What happened?

On 16 January 2023, the Digital Operational Resilience Act (DORA)1 entered into force, after two years of negotiation by the European Union's legislator. DORA's primary objective is to strengthen the ICT security of financial entities. By harmonising the rules across the EU, DORA aims to ensure that the European financial sector remains resilient when confronted with severe operational disruptions.

In Luxembourg, the Commission de Surveillance du Secteur Financier (CSSF) had already implemented many rules on ICT and security risk management.2 The CSSF has been actively preparing for the entry into application of DORA by monitoring, ahead of time, the readiness of Luxembourg financial institutions to comply with DORA's requirements.

In-scope entities and date of application

DORA will apply to most EU financial entities, including credit institutions, payment institutions, electronic money institutions, investment firms, UCITS management companies, alternative investment fund managers (AIFMs) and insurance companies, and will also reach ICT third-party service providers (including providers of cloud computing services, software, data analytics services and data centres).

To take into account the variety of players involved, and their diverse nature and size, DORA provides for a proportionality principle.

In-scope entities will have to be digitally and operationally resilient by 17 January 2025, DORA's date of application.

Definition of digital operational resilience

DORA defines digital operational resilience at length as "the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions".3

In other words, digital operational resilience means the ability of a financial entity to build, maintain and adapt, directly or with the help of ICT third-party service providers, secure, reliable and robust ICT risk management procedures.

Key obligations imposed by DORA

Building on existing ICT risk management rules, DORA strengthens the roles and responsibilities of in-scope entities through five pillars, as follows.

1. ICT risk management – governance and organisation

Management bodies of financial entities will play a central role in ensuring compliance with DORA's requirements, as they will be responsible for defining, approving and overseeing the internal governance and control framework for ICT risk. They must ensure the effective and prudent management of ICT risk through a sound, comprehensive and well-documented ICT risk management framework.

2. ICT-related incident management, classification and reporting

Financial entities will have to define, establish and implement ICT-related incident management processes to detect, manage and report ICT-related incidents. To protect the integrity and resilience of their processing systems, they must record and classify ICT-related incidents and, on a voluntary basis, significant cyber threats, using the classification criteria set out in DORA. The reporting of major ICT-related incidents will be harmonised at EU level through common reporting templates, and the European Supervisory Authorities are to assess the feasibility of further centralisation through a single EU Hub for major ICT-related incidents reported by financial entities.

3. Digital operational resilience testing

Financial entities will have to conduct appropriate testing, at least yearly, of the ICT systems and applications supporting critical or important functions. Weaknesses revealed by such testing will have to be prioritised, classified and fully remediated. Entities identified by the national competent authority as meeting certain thresholds of systemic importance and maturity will have to carry out "advanced" threat-led penetration testing (TLPT) at least every three years.

4. Management of ICT third-party risk

As an integral part of their ICT risk management framework, financial entities will have to manage the risks arising from ICT third-party service providers. They will have to assess the resilience of the providers supporting their critical or important functions and ensure that their contractual arrangements for the use of ICT services meet DORA's requirements, while remaining fully responsible for their ICT third-party risk strategy, their policy on the use of ICT services supporting critical or important functions and the register of information on all such contractual arrangements. Contractual arrangements for the use of ICT services provided by third-party service providers will have to include certain key contractual provisions.4 Financial entities will also have to notify their competent authority of planned contractual arrangements concerning critical or important functions.5

5. Information-sharing arrangements

Financial entities may exchange amongst themselves cyber threat information and intelligence, subject to DORA's conditions, to the extent that such sharing aims to enhance their digital operational resilience.

Anticipation of DORA by the CSSF

On 3 April 2023, the CSSF addressed a compliance preparation survey to a certain number of investment fund managers, enquiring about the gaps identified and mitigation plans for each pillar of DORA. This survey had to be completed and returned by 15 June 2023.

On 5 January 2024, the CSSF published Circular CSSF 24/847 on the ICT-related incident reporting framework6 together with a related FAQ. The circular expands the range of ICT incidents to be reported to the CSSF, which was previously limited to "frauds and incidents due to external computer attacks". Circular 24/847 accordingly repeals and replaces Circular CSSF 11/504 on frauds and incidents due to external computer attacks as of 1 April 2024. Supervised entities will be required to classify ICT-related incidents according to the criteria set out in Circular 24/847 and to notify major or significant incidents to the CSSF.

Circular 24/847 will enter into force on 1 April 2024 for all supervised entities and on 1 June 2024 for management companies and AIFMs.

The interplay between DORA, the GDPR and NIS 2

While DORA does not supersede the data protection rules set out in the General Data Protection Regulation (EU) 2016/679 (GDPR), it is not intended to operate in isolation. DORA complements the GDPR, as the two regulations share common goals: ensuring the security, confidentiality and integrity of (personal) data, and overseeing third-party service providers that process (personal) data on behalf of a principal. The GDPR focuses on the protection of personal data, whereas DORA addresses operational resilience. The challenge for in-scope entities will be to integrate ICT risk management and (personal) data protection principles into one comprehensive decision-making process.

On 18 September 2023, the European Commission published its Guidelines on the application of Article 4(1) and (2) of Directive (EU) 2022/2555 (NIS 2).7 Under Article 4(1) of NIS 2,8 where sector-specific legal acts of the EU require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in NIS 2, the relevant provisions of NIS 2, including those on supervision and enforcement, do not apply to those entities. The guidelines identify DORA as such a sector-specific legal act, confirming that DORA applies as lex specialis to financial entities.

Conclusion

To best prepare for January 2025, entities and third-party service providers active in the financial sector must first assess whether they fall within the scope of DORA (and whether they may be identified as having systemic importance and maturity). In-scope entities must assess as soon as possible their ICT risk management framework and any existing ICT contractual arrangements. All of this is, of course, without prejudice to compliance with Circular CSSF 20/750 on ICT and security risk management, as amended, Circular CSSF 21/787 on major incident reporting under PSD2, Circular CSSF 22/806 on outsourcing arrangements, Circular CSSF 24/847 on ICT-related incident reporting, or Circular Letters 20/13 and 21/15 of the Commissariat aux Assurances on cloud computing and 22/16 on the outsourcing of critical or important operational functions, to name but a few ICT-related examples.

For more information on DORA and its future implementation, please contact our dedicated ICT, IP, media and data protection team.

Footnotes

1. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.

2. Such as Circular CSSF 22/806 on outsourcing arrangements or Circular CSSF 20/750 on requirements regarding information and communication technology (ICT) and security risk management.

3. Article 3(1) of DORA.

4. Article 30 of DORA.

5. Article 28(3) of DORA.

6. Please consult: https://www.cssf.lu/en/Document/circular-cssf-24-847/.

7. Please consult: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52023XC0918(01).

8. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148, to be transposed by Member States by 17 October 2024. On 21 February 2024, the Luxembourg Government Council approved the bill of law transposing NIS 2 into Luxembourg law. The bill will now go through the legislative process leading to its publication.
