In the digital age, information and communication technology (ICT) supports complex systems used for everyday activities. It keeps our economies running in key sectors, including the financial sector, and enhances the functioning of the internal market. Increased digitalisation and interconnectedness also amplify ICT risk, making society as a whole, and the financial system in particular, more vulnerable to cyber threats or ICT disruptions. While the ubiquitous use of ICT systems and high digitalisation and connectivity are today core features of the activities of Union financial entities, their digital resilience has yet to be better addressed and integrated into their broader operational frameworks.
REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
Launched as part of the European Commission’s Digital Finance Package in September 2020, the Digital Operational Resilience Act (DORA) aims to improve the overall digital operational resilience of the financial sector.
On 10 November 2022 the DORA Regulation was adopted by the European Parliament. It applies as a horizontal framework across financial services firms regulated under the EBA, EIOPA and ESMA frameworks.
In addition, it will reach ICT third-party service providers designated as critical through the oversight framework being established by the European Supervisory Authorities (ESAs).
The DORA objectives
DORA aims to harmonise existing legislation and fill existing gaps by introducing new requirements, establishing a unified digital framework under which firms must be able to withstand, respond to and recover from all types of ICT-related disruptions and threats, in order to prevent and mitigate cyber threats.
DORA sets out several objectives to increase the collective digital resilience of the financial sector, including ICT risk management (of which ICT vulnerability management forms a part), the management of ICT third-party risk, the exchange of ICT threat intelligence and a streamlined approach to regulatory reporting of ICT-related incidents.
The global regulatory landscape
ICT and cyber resilience remain key focus areas for supervisory authorities. While cyber resilience structures and activities currently form part of the existing regulatory landscape across ICT risk management and operational resilience, further activity to tackle increasingly complex technological threats is required.
Scope of application
While the CBI Guidance on Operational Resilience applies to all regulated financial service providers, the scope of DORA is much broader and, as such, a vast range of entities, from large and complex organisations to small and simple businesses, may be required to comply with this regulation. The in-scope list includes entities not traditionally subject to ICT-specific financial regulation, such as central counterparties, crypto-asset and crowdfunding service providers, management companies and ICT third-party service providers.
Relevant marketplace movements
- The joint CPMI and IOSCO Guidance on cyber resilience for financial market infrastructures
- European Union Network and Information Security Directive (NIS2)
- National and European Guidelines on outsourcing arrangements
- US Securities and Exchange Commission ‘Cybersecurity and Resiliency Observations’
- Central Bank of Ireland (CBI) Cross Industry Guidance on Operational Resilience
- Senior Executive Accountability Regime (SEAR)
- Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) and Bank of England Joint Policy Statement on Operational Resilience
DORA and the CBI perspective on operational resilience
While the CBI Guidance on Operational Resilience focuses on strengthening resilience against operational disruptions that impact a firm's critical or important business services, DORA prescribes specific requirements for operational resilience from a technological perspective. Its scope of application is also much broader, and it sets out specific technical requirements for each of the key obligation areas described below.
Key obligation areas
There is considerable overlap between DORA and existing regulations already in place; however, DORA sets out specific and technical requirements across key obligations in the following areas, proportionate to a firm's size, business and risk profile:
- ICT Risk Management: Adopt ICT governance and control frameworks, including an IT risk management framework to be documented and reviewed at least yearly.
- ICT Incident Reporting: Streamline ICT incident reporting through the logging and classification of ICT-related incidents and the reporting of major incidents to competent authorities using common templates and procedures.
- Digital Operational Resilience Testing: Performance of basic digital operational resilience testing at least yearly for all financial entities, and advanced threat-led penetration testing at least every three years for entities identified as significant.
- Management of ICT Third-Party Risk: Monitor third-party contractual arrangements at all stages of their lifecycle, and enable European Supervisory Authorities (ESAs) oversight of ICT third-party service providers designated as 'critical'.
- Information-Sharing Arrangements: Voluntary participation in intelligence sharing through the exchange of cyber threat information among financial entities, including tactics, techniques and procedures and indicators of compromise.
Next steps
The Digital Operational Resilience Act (DORA) entered into force on 16 January 2023 and applies from 17 January 2025.
The relevant European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), are in the process of developing technical standards that in-scope entities will have to follow.
In addition, following DORA's entry into force, the ESAs are to deliver a number of regulatory technical standards (RTS) to the European Commission. The first of these include:
- RTS on the ICT risk management framework;
- RTS further specifying the content of the policy on contractual arrangements for the use of ICT services supporting critical or important functions provided by ICT third-party providers;
- RTS on incident reporting.
Key next steps for your organisation to consider are:
- Establish a DORA programme and appoint a programme director and sponsor
- Develop a DORA board positioning paper
- Define a Terms of Reference and build a business case to mobilise the DORA programme
- Establish a governance forum and understand where the DORA programme interacts with broader firm initiatives
- Mobilise the design phase of the DORA programme
How KPMG can help
Our team has deep technical expertise across the Digital Operational Resilience obligation areas, including ICT Risk Management, ICT and Cyber Resilience and Incident Management, and ICT Third-Party Risk Management, in addition to broad Governance, Risk and Compliance skills. We have also supported numerous clients on their broader Operational Resilience journeys over recent years.
If you would like to discuss the potential impact of the above on your business, please contact any of our Digital Operational Resilience experts below.