The Digital Operational Resilience Act enters into application: a key step in EU financial markets’ digitalisation journey


On 16 January 2023 the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, entered into force, promoting, for the first time in Europe, a common set of rules and standards to mitigate Information and Communications Technology (ICT) risks for the financial sector[1]. The regulation, which will be applied as of 17 January 2025, is part of a broader digital finance package[2], whose aim is not just to make financial markets more resilient to cyber threats but to reduce fragmentation of rules in the field among Member States.

As outlined in Art. 4 DORA, ICT risks may vary depending on the size of the financial entity considered and on the «nature, the scale and complexity of its services»[3]. This is why, in drafting the DORA, the EU Commission adopted a coherent and proportionate method, midway between cybersecurity and financial regulation.

The present piece provides an account of DORA’s rules and provisions from a cyber-risk management perspective. Firstly, it explains why DORA is needed in EU financial markets; then it analyses the regulation’s scope of application, namely its six pillars, showing some similarities with the General Data Protection Regulation (GDPR) and the Digital Services Act (DSA).

Why is DORA needed?

Financial entities, such as banks, insurance companies, investment firms or trading venues, increasingly rely on ICT tools to deliver their services to clients[4]. These tools are often provided by third-party service providers that can be exposed to cyber threats, which may in turn disrupt financial service delivery and, potentially, create a domino effect. This scenario is compounded by the fact that ICT service providers are neither directly supervised nor subject to the same regulatory frameworks as the financial entities, despite their crucial technical role in the sector. Many financial entities are even dependent or interdependent on ICT service providers, thus posing substantive threats to themselves and to their counterparts.

The need to set rules on ICT risk management and to impose high standards of digital operational resilience among all EU financial operators is therefore clear. DORA does so through six fundamental pillars.

DORA’s six pillars

  1. ICT third-party risk management and oversight

As described above, the management of ICT third-party risks is crucial in financial markets, since outsourcing of ICT services is very frequent. In order to safeguard the markets, the DORA’s first pillar states that financial entities must enter into contractual relationships only with diligent ICT service providers, defining elements relating to their selection process.

The DORA also makes it mandatory to perform controls and oversight of critical ICT third-party service providers (CCTPs) on an ongoing basis, in order to critically monitor the market and to prevent domino effects. In this regard, national competent authorities hold considerable powers, alongside the European Supervisory Authorities’ (ESAs)[5] Lead Overseer, which is empowered to request all documentation, conduct inspections and obtain reports, as well as to impose a penalty payment in case of CCTPs’ infringements.

In addition, contracts between financial operators and ICT service providers must contain key elements, such as termination rights and related minimum notice periods, a description of the service, and its location[6]. The aim of this obligation is a clear allocation of responsibilities for minimising cyber threats, enabling adequate coordination of digital initiatives.

  2. ICT risk management

As for the DORA’s second pillar, financial operators are obliged to have internal governance and control frameworks to ensure effective detection, management and control of all ICT risks. Operators must implement and use appropriate strategies, policies, protocols, tools, and registers. They also have to identify, classify and document all ICT-related business functions, risks, systems, accounts, and processes, embedding digitalisation in the risk culture, thereby creating awareness and fostering digital proficiency across all business lines. This makes it possible to set top-down steering and monitoring processes and bottom-up reporting mechanisms, in accordance with a group-wide strategy aligned with the joint ESAs’[7] technical advice or other best practices and industry standards[8].

On closer analysis, the aforementioned provisions show significant points of contact with the GDPR. In fact, financial entities’ evaluation and implementation must include risks concerning data protection and, more precisely, the actual business scenarios in which a data breach may occur[9]. GDPR rules and principles must be observed, regarding, for instance, data minimisation and security, privacy by design and by default, and storage limitation. Data governance is regarded as crucial to support data-driven digitalisation activities.

Art. 11(2) DORA specifically requires financial entities to put in place an ICT business continuity policy, whose aim is to limit the damage caused by cyber attacks «through dedicated, appropriate and documented arrangements, plans, procedures»[10], while ensuring that the financial entities can continue to deliver their services to clients. Furthermore, the DORA makes it mandatory to develop back-up policies and recovery methods, as well as to communicate the causes of significant disruption to the market, thus designing proper transparency rules.

In line with the proportionality principle set out in Art. 4 DORA[11], compliance with these obligations depends on the size of the operator considered, so that small actors and micro-entities are not overburdened[12]. Non-interconnected entities are also subject to a simplified regulatory framework[13].

  3. ICT-related incidents

As far as transparency rules are concerned, financial operators must define, establish and implement a process to notify cyber attacks and ICT-related incidents to the competent national authorities. These incidents are classified and their impact is assessed according to the criteria set out in Art. 18(1) DORA: the number of users affected, the duration of the incident, its geographical spread, the economic impact, the criticality of the services impacted, and the data losses. The latter element emphasises the necessity of a comprehensive and uniform reading of the DORA and the GDPR in order to formulate a well-articulated digital financial strategy[14].

  4. Reporting obligations

The DORA’s fourth pillar focuses on major ICT-related incidents. These incidents must be reported to authorities expeditiously, based on standardised reporting forms, so that time and economic expenditure are reduced and countermeasures can be taken rapidly[15]. The establishment of a single competent EU Hub is not excluded, as it can «facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence»[16]. This Hub could foster more effective data governance in financial markets, covering data streams jointly and managing risks more impactfully than single national authorities.

  5. Digital operational resilience testing

Under Chapter IV (Artt. 24-27) of the DORA, financial entities have to establish and regularly review a testing programme for their digital operational resilience. Beyond traditional ICT testing techniques, the testing programme should include a full range of appropriate tests, including Threat Led Penetration Testing (TLPT), carried out at least every three years. The technical standards applied when conducting this type of test are to be developed by the joint ESAs and are likely to be aligned with TIBER-EU, published by the European Central Bank (ECB) in 2018[17].

These tests must be performed by internal or external independent parties at a frequency based on the entity’s size, scale, activity, and overall risk. The rationale of this obligation is to assess and identify weaknesses or gaps and to implement more resilient cybersecurity measures in conjunction with the national competent authorities.

In this regard, parallels can be drawn with Artt. 34 and 37 of the DSA. Like the DORA, the DSA is part of the EU Digital Strategy and shows some similarities with the regulation under consideration with regard to the regulatory method adopted by the legislator[18]. More specifically, Art. 37 DSA states that Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) «shall be subject, at their own expense and at least once a year, to independent audits to assess compliance»[19] with the regulation and to verify their commitments. Auditors are the subjects who must verify a platform’s compliance with the DSA, acting independently from any operational function, similarly to what independent parties must do under Chapter IV of the DORA.

Art. 34 DSA focuses, for its part, on risk assessment, imposing on VLOPs and VLOSEs the obligation to «diligently identify, analyse and assess any systemic risks in the Union stemming from the design or functioning of their service and its related systems, including algorithmic systems, or from the use made of their services»[20], so as to adopt preventive measures, just as the DORA aims to do through mandatory digital operational resilience tests.

  6. Information sharing

Concluding with the DORA’s sixth and last pillar, information sharing is promoted with regard to cyber threats, tactics and alerts to tackle them. This is a way to create a common and unified cybersecurity approach among EU financial entities, in compliance with the confidentiality rules and GDPR prescriptions that protect the information shared between the parties[21]. In any case, information-sharing arrangements have to be concluded among trusted communities of financial operators, as a sort of guarantee of compliance and mutual respect. This could help to cluster financial operators according to their practices and use of technologies, tailoring supervisory work to the different stages of their digitalisation journey[22].

Conclusions

Through these six pillars, the DORA is able to build digital operational resilience in EU financial markets with a new, harmonised approach, thereby reducing the previous fragmentation of rules. It helps achieve the goals referred to in Art. 114 TFEU by strengthening the internal market and achieving greater levels of cybersecurity among financial entities. The DORA does so not in an entirely innovative way, but by showing similarities with other regulations, namely the GDPR and the DSA, making it clear that the EU strategy towards cyberspace governance is comprehensive and holistic[23].

By 17 January 2025, all financial entities must fully assess their existing policies, tools and practices related to internal or third-party ICT risk management, so as not to be fined by competent national authorities. By providing these obligations, the DORA balances financial entities’ ever-increasing exposure to cyber threats with their dependency on and growing need for innovative technologies, bringing benefits in terms of higher certainty and awareness among actors who wish to be part of the digital revolution[24].


[1] European Insurance and Occupational Pensions Authority, Digital Operational Resilience Act, https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en (visited 26/12/2024). For scholarly contributions, see D. Clausmeier, Regulation of the European Parliament and the Council on digital operational resilience for the financial sector (DORA), in International Cybersecurity Law Review, 4, 2023, pp. 79–90; J.-B. Poulle, A. Kannan, N. Spitz, S. Kahn, A. Sotiropoulou (eds.), Digital Operational Resilience Act (DORA), in EU Banking and Financial Regulation, Elgar, Cheltenham, 2024, pp. 670–676.

[2] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a Digital Finance Strategy for the EU, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020DC0591 (visited 26/12/2024). See also P. E. Berger, The EU Digital Finance Package. Digital transformation in the financial sector, https://www.dlapiper.com/es-pr/insights/publications/2021/01/the-eu-digital-finance-package (visited 28/12/2024).

[3] Art. 4 DORA, together with Recital 36, outlines the «proportionality principle» in digital financial market regulation. For more information see B. Sammut, Proportionality is vital for a regulation of this nature, https://ganado.com/insights/publications/proportionality-is-vital-for-a-regulation-of-this-nature/ (visited 28/12/2024).

[4] F. Bontadini, F. Filippucci, C. Jona-Lasinio, G. Nicoletti, A. Saia, Digitalization of financial services, access to finance and aggregate economic performance, OECD Economics Department Working Papers, 1818, 2024, pp. 6–59; E. McCaul, A key step in assessing SSM banks’ digitalisation journey and related risks, https://www.bankingsupervision.europa.eu/press/blog/2024/html/ssm.blog240711~db8cfa5ca6.en.html (visited 27/12/2024).

[5] The European Supervisory Authorities are the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). For further information, see European Insurance and Occupational Pensions Authority, Joint Committee, https://www.eiopa.europa.eu/about/governance-structure/joint-committee_en (visited 28/12/2024).

[6] Art. 30 DORA.

[7] See note 5.

[8] K. Bouaissi, How will DORA impact the financial sector, https://www.ey.com/en_lu/insights/wealth-asset-management/how-will-dora-impact-the-financial-sector (visited 27/12/2024).

[9] G. Olivi, A. Venditti, Tra DORA e GDPR: cybersecurity e privacy nel settore finanziario, https://www.dirittobancario.it/art/tra-dora-e-gdpr-cybersecurity-e-privacy-nel-settore-finanziario/ (visited 27/12/2024); Data Guidance, EU: The interplay between DORA and the GDPR, https://www.dataguidance.com/opinion/eu-interplay-between-dora-and-gdpr (visited 27/12/2024); European Federation of Data Protection Officers, Synergies between DORA and GDPR: A comprehensive approach to data security, https://www.efdpo.eu/synergies-between-dora-and-gdpr-a-comprehensive-approach-to-data-security/ (visited 27/12/2024).

[10] Art. 11(2) DORA.

[11] See note 3.

[12] Art. 16 DORA.

[13] Ibid.

[14] See note 7.

[15] As an example, see the recent Bank of Italy guidelines, available at Banca d’Italia, Comunicazione di gravi incidenti ICT e delle minacce informatiche significative, https://www.bancaditalia.it/compiti/vigilanza/dora-incidenti/index.html?dotcache=refresh (visited 27/12/2024).

[16] Art. 21(1) DORA.

[17] European Central Bank, What is TIBER-EU, https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html (visited 27/12/2024).

[18] A. Turillazzi, M. Taddeo, L. Floridi, F. Casolari, The digital services act: an analysis of its ethical, legal, and social implications, in Law, Innovation and Technology, 1, 2024, pp. 83–106.

[19] Art. 37(1) DSA. For further information, see G. De Gregorio, O. Pollicino, Auditing Platforms under the Digital Services Act, https://verfassungsblog.de/dsa-auditors-content-moderation-platform-regulation/ (visited 28/12/2024).

[20] Art. 34(1) DSA.

[21] See note 7.

[22] E. McCaul, op. cit.

[23] European Commission, Europe’s Digital Decade: digital targets for 2030, https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/europes-digital-decade-digital-targets-2030_en (visited 28/12/2024).

[24] BNP Paribas, DORA – Digital Operational Resilience Act – regulation memo, https://securities.cib.bnpparibas/dora-regulation-eu/ (visited 28/12/2024).
