The European Commission proposes the Digital Operational Resilience Act

On 24 September 2020, the European Commission adopted a new Digital Finance Package, comprising a Digital Finance Strategy, a Retail Payments Strategy and legislative proposals on crypto-assets and digital operational resilience. The proposed regulation, the ‘Digital Operational Resilience Act’ (‘DORA’), aims to ensure that all participants in the financial system have the safeguards in place needed to withstand cyber-attacks and other ICT-related risks.

TIME DANOWSKY – a law firm specializing in Information and Communications Technology (ICT) – has reviewed the proposed text and notes that, while DORA intends to standardize and harmonize areas that are already regulated, it will also capture a broader range of financial entities and address new areas of regulation, and will thereby have a broad impact on entities and service providers operating in the financial market and on their ICT contracting.

In this article TIME DANOWSKY summarizes some elements of DORA that may have an impact on professional ICT customers and providers in the financial sector.

The full text of DORA can be found here:

If you have questions about this article or DORA, please contact Mats Ohlén and Ulrika Geissler, partners at TIME DANOWSKY.

• The wide scope of DORA is a novelty. It is a clear harmonization initiative, but many companies that have not previously been subject to specific ICT regulation will now fall under DORA. Banks and other credit institutions, for instance, are already subject to similar guidelines and regulations and can be assumed to adapt with relative ease. The open question is how well prepared the other financial entities are.

• The following financial entities are covered by DORA: credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks and crowdfunding service providers.

• In one of its initial chapters, DORA lays down minimum requirements for how financial entities conduct ICT risk management and organize their internal control frameworks, in order to ensure effective and prudent management of ICT risks. The requirements will be familiar from other guidelines and regulations in the financial sector, but may be new to companies that now fall within DORA’s wide scope.

• Financial entities must have robust functions for ICT risk management. The purpose is to build resilience by quickly identifying, countering and managing ICT risks and reducing their potential impact on the business. DORA contains detailed requirements on how these management systems are to be set up and maintained. The fact that only ‘microenterprises’ (i.e. entities employing fewer than 10 persons whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million) benefit from some exemptions from these requirements indicates that DORA really is intended to set a standard for the financial market as a whole.

• DORA contains a separate chapter on ICT-related incidents. Financial entities’ incident management processes must cover all ICT-related incidents and meet a set of basic requirements. All ICT-related incidents must be classified and their impact determined. Furthermore, the European supervisory authorities will define thresholds for what are called ‘major ICT-related incidents’, to which specific and strict reporting and handling requirements will apply. Among other things, financial entities will have to report major ICT-related incidents to the competent authority within strict deadlines. If a major ICT-related incident affects the financial interests of the entity’s clients or service users, the financial entity must also inform them of the incident and of the measures taken to mitigate its adverse effects.

• DORA introduces a general requirement for annual digital operational resilience testing of ICT tools and systems, and threat-led penetration testing at least every three years for those financial entities identified by the competent authorities. There are also specific requirements for those who perform the tests, and additional requirements where external testers are engaged.

• A specific chapter in DORA addresses how financial entities are to manage ICT risks arising from third-party deliveries. Performing a risk analysis of each delivery and keeping a register of information on the contractual arrangements for ICT services provided by third parties are components of this. Furthermore, the financial entity must report at least annually to the competent authority on the content of these arrangements and on any changes to the register. Minimum requirements for how third-party contracts are to be designed and what they must contain form a significant part of this chapter, as do rules on how dependencies and risks are to be assessed when selecting a provider, followed up during the contract period, and handled on termination and exit from the contract. Some of these rules are familiar from other sector regulations and guidelines, but since the regulation will have a wide scope, the impact on ICT contracts concluded in the financial market is expected to be noticeable.

• A novelty in DORA is the establishment of an oversight framework for so-called ‘critical ICT third-party service providers’. These providers will be designated by the European supervisory authorities based on, among other things, their potential systemic impact and their actual substitutability in the event of a large-scale operational failure. The European supervisory authorities will annually publish an EU-level list of these providers, and ICT providers not included on the list may request to be designated. The EU will establish an ambitious reporting, audit and oversight regime for critical ICT third-party service providers; non-compliance may lead to significant periodic penalty payments and to financial entities being ordered to temporarily suspend or completely cease using the provider’s services. A related question is to what extent financial entities and service providers will be able to rely on the oversight framework as a ‘stamp of approval’ or ‘safe haven’ when selecting vendors. Probably not, in the regulator’s view: the oversight framework is a tool for the regulator to obtain an overview of the risks to the financial system as a whole, but this could be clarified. Another point worth noting is that financial entities will not be permitted to engage a service provider established in a third country if that provider would have been designated critical had it been established in the EU (i.e. providers not established in the EU and accordingly not included on the authorities’ list). The assumption appears to be that all service providers of relevance should be established in the EU; if they are not, is the assessment of criticality, including potential systemic impact on the EU, to be made by the financial entities themselves?

• Finally, DORA allows financial entities to establish arrangements for sharing cyber threat information and intelligence, with or without the participation of authorities, provided that the arrangements are set up within trusted communities and respect business confidentiality, personal data protection and competition law. Membership in such arrangements must, however, be notified to the competent authorities.