
Cyber Risk for Financial Institutions: Preparing for the EU Digital Operational Resilience Act

The EU’s proposed Digital Operational Resilience Act (DORA) is designed to consolidate and upgrade information and communications technology (ICT) risk requirements. It seeks to subject all financial entities to a common set of standards, with the aim of mitigating risk. 

The draft legislation is part of a broader digital finance strategy that seeks to establish a global digital operational resilience framework for the EU’s 27 members, with rules for all regulated financial institutions.

The amending directive, as well as Chapter IX of DORA, will introduce specific changes to existing financial services legislation as obligations of the new regulations in those frameworks flow through. 

Four ways DORA aims to improve digital resilience

In a report published in February 2020, the European Systemic Risk Board (ESRB) identified cyber risk as a systemic exposure to the financial system that could have serious negative consequences for the world economy.

DORA is intended to improve digital operational resilience in four ways.

1. ICT risk management

DORA sets out key principles around internal controls and governance structures. An entity's senior management will be expected to be responsible for defining, approving, overseeing, and being accountable for a firm's ICT risk management framework.

To keep pace with a quickly evolving cyber threat landscape, entities are required to:

  • Establish and maintain resilient ICT systems and tools to minimise the impact of an event, identify on a continuous basis all sources of risk, and set up protection and prevention measures to promptly detect anomalous activities.
  • Put in place dedicated and comprehensive business continuity policies. These should include disaster and recovery plans, which will help to restart operations following ICT-related incidents, such as cyber-attacks, by limiting damage and prioritising safe resumption of activities. 

DORA also covers the integrity, safety, and resilience of physical infrastructures and facilities that support the use of technology, and relevant ICT-related processes and people, all of which are part of a financial entity’s digital footprint.

These requirements, inspired by relevant standards, guidelines, and recommendations, revolve around specific ICT risk management functions, including: identification, protection and prevention, detection, response and recovery, learning and evolving, and communication.

2. Classification and notification of ICT-related incidents

DORA seeks to harmonise the reporting of ICT-related incidents by: 

  • Establishing and implementing a management process to monitor and log ICT-related incidents, followed by an obligation to classify them based on materiality.
  • Reporting major ICT incidents only to a competent authority using a standardised, common template. The affected entities would submit initial, intermediate, and final reports, and inform their users and clients when the incident has or may have an impact on their financial interests. 

Competent authorities should provide pertinent details of the incidents to other institutions or authorities, such as the European Supervisory Authorities (ESA), European Central Bank (ECB), and the single points of contact designated under the Directive (EU) 2016/1148.

3. Advanced digital operational resilience testing

The functions included in the ICT risk management framework need to be tested periodically to assess preparedness, to identify weaknesses, and ensure corrective measures are implemented promptly.

DORA allows for a proportionate application of digital operational resilience testing requirements, depending on a financial entity’s size, business, and risk profile. While all entities should test ICT tools and systems, only those identified by competent authorities as significant and cyber mature should be required to conduct advanced threat-led penetration testing (TLPT). DORA also sets out requirements for testers and for the recognition of TLPT results across the EU for financial entities operating in several member states.

Every three years, the processes, systems, and technologies that support essential functions and services should be tested. Tests can include: vulnerability explorations, network security assessments, scenario-based testing, physical security, compatibility and penetration tests, and source code security tests. 

4. Third-party risk and ICT service provider regulation

DORA seeks to establish sound monitoring of third-party ICT risk.

The regulation harmonises key features of financial entities’ relationships with ICT third-party providers and services. These elements cover minimum positions deemed crucial to enabling a complete monitoring by the financial entity of ICT third-party risk throughout all stages of a relationship.

Finally, the regulation promotes convergence on supervisory approaches to ICT third-party risk in the financial sector by subjecting critical providers to an EU oversight framework, which can be summarised as having three phases:

Phase 1: Designation of critical ICT third-party service providers by the ESA.

Phase 2: Appoint either the European Banking Authority (EBA), European Securities and Markets Authority (ESMA), or European Insurance and Occupational Pensions Authority (EIOPA) as lead overseer. The ESA designated as lead overseer for a critical ICT third-party service provider will have the power to ensure that technology service providers that fulfil a critical role to the financial sector are adequately monitored at a pan-European level.

Phase 3: Supervision by the lead overseer, which has the right to inspect, investigate, request information, and make recommendations.

The oversight framework envisaged by DORA builds on the existing institutional architecture in the financial services area, whereby the ESA joint committee ensures coordination in relation to all matters on ICT risk. The committee is supported by the relevant subcommittee (Oversight Forum), which carries out preparatory work for individual decisions and collective recommendations to critical third-party providers.

DORA timeline

DORA will affect a wide range of financial organisations

Within the financial sector, a range of institutions will be affected by and should be preparing for DORA’s implementation:

  • Regulated financial institutions, including traditional institutions, such as credit institutions, payment institutions, and insurers, and crypto-asset service providers (CASP), issuers of crypto-assets, and electronic money entities.
  • Other financial information managers, including data information service providers, credit rating agencies, legal auditors, and auditing companies.
  • ICT service providers, including ICT third-party providers and providers of digital and data services, cloud services, software, data analytics services, and data centres.

This is a marketing communication and should not be relied upon as legal advice.