What do you need to know about the new resilience regulation affecting financial entities and ICT-providers?
The Regulation on digital operational resilience for the financial sector, also known as the Digital Operational Resilience Act or DORA, was published in the Official Journal of the European Union on 27 December 2022. The Regulation entered into force on 16 January 2023 and will apply from 17 January 2025.
The European Commission proposed this entirely new regulatory framework for digital risk management for financial entities and certain ICT service providers already in September 2020.
DORA aims to improve ICT risk management in finance. In contrast to other EU legislation in the field of cybersecurity (most notably the GDPR and NIS), DORA is not a principle-based piece of legislation but contains detailed lists of requirements designed to boost the operational and security capabilities of financial entities. Although DORA builds upon previous EU and Member State legislation, supervisory authority guidance and well-known international security and ICT risk management standards, it represents the first attempt to harmonise qualitative requirements on ICT risk management at EU level.
DORA lifts the requirements to the level of binding regulation and brings financial entities and TPPs to the same table
Complying with the new requirements should be a common interest for financial entities and their critical third-party ICT providers (TPPs).
While not all the requirements are entirely new, it is worth noting that the criteria that need to be fulfilled are now based on binding EU and national laws and regulations, not only on ICT standards and authorities' guidelines, which has largely been the case so far.
Another implication of importance is that ICT providers are becoming semi-supervised entities: the ESAs will be authorised to assess them and, accordingly, issue guidance and even sanctions in cases of non-compliance.
Not only financial services entities but also their critical ICT providers are obliged to review their procurement agreements to comply with DORA. This intervention in the principle of freedom of contract may come unexpectedly to some.
Who does DORA apply to?
As one of the main goals of the Regulation is to harmonise the rules on ICT risk management, DORA's scope of application is very broad. It covers all financial actors, from credit institutions to AIFMs, payment institutions, insurance companies and statutory auditors, you name it.
Notably, DORA also regulates critical third-party ICT providers. According to the proposal, each critical ICT service provider will have a Lead Overseer (either EBA, ESMA or EIOPA) supervising the provider's procedures and arrangements for managing the ICT risks it could pose to financial actors. The powers of the Lead Overseer range from requesting information to conducting investigations and imposing periodic penalty payments on service providers. The agreed oversight framework is further tasked with supervising ICT concentration risk across the financial sector.
Financial entities regulated under DORA
- Credit institutions
- Payment institutions and electronic money institutions
- Investment firms
- Crypto-asset service providers
- Central securities depositories
- Central counterparties
- Trading venues and trade repositories
- AIFMs and management companies
- Data reporting service providers
- Insurance and reinsurance undertakings and intermediaries
- Institutions for occupational retirement pensions
- Credit rating agencies
- Statutory auditors and audit firms
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
What are some of the key obligations under DORA?
DORA sets out a comprehensive framework for managing the risks associated with the increased digitalisation of the financial sector. The requirements for financial entities are divided into the following areas of cyber security and operational resilience:
ICT Risk Management
The management body of the financial entity bears the final responsibility for managing ICT risk. To that effect, DORA sets out a list of duties and obligations to which management is subject, including an explicit obligation on members of management to develop and maintain their knowledge of ICT risk.
Financial entities are further required to identify their ICT risk landscape and to have in place a comprehensive ICT risk management framework guiding and steering all work relating to ICT risk management. Financial entities other than microenterprises are required to implement an internationally recognised information security management system.
Classification and Reporting of ICT-related Incidents
Financial entities are required to put in place an ICT-related incident management process and to develop capabilities to monitor, handle and follow up on such incidents.
Incidents are to be classified according to factors outlined in the Regulation, such as the geographical spread of the incident, the criticality of the services affected and the duration of the incident. Major incidents must be reported to the relevant competent authority in line with a three-tiered process set out in the Regulation.
Digital Operational Resilience Testing
DORA outlines an obligation to implement a proportionate, risk-based digital operational resilience testing programme. The programme must provide for the execution of a full range of appropriate tests, such as vulnerability assessments and scans, open source analyses and network security assessments.
Critical ICT systems and applications must be tested annually, and certain financial entities are required to carry out so-called advanced threat-led penetration testing once every three years.
Information and Intelligence Sharing between Financial Entities
Financial entities may share cyber threat information and intelligence with each other, provided that such exchange of information aims at enhancing the digital operational resilience of financial entities, takes place within trusted communities and is carried out in accordance with applicable legislation (e.g. on data protection, trade secrets and competition).
Vendor Management
ICT third-party risk is considered an integral component of the ICT risk management framework. Financial entities are therefore required to adopt and regularly review a strategy on ICT third-party risk and to maintain a Register of Information outlining all contractual arrangements with ICT third-party service providers.
DORA also sets out key steps for procuring new ICT services, requirements for ending them and specific contractual provisions to be included in contracts with ICT third-party service providers. It further requires financial entities to perform ICT concentration risk assessments before entering into new contractual arrangements.
Examples of documents to be included in the ICT risk management framework
- Digital resilience strategy
- Information security policy
- Policies on access management
- Policies on ICT change management
- Policies for "patches and updates"
- ICT multi-vendor strategy
- Strategy on ICT third-party risk
- ICT Business Continuity Policy
- ICT Disaster Recovery Plan
- Backup policy
- Communication plans enabling responsible disclosure of ICT-related incidents or major vulnerabilities
- Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers
The regulatory future
Luckily, the big picture is now somewhat clarified. However, the details of the newly established requirements will be set by the European Supervisory Authorities (ESAs) through Level 2 measures such as Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). We recommend that all interested parties follow closely the upcoming Level 2 consultations, which will give a strong indication of the final requirements in detail.
How can we help?
Financial entities, as well as ICT service providers and outsourcing partners (including cloud service providers) that provide critical services to the financial sector, are advised to plan the implementation of the vast range of tightened or entirely new requirements so as to be compliant by the end of 2024. Some of the requirements will not pose major changes to current frameworks and arrangements, whereas others will require a lot of time, coordination and effort from very different professionals within organisations.
We at KPMG frequently provide advice in the fields of ICT risk management, resilience, cyber security, TPRM and the financial sector regulatory framework. KPMG's cross-professional teams are used to bringing together different stakeholders in our client organisations.
Please reach out to us if you are interested in hearing more or would like to request a proposal for, e.g.:
- Gap analysis to develop a roadmap towards compliance with the required operational resilience framework
- Identifying and registering your critical ICT providers
- Developing advanced digital operational resilience scenario testing
- Vendor management / outsourcing / third party risk management (TPRM)
- Legal review of your procurement / outsourcing agreements
- Improving your ICT risk governance including documentation
- Incident management and reporting
- Assessing your business continuity and disaster recovery
Jannica Boucht
Senior Manager, Legal counsel
+358 40 184 8863
Karri Tomula
Advisory Director
+358 40 749 0262
Tuomas Ilveskoski
Audit & Assurance Partner
+358 40 632 6088