be supplemented with:
- measurable performance targets;
- reporting obligations;
- adequate business contingency and security measures;
- an obligation to cooperate in penetration testing;
- the right to monitor performance (including unrestricted access);
- exit strategies.
In addition, the rules envisage an oversight framework for third-party providers designated as critical, along with more detailed technical standards, to be developed by local regulators, in connection with ICT service outsourcing arrangements.
For anyone operating in the financial services eco-system – whether a financial institution or a service provider – the eventual adoption of DORA is likely to lead to at least some work in ensuring full compliance. Because of the relative paucity of regulatory scrutiny of ICT and connected arrangements in the past, it may well result in significant work to make internal processes and outsourcing arrangements fit for purpose under this new regulatory regime.