EU ICT Regulation DORA Coming into Force Soon – What Is Required?

Harmonisation of ICT Security Management

With digital developments moving faster than ever before, the financial sector is facing a new era of cybersecurity threats. To tackle the growing threat to cybersecurity in the sector, the EU has adopted the Digital Operational Resilience Act (DORA), a comprehensive new regulation that will change and harmonise the way financial entities manage ICT security. DORA entered into force on 17 January 2023 and will apply from 17 January 2025. For financial sector actors, the most relevant parts of DORA are the requirements on ICT risk management, incident management and stress testing. In addition, DORA develops new supervisory standards for third-party ICT service providers, where the European Supervisory Authorities will fulfil the role of Lead Overseer, as well as rules on information sharing and competent authorities.

DORA is aimed at financial entities, which include the majority of companies operating in the financial sector, with the aim of harmonising the regulatory framework for ICT security in the EU. The regulation covers more actors than previous ICT regulations, such as companies that handle cryptocurrencies and cloud services. Payment service providers, credit institutions and investment firms currently covered by the EBA ICT guideline EBA/GL/2019/04 will be covered by DORA. This includes the introduction of more detailed requirements for ICT risk management frameworks and stricter rules for third-party ICT service providers. Similarly, insurers and reinsurers currently covered by EIOPA's ICT guideline EIOPA-BoS-20/600 will also be covered by DORA. Among other things, this will affect incident reporting and increase the requirements for system testing.

Simplifications and exemptions will be provided for some smaller operators. The smaller operators will be subject to a simplified regulatory framework, which is less demanding but has a similar purpose. DORA justifies this with the principle of proportionality, which means that larger and more important systems require greater security.

The Purpose of DORA

In broad terms, DORA aims to increase preparedness for ICT threats in the financial sector. In particular, it seeks to minimise disruptions to the most critical financial systems, thereby ensuring their continuity and availability. To achieve this, DORA requires financial entities to create thorough business continuity and crisis plans, clearly delegate responsibilities within the organisation and establish clear lines of communication. Third-party risks are also recognised as important risk factors, since both the risk of blindly relying on external critical systems and the risk of reduced transparency increase when such systems are outsourced.

In addition, DORA introduces new requirements for how systems should be tested and how responsibility for these tests should be allocated. Of particular importance is Threat Level Penetration Testing (TLPT) and how these tests are carried out. Because TLPT under DORA must be carried out on live production systems, the tests may affect those systems, which in turn may jeopardise data security and data integrity, including for third parties connected to the systems. Therefore, great importance is attached to these tests being carried out by certified and credible parties, with a degree of care proportionate to the criticality of the systems.

Technical Standards

In the run-up to the implementation of DORA, a number of technical standards will be published to clarify certain elements of DORA, see table below. These will be released in two batches. The first set of technical standards will be finalised and published by 17 January 2024. The consultation documents of the second set of technical standards will be published in November or December 2023 and will be finalised and published by 17 July 2024.

Round         | Article                                          | Public consultation        | Finalised
First round   | 15, 16.3, 18.3, 28.9 and 28.10                   | 2023-06-16 to 2023-09-11   | 2024-01-17
Second round  | 11.11, 20(a), 20(b), 26.11, 30.5, 32.7 and 41    | November or December 2023  | 2024-07-17

Next Steps

Depending on the regulatory framework your organisation has followed in the past, the transition process may vary in scope. We therefore recommend that you start preparing well in advance to fulfil the new requirements of DORA on ICT security. Read more about our regulatory advice services or contact us if you have questions about the new regulation or need help with its implementation.
