The Digital Operational Resilience Act (Dora) aims to harmonise and reinforce the resilience of the information systems of financial sector entities and their information and communications technology (ICT) providers. What makes Dora different from previous regulations impacting the financial industry and outsourcing arrangements?
As already mentioned several times by the practitioners, from a legal perspective, Dora is a regulation, not a directive; this means that it applies directly and consistently throughout the member states. The European Parliament has aimed to impose the same rules upon all financial entities within the European Union to ensure security and confidentiality of IT systems and data. Before Dora, the European and national regulators had regularly issued guidelines, ensuring a certain level of harmonisation within the EU but not achieving full harmonisation.
With respect to the governance liability, considering that financial entities are “better equipped in particular to set up dedicated management functions for supervising arrangements with ICT third-party service providers or for dealing with crisis management, to organise their ICT risk management according to the three lines of defence model, or to set up an internal risk management and control model, and to submit their ICT risk management framework to internal audits,” as stated in preamble paragraph 38, Dora (article 5) clearly stresses that the management body bears the ultimate responsibility for managing the financial entity’s ICT risk and is responsible and accountable for the following actions, amongst others:
-- putting in place policies to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality of data;
-- setting and approving the digital operational resilience strategy, including the determination of the appropriate risk tolerance level of ICT risk;
-- allocating and periodically reviewing the appropriate budget to fulfil the Dora requirements in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training.
Furthermore, Dora has created the new status of critical ICT third-party service providers. Due to their systemic importance, these types of providers are under specific supervision and shall implement comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk posed to financial entities. These providers are under the thorough supervision of their designated ESA, which is probably why article 80 of the law on the insurance sector dated 7 December 2015 has widened the option for the insurance undertaking to outsource the digital storage of documents and related data and their processing to a Dora critical ICT third-party service provider.
Finally, what is also quite new is the information sharing scheme. Dora also provides for information sharing arrangements at a European level. It is not an obligation but, under certain conditions, an option is given to exchange amongst financial entities (on a voluntary basis) cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, cyber security alerts, and configuration tools, to the extent that such information and intelligence sharing aims to enhance the digital operational resilience (i.e., raising awareness in relation to cyber threats, limiting or impeding the cyber threats’ ability to spread, supporting defence capabilities, threat detection techniques, mitigation strategies or response and recovery stages).
Many more financial industry players are in the scope of this regulation. What would you say are some of the key challenges or obstacles with implementing Dora?
Amongst many key challenges, three key challenges can be considered as major.
The first one is obviously the cost incurred by compliance with Dora. Even if some financial entities are already complying with some of the requirements, additional costs will be incurred. Furthermore, there will be a need for additional resources to be allocated for compliance with and implementation of Dora. With respect to SMEs and micro-enterprises, this issue will be crucial. Indeed, even if Dora provides exemptions for certain types of entities and applies the proportionality principle, they will not be fully exempt.
The second key issue is the process of mapping all of the ICT providers within a financial entity. The work to be done may be huge as the definition of ICT services is quite broad.
Finally, the third key issue, which relates to the second, is sub-outsourcing. Financial entities shall list all of their ICT providers, but they will also need to be informed of the outsourced service providers of their ICT providers in order to be able to supervise and control the entire outsourcing chain.
Do you think this could cause a burden for smaller players?
There is no doubt that there will be a burden and this burden should not be underestimated.
Nevertheless, the proportionality principle remains applicable as set forth by article 4 of Dora. Indeed, paragraph 21 of Dora’s preamble states that “the digital operational resilience baseline for financial entities should be increased while also allowing for a proportionate application of requirements for certain financial entities, particularly micro-enterprises, as well as financial entities subject to a simplified ICT risk management framework”.
Hence, even if SMEs remain in the scope of Dora, the regulation provides for some exemptions available to SMEs, defined as:
-- “microenterprises”, defined as a financial entity which hires fewer than 10 persons with an annual turnover and/or annual balance sheet total not exceeding €2m;
-- “small enterprise”, defined as a financial entity that hires more than 10, but fewer than 50 persons, with an annual turnover and/or annual balance sheet total exceeding €2m, but not exceeding €10m;
-- “medium-sized enterprise”, defined as a financial entity that is not a small enterprise and hires fewer than 250 persons, with an annual turnover not exceeding €50m and/or an annual balance sheet total not exceeding €43m.
As mentioned throughout Dora, some exemptions exist where appropriate and relevant (e.g. the governance role (article 5), the ICT risk management framework (article 6 paragraphs 4, 5 and 6), the implementation of the ICT business continuity policy (article 11), the implementation of backup policies and procedures, restoration and recovery procedures and methods (article 12), etc.), but no full exemption exists. That is the reason why the burden remains high for the smaller players.
Financial entities and ICT service providers have until 17 January 2025 to comply. What would you say are some “overlooked” elements in the regulation that people need to pay attention to?
Due to all the regulations coming into force in the coming years, it is really very difficult to identify some overlooked elements. In fact, it is quite the opposite. Indeed, the main challenge will be to manage the overlaps of all the regulations, i.e., Dora, GDPR and NIS2 [Network and Information Security Directive], and the potential weaknesses and vulnerabilities from an IT security standpoint created by the development of “open banking” and “open finance”. Indeed, the more data is shared, the more secure, robust and resilient the IT systems and processes shall be.
A has found that as of 2022, over half (57%) of Luxembourg SMEs had no cyber insurance coverage at all, while a fifth (21%) didn’t even know whether they were covered. Only 13% had “comprehensive” insurance in case of a cyber attack. With the introduction of Dora, what are some implications for the insurance industry? Would you, for instance, expect to see an uptake in cyber insurance?
Definitely! Cyber insurance products have been designed for some years now, but only a few insurance companies offer these types of products. In parallel, financial institutions require their ICT providers to be insured for such risks.
Regarding the coverage, it often remains difficult to understand and have a clear view of the coverage of such insurance products, and the insurance deductible and the price (premium) are not negligible for small and medium-sized ICT providers. Indeed, when it comes to such insurance products, the premium and deductible are the same for SMEs as for big financial institutions, as the IT risks essentially remain the same.
This article was published for the Delano Finance newsletter, the weekly source for financial news in Luxembourg.