EU's DORA regulation explained: New risk management requirements for financial firms

The proposed Digital Operational Resilience Act includes new incident response and third-party risk requirements for financial firms operating within the EU. Passage is expected, so plan now.

In October 2020, the European Union (EU) published draft legislation to codify how financial firms manage digital risk. Announced as part of the EU’s new Digital Finance Strategy, the proposed Digital Operational Resilience Act (DORA) is designed to “consolidate and upgrade ICT [information and communications technology] risk requirements” across the financial entities to ensure all firms are “subject to a common set of standards to mitigate ICT risks.”

This broad set of rules could affect almost all corners of the financial sector in businesses large and small. For many firms, the proposed legislation may be less burdensome than current requirements and merely solidify current resilience efforts. 

What is the Digital Operational Resilience Act (DORA)?

In February 2020 Europe’s systemic risk watchdog warned that a single cyber incident could lead to a systemic crisis that threatens financial stability. As financial firms rely more on their digital systems, the EU decided it should compel firms to ensure those operations are as resilient as possible.

The proposed act covers financial firms of almost all sizes across every sector of the finance industry, from credit institutions and investment funds to crypto-asset service providers. The aim is to create a single legislative act addressing ICT risk in finance across the union. The EU says DORA will reduce regulatory complexity—which is currently spread over regulations such as CRD IV, PSD2, Solvency II, EMIR and MIFID plus local requirements and overseen by a number of different bodies—and lower the financial and administrative burdens caused by the current patchwork of regulations.

The act covers these areas of ICT risk management:

Risk management: Firms would be required to set up and maintain resilient ICT systems and tools to identify and minimize ICT risk on a continuous basis, set up protection and prevention measures, and establish dedicated and comprehensive business continuity policies and disaster recovery plans.

Incident reporting: The act would require firms to establish and implement a management process to monitor, classify and report major ICT-related incidents to competent authorities (as defined under the NIS Directive).

Digital operational resilience testing: Firms would be required to test the operational resilience of capabilities and functions included in the ICT risk management framework to identify weaknesses, deficiencies or gaps. These tests would include vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source-code reviews, scenario-based tests, compatibility testing, performance testing, and penetration testing.

ICT third-party risk: As well as requiring firms to assess, monitor and document ICT third-party risk and ensure all contracts with such parties state their obligations under the act, DORA would also require critical ICT third-party service providers in the financial sectors to adhere to an oversight framework.

Intelligence sharing: DORA would allow and encourage financial entities to set up arrangements to exchange cyber threat information and intelligence amongst themselves.

Farhan Chaudhry, a technology executive and, until recently, CIO at State Street Corporation, says the DORA proposals formalize what firms are maturing toward. But DORA's impact will vary depending on the size and maturity of the firms in question.

“The DORA establishes a clear focus for driving maturity of cyber, operational and technology resiliency,” Chaudhry says. It brings together recent regulatory initiatives such as the European Banking Authority [EBA] guidelines on outsourcing arrangements and ICT and security risk management. DORA also aligns with Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) requirements to strengthen operational resilience in the financial services sector, he adds.

Which firms are affected by DORA?

Types of firms listed as being under DORA’s scope include:

  • Credit institutions
  • Payment institutions
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Trade repositories
  • Managers of alternative investment funds and management companies
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance, re-insurance and ancillary insurance intermediaries
  • Institutions for occupational retirement pensions
  • Credit rating agencies
  • Statutory auditors and audit firms
  • Administrators of critical benchmarks
  • Crowdfunding service providers

“DORA is really an evolution of other standards and frameworks laid out in other parts of the sector and industry,” says Mike Butler, an independent resilience expert and advisor to orchestration startup Cutover. “There has so far been a fairly muted response from the industry. This was expected and is really the next iteration in a long line of EU legislation and a long line of standards and regulatory frameworks.”

Butler sees DORA having limited impact on most multinational banks because they already have strategies that incorporate operational resilience enhancements. “For smaller banks, fintechs, insurance firms, fund and wealth management firms, this could be a material change in strategy and divert funding away from business growth to rebuild the foundations of the firms,” he says, “but also an opportunity to use the regulatory ‘stick’ to deliver new resilient and secure technologies that will ultimately give the firm the ability to scale for the future.”

DORA and third-party risk

One of the most noteworthy aspects of DORA is its focus on third-party risk. The EU says that despite the financial sector’s increased reliance on IT firms, there is a lack of specific powers to address ICT risks arising from those third parties. The act would put critical ICT third-party service providers into the scope of regulators and subject them to an oversight framework at the EU level.

“DORA continues the impetus over the past decade in outsourced and third-party governance,” says Chaudhry, “with a focus on chain outsourcing and resiliency, with clarity that critical ICT third-party providers, including cloud service providers, need to be within the regulatory perimeter.”

Under these rules, European Supervisory Authorities (ESAs) would have the right to access documents, carry out inspections, and subject third parties to fines if deemed necessary. The fine will be 1% of the average daily worldwide turnover of the service provider in question for the preceding business year and issued daily for up to six months. The criteria for what would constitute an “essential” third party have not been defined yet.

William Rimington, managing director at Kroll’s Cyber Risk Practice, says that DORA’s focus on third-party IT suppliers is welcome and providing the scrutiny and authority to ensure suppliers' security ducks are in a row amounts to “fantastic support” for the financial services industry. “We've got third-party assurance standards—the SOC2-type standards—I'm sure those vehicles can be adapted and adopted to meet these regulations as they evolve,” he says. “I don't think anything there will be particularly new or different in terms of when financial institutions get their third-party suppliers audited and so on, but it will drive consistency in the behaviors and make sure that's been done to a standard consistently, which as consumers should give us all a bit more comfort.”

In its analysis of the regulation, Deloitte said that most firms in the sector will welcome the introduction of an oversight framework as it will provide more legal certainty around what is permissible, a level of assurance on the security of their assets in the cloud, and likely increase firms’ confidence and appetite for transitioning some of their activities to the cloud.

Anton Konopliov, founder and CEO of Palma Violets Loans, however, warns that while the proposed rules are beneficial for reducing risk they could “cause chaos” for many firms both on the customer and vendor side around budgets and contractual obligations. “Once passed, the Act will limit the contractual arrangements that financial entities can enter with ICT service providers,” he says. “Financial firms will also no longer have the freedom to curate their own contractual terms with IT third-party service providers. These stricter changes are expected to cause a surge in the prices of availing ICT third-party service providers. It will dismantle financial entities’ budgets.”

Incident reporting and threat sharing

As part of the incident reporting requirements, firms will have to provide root-cause analysis reports no later than one month after a major ICT incident occurs. As well as aiming to provide a standardized template for incident reporting across the financial sector in Europe, the act also potentially lays the groundwork for the establishment of a single hub for incident reporting by financial firms.

“The focus to harmonize ICT incident classification and reporting, resiliency testing and risk management rules is a welcome next step as we strengthen the operational resilience of the financial sector and of the individual firms within it,” says Chaudhry. “DORA builds on the TIBER-EU (European framework for threat intelligence-based ethical red-teaming), which is inspired from CBEST and other initiatives and further drives guidance on digital operational resilience testing. Coupled with NIST, firms have a clear set of standards, and threats to drive capabilities and consider from a cyber, technology and operational resiliency perspective.”

When will DORA be adopted in law?

In a blog post, Anna Carrier, Norton Rose Fulbright’s senior government and regulatory affairs advisor, said the draft legislation will next be transferred to the European Parliament and to the Council of Ministers for review, amendments and adoption. Reviews of such legislation can take between 18 and 24 months, followed by a transition period that will be prescribed in a final legal act.

Jim Pendergast, senior vice president of altLINE, a division of The Southern Bank Company, says that though DORA is still in its draft form many industry finance experts are preparing for it to be approved and adopted, and adds that it could inspire similar requirements in the US. “We tend to see digital and cyber regulations piggyback off one another, especially between the EU and the US,” he says. “Though expect that to take place over years, not months.”

Copyright © 2020 IDG Communications, Inc.
