Digital Operational Resilience Act (DORA)

Kris Spartanska
August 13, 2024

The Digital Operational Resilience Act (Regulation (EU) 2022/2554), commonly known as DORA, was adopted as part of the Digital Finance Package. It is a European Union (EU) regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. For convenience, the act will also be referred to as “the Regulation”, “DORA” and/or “the Act” in this blog.

In this blog, we will cover the most significant aspects of DORA and their relation to blockchain, crypto-assets and the newly adopted Markets in Crypto-Assets Regulation (MiCA).

General Overview and Aim of DORA

DORA has been in force since January 2023; however, it will only become fully applicable on January 17th, 2025.

Article 1 states that, in order to achieve a high common level of digital operational resilience across the EU, the Regulation lays down uniform requirements concerning the security of the network and information systems supporting the business processes of financial entities. These aims are to be achieved first of all by imposing strict rules on financial entities, including:

  1. information and communication technology (ICT) risk management;
  2. reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
  3. reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d);
  4. digital operational resilience testing;
  5. information and intelligence sharing in relation to cyber threats and vulnerabilities;
  6. measures for the sound management of ICT third-party risk.

Article 1 further establishes that the Regulation also covers requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities; rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities; rules on cooperation among competent authorities; and rules on supervision and enforcement by competent authorities.

DORA also sets obligations regarding the management, classification and reporting of ICT-related incidents; the testing of digital operational resilience, which should follow a risk-based approach and be conducted by an independent party; and relations with third-party service providers and the measures that must be followed in that context.

Article 3 lists the definitions used in DORA. Some of these are commented on below because of their significance for the proper implementation and understanding of the Act.

According to the Regulation, ‘ICT services’ means “digital and data services provided through the ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which include the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”. The Regulation does not provide any further breakdown of ICT services. However, for the purpose of data collection and to facilitate the analysis, the ESAs used the following seven ICT service categories in their report on ICT third-party providers:

  • software and application services (IT development; off-the-shelf software packages, licensing, and installation thereof, etc.);
  • network infrastructure services (excluding telecommunication services);
  • data centre (physical data centre space and basic utilities);
  • ICT consultancy and managed ICT services;
  • information security and cybersecurity services (including control and monitoring, penetration testing, security operations centre, etc.);
  • cloud computing (covering all service models and types);
  • data analysis and other data services (provision of data, data entry, data storage, data processing and reporting services, data monitoring, as well as data-based business and decision support services).

Chapter II of the Act is dedicated to ICT risk management. One of the first obligations mentioned here is the establishment of an “internal governance and control framework that ensures an effective and prudent management of ICT risk” (Art. 5, para. 1), while para. 2 sets out the responsibilities of the management body. These include ensuring adherence to high standards of availability, authenticity, integrity and confidentiality of data; setting clear roles and responsibilities for all ICT-related functions; and approving, overseeing and periodically reviewing the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans.

Relation to crypto-assets and crypto-asset service providers (CASPs)

Without a doubt, DORA imposes new and rigorous obligations on CASPs. Art. 2 explicitly states that the Regulation applies to crypto-asset service providers and issuers of asset-referenced tokens as defined under MiCA.

What is more, attention is also drawn to cryptographic keys and cryptographic techniques and procedures, so that all aspects of digital operational resilience are covered.

Exemptions from the scope are also explicitly listed in Article 2, para. 3, to bring clarity and ensure uniform application of the Regulation. Examples include insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries that are microenterprises or small or medium-sized enterprises. It should be noted, however, that DORA is linked to numerous other EU acts, which must be followed if an entity wishes to fall within the scope of the exemptions.

Furthermore, despite its wide-ranging application, DORA incorporates the principle of proportionality. Size, risk profile, scope of business, and the complexity of operations and services are just some of the criteria that will be taken into consideration when determining how the Regulation applies to a specific entity. Based on the list of exemptions as well as on the proportionality principle, it might appear that DORA in its full scope will apply only to the biggest and most “significant” financial institutions.

Implementation and guidelines

  1. European Supervisory Authorities (ESAs):

The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), collectively known as the ESAs, have already

  2. The Netherlands:

For entities operating in the Netherlands, it is important to mention that the Dutch Authority for the Financial Markets (AFM) has already published three papers aimed at delivering the necessary information in a short and understandable manner so that it can be easily applied by the obliged entities. The first one provides a general overview of the Regulation and explains concepts such as ICT risk, the related incident management, and digital operational resilience testing. The second one is dedicated to the management of ICT risk arising from third-party providers; it also includes practical tips on the clauses that must be present in the agreement between the service provider and the obliged entity in order for the latter to be fully compliant with DORA. The third, and for the moment the last, dives deep into ICT risk management and business continuity management.

The most useful feature of these papers is that, in addition to the guidelines, they explicitly state timelines and deadlines, so that one does not get lost in the numerous paragraphs of the Act itself. The AFM and the Dutch National Bank are expected to jointly supervise compliance with the Regulation.

  3. Germany:

Germany has also provided information about DORA and its implementation at the national level.

It should be noted that German legislation already imposes obligations on the financial sector in regard to ICT risk management, which should allow for a swift adaptation to DORA.

  4. Future Development:

If you are implementing DORA, you must also monitor the developments around the proposed Financial Data Access (FiDA) regulation. You can read the official paper here.

The European Systemic Risk Board (ESRB) has also published the paper “Advancing macroprudential tools for cyber resilience – Operational policy tools, April 2024.”

According to the paper, the pan-European systemic cyber incident coordination framework (EU-SCICF) should build on the Digital Operational Resilience Act (DORA) for the financial sector and should complement existing frameworks (e.g. those related to financial and cyber incidents) as well as the Network and Information Security (NIS2) Directive and the Resilience of Critical Entities Directive (CER).

The final versions of the related Regulatory or Implementing Technical Standards (RTS and ITS) are also expected:

First batch:

Second batch – the consultation phase has already been concluded and, as a result, the following drafts were adopted:

  • Consultation of the RTS on Threat Led Penetration Testing (Art. 26 para. 11)
  • Consultation of the RTS on the specification of elements in the subcontracting of critical or important functions (Art. 30 para. 5)
  • Consultation of the RTS to determine the reporting of major ICT incidents (Art. 20.a)
  • Consultation of the ITS to determine the details of the reporting of major ICT-related incidents (Art. 20.b)
  • Consultation of the GL for cooperation between the ESAs and the CAs on the structure of supervision (Art. 32 para. 7)
  • Consultation of the RTS on the harmonisation of the conditions for carrying out surveillance activities (Art. 41)

The feedback on the drafts will now be evaluated by the European working groups, with the aim of sending the final drafts to the European Commission by 17 July 2024. All of these new requirements mean that obliged entities must plan accordingly, since a lot of time and human resources will be needed for the implementation of DORA.
