Digital Operational Resilience Act (DORA)

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 ("DORA") is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025.

It aims to strengthen the IT security of financial entities such as banks, insurance companies and investment firms, and to make sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.

 

1. What is subject to DORA regulation?

DORA harmonises the rules on operational resilience for the financial sector across 20 different types of financial institutions, as well as for third-party ICT service providers.

 

2. Who is covered by DORA?

  • DORA covers more than 22,000 financial entities and ICT service providers operating across the EU. The regulation introduces specific and prescriptive requirements for all financial market participants, such as banks, investment firms, insurance and reinsurance companies, intermediaries, crypto-asset providers and cloud service providers.

 

  • It also covers critical ICT third parties that provide ICT-related services to financial institutions, such as cloud platforms, data analytics and audit services.

 

  • DORA provides a comprehensive framework for the effective management of ICT risk and cyber security, including the operational capabilities of ICT third-party providers.

 

  • DORA provides a very specific set of criteria, templates and guidelines that will shape the way financial organisations manage ICT and cyber risks.

 

  • The uniqueness of DORA lies in the introduction of a Union-wide framework for the supervision of critical ICT third-party providers.

 

 

3. What are the differences between NIS 2 and DORA?

Although the background to the publication of NIS 2 and DORA may appear similar at first sight, the two EU laws have different objectives and differ in other respects. What exactly are these differences, and which of the two pieces of legislation applies?

 

a) Legal form

 

  • NIS 2 – Directive

 

NIS 2 as a directive sets out certain objectives that must be achieved. However, it is not directly applicable; each EU Member State is free to determine how it transposes the content of the Directive into national law.

 

  • DORA – Regulation

 

Unlike a directive, a regulation such as DORA comes into force simultaneously for all Member States at a certain time. It is binding and must be enforced unchanged.

 

b) Different objectives

 

  • NIS 2

 

NIS 2 was adopted to standardise the overall level of cyber security in the EU. The aim of NIS 2 is to ensure that entities essential to the proper functioning of our society achieve a high level of digital security.

 

  • DORA

 

DORA, in turn, focuses on strengthening the operational resilience and security of digital systems in the financial sector.

 

The different objectives are also reflected in how similar requirements are expressed in each law. To illustrate, a few examples:

 

  • NIS 2 focuses on supply chain security, while DORA focuses on risk management of third-party ICT providers.

  • NIS 2 provides for high and already defined financial penalties for non-compliance. In contrast, DORA leaves the assessment of sanctions to the Member States and their competent authorities.

  • Entities covered by the NIS 2 Directive must demonstrate compliance every 2 years through a security audit. In contrast, DORA sets even stricter requirements for security audits: penetration testing based on a specific threat must be carried out at least once every 3 years, and a resilience testing programme at least once a year.

 

4. What regime should apply if the company is subject to both NIS 2 and DORA?

If your company is part of the financial sector and therefore falls under both scopes, which legislation will prevail, DORA or NIS 2?

 

DORA is lex specialis for financial sector entities, which means that, in practice, the requirements of DORA take precedence over any overlapping regulatory texts such as NIS 2.

 

5. The 5 pillars of the DORA Regulation

The regulatory substance of DORA is divided into 5 main pillars, which address different aspects and areas within ICT and cyber security and provide a comprehensive digital resilience framework for the relevant actors.

 

a) ICT risk management

 

DORA sets out a set of requirements for an ICT risk management framework, including:

 

  • Establish and maintain resilient ICT systems and tools that minimise the impact of ICT risk.

  • Identify all sources of ICT risk on an ongoing basis in order to put in place protective and preventive measures.

  • Have in place mechanisms to promptly detect anomalous activities.

  • Have dedicated and comprehensive business continuity policies and disaster recovery plans in place to ensure rapid recovery from an ICT-related incident.

  • Put in place mechanisms to learn and evolve from external events as well as from the entity's own ICT-related incidents.

 

b) ICT-related incident reporting

 

  • Establish and implement a management process to monitor and log ICT-related incidents.

  • Classify incidents according to the criteria detailed in DORA and further elaborated by the European Supervisory Authorities (ESAs).

  • Report ICT-related incidents that are deemed reportable under those criteria to the competent authorities, using a common template and harmonised procedure as set out by the competent authority.

  • Submit initial, interim and final reports on ICT-related incidents to the company's users and clients.

 

c) Digital Operational Resilience Testing

 

  • The capabilities and functions included in the ICT risk management framework need to be tested periodically to assess preparedness, identify weaknesses, deficiencies or gaps, and promptly implement corrective measures.

  • Digital operational resilience testing requirements must be proportionate to the size, activities and risk profile of the entities.

  • Threat-led penetration testing (TLPT), also known as red/purple team assessments, must be conducted to address higher levels of risk exposure.

 

d) Sharing information

 

DORA encourages cooperation within trusted communities of financial entities. This cooperation aims to:

 

  • Increase the digital operational resilience of financial entities,

  • Raise awareness of ICT risks,

  • Minimise the ability of ICT threats to spread,

  • Support actors' defensive and detection techniques, mitigation strategies, and response and recovery phases.

Financial actors are encouraged to share cyber threat information and intelligence with each other through measures that protect the potentially sensitive nature of the information shared.

 

e) ICT third-party risk

 

  • Ensure close monitoring of risks arising from dependence on third-party ICT providers.

  • Harmonise key elements of services and relationships with third-party ICT providers to enable 'full' monitoring.

  • The contracts that govern that relationship will be required to contain: a complete description of services; an indication of the locations where data is to be processed; full service level descriptions accompanied by quantitative and qualitative performance targets; relevant provisions on accessibility, availability, integrity, security and protection of personal data; guarantees for access, recovery and return in the case of failures of the ICT third-party service provider; notice periods and reporting obligations of the ICT third-party service provider; rights of access, inspection and audit by the financial entity or an appointed third party; and clear termination rights and dedicated exit strategies.

  • As some of these contractual elements can be standardised, DORA promotes the voluntary use of standard contractual clauses, which are to be developed by the Commission for the use of cloud computing services.

 

 

 
