The Digital Operational Resilience Act (Dora), which entered into force in the European Union on 16 January 2023, aims to harmonise and reinforce the resilience of the information systems of financial sector entities and their information and communications technology (ICT) providers, explained Laureline Senequier during Deloitte Luxembourg’s professionals of the financial sector (PSF) conference on 5 December 2023.
After a two-year implementation period, during which regulatory technical standards and “Level 2” requirements will be released with more detailed information, compliance with Dora will begin on 17 January 2025. So what’s new in the regulation?
Dora consists of five pillars, Senequier told the audience. “The biggest pillar and first one to look at is the ICT risk management.” It’s key to have a framework in place in order to manage ICT risks. This doesn’t only refer to cyberattacks, she noted, but includes anything that can go wrong with ICT systems, such as issues that may arise when deploying new core banking systems. “You need to assess those risks… then develop measures. And those measures are about protecting, preventing, detecting, response and recovery.”
“The second [pillar] is incident reporting,” said Senequier. Once an incident takes place, it needs to be classified and reported to the competent authorities.
Digital operational resilience testing is the third pillar of the Dora regulation. “The name is new, but the concept is not new.” Financial entities and their ICT providers need to test their security and defence systems by carrying out exercises such as vulnerability scans and penetration testing.
“The fourth pillar is ICT third-party risk,” continued Senequier. “If you have your information system not within your house, but at an IT service provider, then this one needs to also be resilient. Looking at the PSF world, support PSF are typically those service providers.”
The fifth and last pillar focuses on sharing information on topics like cyberthreats, which may include indicators of compromise, tactics, techniques and procedures.
Direct and indirect application
An informal poll conducted before the conference found that the majority (77%) of attendees said that they have a service provider who provides a software licence. “And that comes in the scope of ICT services that needs to be managed through Dora.”
So what entities are impacted by the regulation?
Banks, investment funds, insurance entities, payment institutions and electronic money institutions are among the entities to which Dora is directly applicable.
“Then you have the ICT service providers, which are the support PSF, for which those requirements are not directly applicable, but will become indirectly applicable,” said Senequier. “If your client is in the financial sector, and Dora applies to them, then they’re going to ask you to have a resilient information system to support their operations.” Chapter five of the regulation relates to the management of ICT third-party risk and an oversight framework for critical ICT third-party service providers.
“As of today, specialised PSF are not in scope of this regulation,” she noted. “I’m saying ‘as of today,’ because it could be that the CSSF [Luxembourg’s Financial Sector Supervisory Commission] decides that it does come into the scope.”
The “next episode” of Dora
The “next episode” of the regulation concerns regulatory technical standards (RTS) that will provide more detailed requirements before firms need to start complying in January 2025. The RTS are coming in “two batches,” said Senequier.
The first batch is currently in consultation mode, she explained, and includes RTS on ICT risk management, RTS on incident classification, RTS on contractual arrangements for the use of ICT services supporting critical or important functions, and RTS establishing the templates for the register of ICT providers.
The second batch of regulatory technical standards is expected to be published in July 2024, “and the consultation phase of this second batch of RTS should start at the end of this week [8 December].” These will cover information on the conduct of oversight, reporting on major ICT-related incidents, subcontracting of critical or important functions, and threat-led penetration testing.
More details on ICT risk management
“The concept of ICT risk management is not particularly new, because there are already EBA [European Banking Authority] guidelines that were applicable, and these were translated in the CSSF circular 2750, which is applicable to investment firms and specialised PSF,” said Senequier. What’s new is that entities have to publish a yearly report on their risk management framework and send it to the CSSF. In addition, there are 13 policies and procedures, just on ICT risk management, that need to be explicitly documented.
The amount of requested information has increased, she added, using encryption and cryptography as an example. “In the CSSF circular, the requirements on encryption and cryptography are one sentence. It says, ‘you need to encrypt your data at rest or in transit based on the classification of your information.’ That was one sentence in the circular. It becomes one page and a half of requirements in the RTS. So there’s no doubt of what you have to put.”
“Even if you’ve done a gap assessment on the regulation itself and you feel like you’re compliant, maybe with these more detailed requirements in the RTS, you become not compliant,” Senequier cautioned.
In terms of the classification of ICT incidents, primary criteria (the number of clients impacted, the number of financial counterparts, transaction amount, data loss or critical services affected) as well as secondary criteria (impact on reputation, duration of the incident, geographical spread and economic impact) need to be considered.
“If you put yourself in the shoes of a financial institution which is using many different ICT service providers, then if there’s an incident happening at the ICT service provider, at the cloud service provider, it may be a major incident that you have to report to the CSSF.” If an incident happens at a service provider, the service provider has to inform its clients and provide the necessary information for the client to classify the incident.
“Spread” of IT service providers gets bigger
“There’s nothing very new in terms of how you manage your IT service providers if you already apply the outsourcing regulation. But what is really new is actually the set of service providers… you have here, in one of the RTS, the categories of IT service providers, software licensing.” There’s also ICT development, security management services, data analysis, computation, ICT consulting, Senequier noted. “The spread and the population of your ICT service provider is really getting bigger.”
With Dora, there’s a “whole set” of IT service providers for financial entities that will have to get compliant with due diligence, risk assessment, contracts, exit strategies and more.