New obligations

DORA brings a number of new obligations for financial institutions which – in short – can be categorized as follows:

Governance & organisation

Financial institutions are required to follow key principles for their internal control and governance structures, including responsibility for the ICT risk management framework at management board level.

ICT risk management framework

Financial institutions must have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which is periodically reviewed and audited.

ICT-related incident reporting

DORA will provide for consistent and – if applicable – expedited reporting in relation to ICT-related incidents. Incidents qualifying as “major” fall within strict timelines for the reporting requirement to the competent authorities. These notification requirements will require financial institutions to review and update their current internal incident reporting processes and, where relevant, outsourcing arrangements.

Digital operational resilience testing

To ensure digital operational resilience, financial institutions are required to implement robust and comprehensive testing plans within their firm. In certain cases, advanced testing is required, including the application of threat-led penetration (PEN) testing at least every three years (higher frequencies may be requested by the authorities).

ICT third-party risk management

DORA aims to control ICT third-party risk by (i) setting principle-based rules for monitoring the risk related to outsourced tasks and (ii) requiring outsourcing agreements to comply with certain minimum contracting requirements (inter alia, on access to, recovery and return of data, service levels, ICT incident assistance and termination, and participation in threat-led penetration (PEN) testing). DORA also introduces a framework for supervision of critical third-party service providers by the European Supervisory Authorities (ESAs).

Information sharing

In an effort to have financial institutions help each other, information sharing in relation to cyber threats between institutions is allowed, subject to certain conditions.

Timeline

The European Parliament adopted DORA in November 2022. The regulation and the related directive are expected to be published in the Official Journal in early 2023 and will apply 24 months following publication.

As a result, DORA is expected to enter into force early 2025.

What now?

In order to comply with DORA, financial institutions will, inter alia, have to:

  • review and increase the resilience level of their current ICT landscape;
  • review and update their internal policies, procedures and governance and control framework implementing the requirements in DORA (whereby the management body must be involved to define, approve, oversee and be (ultimately) responsible);
  • define, establish and implement an ICT-related incident management process to detect, track, log, categorise, classify and notify ICT-related incidents in accordance with DORA; and
  • ensure that any contractual (outsourcing) arrangements comply with DORA.

DORA will therefore have a high impact and will require significant efforts to ensure timely compliance by qualifying financial institutions, their counterparts and ICT third-party service providers.

It is therefore time to start preparing for DORA!

Please feel free to reach out to our DORA Client Team on how to best implement DORA.

What is DORA?

The Digital Operational Resilience Act (DORA) is the new European legislation aiming to increase the digital resilience (i.e. the security of network and information systems, including throughout disruptions) of financial institutions within the European Union and mitigate the risks associated with outsourcing to third-party service providers.