A proposed text of the Digital Operational Resilience Act (DORA) was first published two years ago. At the time, the entry into force of DORA seemed a long way off. Meanwhile, the legal framework, which aims to ensure greater digital resilience among financial institutions in European member states, is beginning to take clear shape.
On 23 June 2022, the compromise text of DORA was published. This proposal is likely to contain the final text of the European law/regulation. High time, therefore, to start looking into DORA and its impact on your organisation.
DORA is a package of measures to promote digital innovation in the financial sector while mitigating the resulting risks. It is the first legal framework on ICT resilience for many types of organisations and for the regulator, giving concrete substance to the ‘controlled operations’ standard for this topic. DORA builds on existing legal requirements in the field of ICT risk management and brings them together, with the aim of greater harmonisation across the EU, its regulators and its financial enterprises.
DORA is divided into five substantive chapters. Each chapter contains various requirements that financial institutions have to comply with.
| Chapter | Subject | Purpose |
|---|---|---|
| Chapter II (art. 4-14) | ICT Risk Management, consisting of a Governance section and an ICT Risk Management section | Ensuring financial enterprises have adequate ICT risk management in place |
| Chapter III (art. 15-20) | ICT-related incidents: management, classification and reporting | Securing an adequate process/procedure for reporting, addressing and managing all ICT-related incidents |
| Chapter IV (art. 21-24) | Testing Digital Operational Resilience | Financial enterprises become responsible for continuously testing and assessing the adequacy of measures and the resilience of ICT systems to uncover potential vulnerabilities |
| Chapter V (art. 25-39) | Management of third-party provider ICT risk: Section 1: basic principles for sound third-party provider ICT risk management; Section 2: supervisory framework for critical third-party providers of ICT services | Ensure that financial enterprises set up thorough monitoring of ICT risk from third-party providers (ICT service providers, cloud service providers, etc.) |
| Chapter VI (art. 40) | Information exchange arrangements | The regulation allows information sharing between companies on cyber threats |
The next question, of course, is whether DORA also applies to your company. Article 2(1) lists the financial institutions to which the Regulation applies. Paragraph 3 of the same article lists excluded firms. This list is considerably shorter. However, it does exclude, for example, AIFMD-light managers. Also, DORA does not apply to credit providers, financial service providers that advise or mediate on credit, and statutory auditors and audit firms. The latter category was still in scope in the previous version of DORA.
The table below shows which organisations DORA does and does not apply to.
| Applicable to | Not applicable to |
|---|---|
| Providers of asset-referenced tokens | AIFMD-light managers |
| Account information service providers | Institutions for occupational retirement provision with fewer than 15 members in total |
| Alternative investment managers | Natural or legal persons exempted from MiFID II (Directive 2014/65/EU) under Art. 2 and 3 |
| Key benchmark managers | Insurance undertakings meeting the condition in Art. 4 of Directive 2009/138/EC |
| UCITS managers | Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries classified as micro, small or medium-sized enterprises |
| Central securities depositories | |
| Crowdfunding service providers | |
| Crypto service providers | |
| Data reporting service providers | |
| Third-party providers of ICT services | |
| Electronic money institutions | |
| Institutions for occupational retirement provision | |
| Credit rating agencies | |
| Insurance and reinsurance companies | |
| Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries | |
The European legislative process does not differ much from that of the Netherlands, in the sense that compromises are made. It therefore regularly happens that the first proposal for new regulations is adopted in a modified version. At the end of June, the so-called ‘compromise text’ of DORA was published. The compromise text introduced a number of changes.
The most important change is the addition of the proportionality principle, which can be found in section 3a. When implementing the requirements of chapter II (ICT Risk Management), the size, nature and complexity of the organisation and its services may be taken into account in relation to its overall risk profile. In Chapter III (ICT Incident Management), Chapter IV (Digital Operational Resilience Testing) and Section 1 of Chapter V (ICT Risks Third Party Providers) this may also be done, but only as specifically provided for in those chapters. It is up to the regulators to consider whether the firms have applied the proportionality principle correctly, by assessing the ICT risk framework.
Article 14a is entirely new and describes a simplified approach to the ICT risk management framework for organisations where Articles 4 to 14 do not apply. These include the ‘small and unconnected investment firms’, so-called category 3 investment firms. They do need to implement an ICT risk framework showing that key ICT risks are managed and assessed (on a periodic basis).
A second important change is the moment at which firms must comply with the requirements of DORA. In the first proposal, this was 12 months after entry into force, but this has now been extended to 24 months. Given the major impact of DORA, this extra time is no unnecessary luxury.
On top of this, the European regulators (ESAs) still have to develop some ‘Regulatory Technical Standards’ to give the market more direction on the interpretation of certain articles. Think, for instance, of standards on ICT incident reporting.
Finally, several substantive changes and additions have been made. One of these is the obligation for companies to carry out a Business Impact Assessment as part of the Business Continuity Policy.
A second substantive change is that ICT incidents as well as cyber threats must now be classified and reported to the regulator. For ICT-related incidents, this was already the case. The ESAs will also develop Technical Standards for this.
On 17 January 2025, DORA will become applicable. Financial entities will then have to be compliant with DORA and the regulatory technical standards still being developed by the European Supervisory Authorities. We advise you to start implementing DORA now.
The arrival of DORA puts an end to the fragmentation of legal obligations for ICT processes and security. We would like to help you understand the underlying requirements, and what impact DORA will have on your organisation.
Over the coming months, we will explain this comprehensive package of measures to you step by step. Among other things, we will discuss the Regulatory Technical Standards yet to be developed, the approach to Digital Operational Resilience Testing and the interpretation of ICT risk management. Would you like to stay up to date with our publications? Then sign up for our monthly newsletter.