Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, known as the Digital Operational Resilience Act (DORA) came into effect on January 16, 2023, and marks the EU’s most comprehensive framework on operational resilience and cybersecurity within the financial sector.
Companies affected by DORA now have until the beginning of 2025 to meet the requirements. This means that the clock has started ticking for Swedish financial entities to integrate the regulation into their operations.
Expanding focus of supervision
DORA expands the focus of the EU’s financial supervisory authorities (ESAs), whose main task is to ensure that companies are financially resilient and can maintain operations during serious disruptions. The regulation shifts the focus to also ensuring how well they can maintain operations and withstand various incidents, cyber threats and IT issues. The introduction of a unified supervisory approach for all relevant sectors throughout the EU ensures both convergence and harmonization of previous practices regarding cybersecurity and resilience to various digital incidents.
It is important for both financial entities and providers of information and communication technology services (ICT services) to understand the changes that DORA will bring, affecting everything from license application, supervisions by the Swedish Financial Supervisory Authority (FI), internal governance and supplier agreements to incident reporting and ICT system testing.
DORA’s purpose is to harmonize and strengthen requirements regarding the management of operational risks, especially ICT services, in financial entities. Due to the increased digitization and the rapid development in the financial services sector and the increased vulnerability to cyberattacks, it has been recognized by multiple European authorities and international organizations that the previous regulations are not sufficient to address today’s challenges.
DORA sets requirements for ICT-related risk management, incident management, testing and management of third-party risks. It also establishes a harmonized European supervisory framework for critical ICT third-party service providers, new supervisory and sanction provisions for financial entities, and rules for common information exchange.
Scope and relationship to other regulations
DORA intends to cover, with a few exceptions, all financial entities and sets requirements for the security of these companies’ network and information systems, for example electronic communication networks enabling the transmission of signals in any way, regardless of the type of information transmitted. Such security is typically ensured through the use of ICT services, for example digital services continuously provided through ICT systems.
ICT systems encompass all of a company’s digital services and processes, including cloud services, but DORA does not expressly define the term “ICT system”.
There are certain companies that, due to their size, are exempt from or benefit from certain relief measures in the scope of DORA, such as microenterprises.
Certain security requirements relating to ICT systems are also found in the Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive).
ICT risk management
Governance and organization
DORA introduces an obligation for financial entities to implement an internal governance and control framework (ICT risk management framework) that describes the company’s management of ICT risks, that is, all risks that, if they occur, could threaten the security of a company’s network and communication systems.
The ICT risk management framework should be an integral part of the company’s risk management and should include strategies, guidelines, and procedures necessary to protect the company’s ICT assets (including physical assets and infrastructures, in addition to ICT systems) from damage and unauthorized access. The existing risk management frameworks of companies should serve as a starting point for incorporating the considerations required by DORA.
Organisationally, the board of directors bears the ultimate responsibility for compliance with DORA. The management and monitoring of a company’s ICT risks should, however, be continuously handled by an independent control function. DORA does not provide detailed provisions on how the organization should be structured, for example in relation to smaller companies.
Considering how smaller companies are normally managed under existing regulations on internal governance and control in, for example, credit institutions and insurance companies, smaller companies with less complex operations are likely to combine different control functions, provided they can explain why their organization is suitable. Outsourcing of the control function is also allowed if, as customary in outsourcing, the financial entity retains control over the function through appropriate arrangements.
As part of the ICT risk management framework, a financial entity should also have prepared crisis communication plans targeting both customers and the public, as well as counterparties.
ICT systems
Financial entities should use updated ICT systems, ICT protocols, and ICT tools that are appropriate, reliable, and have sufficient capacity to process the data required to operate their business to manage ICT risks.
Financial entities should also identify and classify business functions supported by ICT systems appropriately to assess exposures and dependencies on individual systems and their mutual interdependencies. As part of this identification, companies are also required to identify dependencies on third-party ICT system providers.
Additionally, financial entities need to have documented strategies, guidelines, and procedures for the protection of ICT systems, including encryption, automated mechanisms to isolate information assets during cyberattacks, appropriate strategies for software fixes and updates, access limitation, and such like. Mechanisms for detecting abnormal activity and identifying single points of failure should also be in place.
ICT incidents
DORA requires financial entities to have a process for detecting, managing, and reporting ICT-related incidents. The reporting requirement under the Swedish Payment Services Act (2010:751) will cease to apply to financial entities covered by DORA, even if the incidents are not ICT-related.
The process for managing ICT-related incidents under DORA should include indicators for early warning, prioritization procedures, and a description of procedures to mitigate the effects of an incident. When it comes to the classification of incidents, DORA sets forth certain factors to be considered regarding their severity:
- the number of customers/financial counterparts/transactions affected;
- impact on the company’s reputation;
- duration (including service downtime);
- geographical spread (especially if there is a cross-border impact);
- extent of data loss;
- criticality of the affected services for the company’s operations;
- economic impact.
Some materiality thresholds and reporting deadlines for the above points will be specified through technical standards by ESAs.
Financial entities are also required to report major ICT-related incidents to the supervisory authority, as well as the measures taken by the company to mitigate the effects of the incident. It also introduces the possibility of voluntarily reporting certain cyber threats that a company has identified if the company deems the threat relevant to the financial system or its clients.
Testing systems
Financial entities are required to carry out testing of their ICT systems in a preventive manner. Testing is intended for the company to identify weaknesses, deficiencies, and gaps in its resilience and to promptly implement corrective measures. Testing should be part of the ICT risk management framework and be risk-based and appropriate.
Most companies covered by DORA should carry out advanced testing, such as threat-led penetration testing, at least once every three years. This testing should focus on the company’s critical or important functions and should generally be conducted by external personnel.
The testing requirements may seem burdensome, although their scope has not yet been fully determined. However, DORA provides the possibility, under certain conditions, for financial entities to conduct joint testing of ICT systems used by multiple financial entities.
Management of ICT third-party risks
It is common for financial entities to use outsourcing for ICT services in their operations. A fundamental principle for such outsourcing is that the financial entity is always responsible for compliance with the regulations. DORA, therefore, requires;
- strategies for outsourcing in the ICT risk management framework;
- record-keeping on the use of various third-party service providers;
- reporting of outsourcing arrangements;
- risk assessments before entering into outsourcing agreements;
- monitoring of the ICT third-party service provider’s delivery of ICT services;
- and certain contractual provisions considered particularly important.
In the risk assessment of ICT third-party risks, special emphasis should be placed on possible concentration risks. Factors to be considered in this assessment include whether the ICT third-party service provider is easily substitutable or if several critical or important functions are outsourced to the same or closely connected ICT third-party service providers.
Financial entities should also assess the appropriateness of the supply chain; for example, a complex chain can affect the company’s (or the supervisory authority’s) ability to effectively monitor the agreed delivery. It is becoming increasingly important to have good control over outsourcing arrangements and maintain a clear register of both counterparties and their subcontractors.
ICT third-party service providers
DORA imposes on ESAs to introduce a classification of ICT third-party service providers that are considered critical to financial entities. The assessment is to be made from a system stability perspective, considering the system impact of a disruption in the services provided by the ICT third-party service provider on the stability, continuity, or quality of the provision of financial services in a broad sense.
Critical ICT third-party service providers will have a lead supervisory authority appointed to them, and in cases where they are part of a group, they must designate a legal person in the group to act as a focal point for communication with the lead supervisory authority. The Commission has been authorized to adopt delegated acts based on technical standards developed by European supervisory authorities to specify the criteria for the designation of critical ICT third-party service providers.
ESAs will annually publish a list of providers subject to the supervisory framework. Supervision will include, among other things, verifying whether the ICT third-party service provider has sound and effective rules and procedures for managing the ICT risk it may pose to financial entities. In order to carry out its mission, the supervisory authority has the right to request information, conduct investigations, and inspect the ICT third-party service provider.
Non-critical ICT third-party service providers will also be affected by DORA. Financial entities will be required to place increasingly detailed demands on their outsourcing arrangements. In addition, an ICT third-party service provider may be required to participate in its customers’ security tests and training efforts.
It is becoming increasingly clear that ICT security is something that needs to be taken seriously by any orgnaization that wants to be an ICT third-party service provider to a financial entity. It may also facilitate the consideration of how the contract terms required by DORA can be incorporated into the ICT third-party service provider’s general terms and conditions for its ICT services.
Arrangements for information exchange
Financial entities may engage in joint arrangements for the exchange of information and intelligence on cyber threats if the purpose of such arrangements is to enhance the digital operational resilience of companies and that due regard is given to the sensitivity of information, data protection and competition rules. If a financial entity will participate in such an arrangement, it is obliged to notify the supervisory authority.
Supervision and sanctions
FI will be the competent supervisory authority in accordance with DORA in Sweden. Administrative sanctions in connection with DORA include injunctions to cease actions that the authority considers to be in violation of DORA and to take measures, including financial measures, to ensure that a financial entity complies with legal requirements.
It is yet not clear whether any national, supplementary legislation regarding sanction possibilities will be introduced or whether FI’s intervention possibilities under existing legislation are considered sufficient.
Companies affected by DORA have until the beginning of 2025 to meet the requirements. The initial drafts of technical standards are currently in consultation and are expected to be submitted to the Commission for adoption on January 17, 2024. The next round of technical standards is expected to be adopted by the Commission on July 17, 2024. Hence, a draft proposal to be submitted for consultation in the first quarter of 2024 can be expected.
Philip Heilbrunn, partner, heads the Banking & Finance, Financial Services and Fintech departments in Sweden, Eversheds Sutherland. Sara Malmgren is a partner with extensive experience in providing IT-law advice with a focus on complex commercial contracts as well as privacy and security compliance; and Mattias Dacker is a principal associate working in the Banking & Finance group in the same office.
Disclaimer
Please note that this article is not designed to provide legal advice and it is advisable to consult with local legal counsel before any actual undertakings.
Eversheds Sutherland takes all reasonable care to ensure that the materials, information and documents, including but not limited to articles, newsletters, reports and blogs (“Materials”) on the Eversheds Sutherland website are accurate and complete. However, the Materials are provided for general information purposes only, not for the purpose of providing legal advice, and do not necessarily reflect the present law or regulations. The Materials should not be construed as legal advice on any matter. The Materials may not reflect the most current legal developments. The content and interpretation of the Materials and the law addressed in the Materials are subject to revision.
No representation or warranty, express or implied, is made as to the accuracy or completeness of the Materials and therefore the Materials should not be relied upon. Eversheds Sutherland disclaims all liability in respect of actions taken or not taken based on any or all of the contents of the Materials to the fullest extent permitted by law. The Materials are not intended to be comprehensive or to include advice on which you may rely. You should always consult a suitably qualified lawyer/attorney on any specific legal matter.
Any views expressed through the Materials are the views of the individual author and may not reflect the views of Eversheds Sutherland or any other individual lawyer/attorney.