Digitalisation of financial services has progressed rapidly in recent years with the result that financial entities have become increasingly reliant on technology and technology service providers to operate their businesses. This digital step change is increasingly attracting the attention of legislators and financial supervisors in the EU and one recent response from the European Commission was the proposed Digital Operational Resilience Act ("DORA").
DORA is a draft regulation published by the European Commission and forms part of the European Commission's wider Digital Finance Strategy to support the development of digital finance while mitigating associated risks. In particular, DORA is designed to uplift existing ICT risk management requirements for financial entities and to consolidate these requirements into a single legislative instrument. DORA will apply to a wide range of financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and re-insurance undertakings. Importantly, DORA will also result in major ICT service providers formally coming within the scope of supervision by the European Supervisory Authorities1 for the first time.
The current draft of DORA includes two distinct parts which are each considered below.
Key impact for financial entities
DORA is due to impose a range of ICT-related requirements on financial entities. The key requirements include:
ICT risk management: financial entities must maintain a sound, comprehensive and well-documented ICT risk management framework. This framework must include strategies, policies (including business continuity policies), procedures and tools to appropriately protect ICT infrastructure. This framework must also be reviewed and audited by the financial entity on an ongoing basis and steps must be taken by the financial entity to identify sources of ICT risk on an ongoing basis.
ICT-related incident reporting: financial entities must introduce and maintain processes for monitoring and logging ICT-related incidents. Financial entities will have to classify these incidents using a materiality threshold that is to be developed by a Joint Committee of the European Supervisory Authorities. All major ICT incidents will also need to be reported to the financial entity's national regulatory authority. Financial entities should also bear in mind that the obligation to report an ICT incident will be separate, and additional to, their reporting obligations under the General Data Protection Regulation where the ICT incident also constitutes a personal data breach.
ICT third party risk: specific contractual provisions must be included in the contract between the financial entity and its ICT service provider. Unlike EBA and EIOPA guidelines, DORA requires these contractual provisions be included in all contracts for ICT services and not just in contracts for "critical or important functions". DORA is also more prescriptive as to the provisions required in the contract between the financial entity and the ICT service provider. For example, DORA requires that a contractual obligation be imposed on the ICT service provider to provide assistance in respect of an ICT incident at no additional cost to the financial entity or at a cost determined by the parties in advance. It will be interesting to see how ICT service providers adapt to this obligation to provide assistance.
Information sharing: financial entities will be permitted to set up information exchange arrangements which are designed to support ICT risk awareness amongst them and to spread best practice within the financial services industry in relation to defensive capabilities and cyber-threat detection techniques. Such information exchange arrangements may also end up being supplemented and enhanced by increased information sharing and cooperation which is proposed under the draft NIS II Directive published by the European Commission on 16 December 2020.
Key impact for ICT service providers
Arguably, the impact of DORA will be just as significant for major ICT service providers given that it may result in such providers coming within the scope of supervision by the European Supervisory Authorities for the first time.
DORA envisages that the European Supervisory Authorities will designate certain ICT service providers as being "critical" to the proper operation of the financial sector. Once an ICT service provider is so designated, one of the European Supervisory Authorities will be appointed as Lead Overseer in respect of that ICT service provider. The Lead Overseer will assess whether the ICT service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which it may pose to financial entities. In the course of fulfilling its role, the Lead Overseer will have extensive rights to access information from the ICT service provider and will be able to conduct on-site inspections of the ICT service provider. The Lead Overseer will also be able to issue recommendations and instructions to the ICT service provider and require remedial action.
Significant penalties can also be imposed on the ICT service provider by the Lead Overseer for non-compliance. A daily penalty of 1% of the average daily worldwide turnover of the ICT service provider in the preceding business year can be applied by the Lead Overseer for up to six months. The Lead Overseer will also charge the ICT service provider oversight fees to cover the Lead Overseer's administrative costs of overseeing the ICT service provider.
DORA is currently progressing through the EU's ordinary legislative procedure and is likely to be subject to some change before it is finalised and comes into law. This final version of DORA is expected in the next 18 to 24 months. In the interim, it is important for financial entities and ICT service providers to be mindful of the significant change in regulatory requirements around operational resilience that is likely to be introduced by DORA and to begin assessing how this change will impact their ICT risk management framework.
Our team at Arthur Cox has significant experience in advising financial entities and ICT service providers on regulatory requirements relating to operational resilience. If you would like more information on DORA or any aspect of operational resilience regulation, please contact the authors of this briefing.
1 The European Supervisory Authorities are comprised of the European Banking Authority ("EBA"), the European Securities and Markets Authority ("ESMA") and the European Insurance and Occupational Pensions Authority ("EIOPA")
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.