DORA: the implication for ICT and cloud suppliers, PART I

In a previous blog we have informed you about the EIOPA guidelines, which contain guidelines for insurance companies for the outsourcing to providers of existing and new cloud services. However, these are only mere guidelines addressing very particular services for a limited type of entities in the financial sector, namely insurance companies.

Already in 2019 the European banking Authority (‘EBA’) has asked for a coherent approach to cyberrisks. Its conclusion was that cybersecurity and digital resilience in the financial sector was only addressed in some areas and in different ways in national member states. Currently, the requirements related to the management of cyberrisks in the financial sector are provided for in eight different directives, each aiming at different type of financial entities and with a different scope. Each of these directives are implemented in national legislation creating differences (also via national guidelines such as the EIOPA guidelines or the DNB Good practice).

These legal disparities and uneven national regulatory or supervisory approaches with regard to ICT risks have a negative impact on the internal markets for financial services, especially for those financial entities operating in various member states and offering different financial services. For these reasons the Digital Operational Resilience Act (DORA) has been adopted and has been published in the European Journal dated 27 December 2022. DORA will be in full force on 17 January 2025.

Harmonization of the rules on ICT risk management is one of the main goals of DORA. Therefore the scope of application is very broad. It covers all financial actors (meaning those parties involved in any way in the provision of financial products and services related thereto) including credit institutions and investment firms, payment institutions, electronic money institutions, credit rating companies, insurance companies and statutory auditors. 

Does that mean that all the other directives will become null and void? No, that is not case. Those directives will be amended to ensure consistency with DORA. Alongside DORA, a special amendment directive has been published on 27 December 2022 in order to modify the general rules of eight other directives to apply the operational risk management obligations addressed in DORA to entities subject to these directives. This amendment directive needs to be implemented by the member states on 17 January 2025.

And to make it even more complex, also on 27 December 2022, the Network and Information Security directive (NIS-2) has been published in the European Journal. There is a certain overlap with DORA. NIS-2, as does DORA, has rules for cybersecurity risk management and reporting obligations for a broad range of organizations falling under the scope of NIS-2.

NIS-2 applies to financial entities and also its ICT third party providers. DORA has a level of ICT risk management and ICT related incident reporting that is more stringent than NIS-2, therefore DORA constitutes a ‘Lex Specialis’ with regard to NIS-2, meaning that financial entities, on top of NIS-2, will have to adhere to the stricter requirements of DORA.

We will inform you further about the relation between DORA and NIS-2 in another series of blogs.

DORA Framework

DORA basically has five areas of sets of rules to address ICT security and digital resilience (see table below).

ICT Risk management (I)ICT related Incidents (II)Digital Operational resilience testing (III)ICT 3rd Party Risk Management (IV)Information sharing (V)

ICT Risk management: The management body of the financial entity has the full responsibility for managing ICT risks. Financial entities are also required to identify the ICT risk landscape and need to have in place a comprehensive ICT risk management framework (including business continuity and disaster recovery). Financial entities are required to implement an internationally recognized information security management system. 

ICT related incidents: Financial entities are required to put in place an ICT related incident process and develop a policy in relation to the monitoring, action and follow up on such incidents. Incidents are to be classified according to the geographical impact of the incident, the criticality of the services effected by the incident and the duration of the incident. Materiality thresholds (determining what are ‘major incidents’) and reporting timelines for voluntary or mandatory notification still need to be worked out in delegated acts and to be aligned with the NIS-2 Directive.

Digital operational resilience testing: DORA includes an obligation for financial entities to execute a proportionate and risk based digital operational resilience testing program. Such a program must provide for the execution of a full range of tests, such as vulnerability assessments and scans, open source analyses and network security assessments. In addition, critical ICT systems and applications must be tested annually, and some financial entities are required to carry out advanced threat led penetration testing once every three years.

Third Party risk management: As an important part of the ICT risk management framework, financial entities are required to adopt and regularly review a strategy on ICT third party risk and to maintain a Register of Information summarizing all contractual arrangements with ICT third party service providers. DORA also outlines key steps for procuring new ICT services, requirements for ending these services and specific contractual provisions to be included in contracts with ICT third party service providers. It also requires financial entities to perform ICT risk assessments before entering into new contractual arrangements. 

Information sharing: sharing of information about cyber threats between financial entities is allowed, provided such exchange of information aims at enhancing the digital operational resilience of financial entities, takes place within trusted communities and is carried out in accordance with applicable legislation (such as trade secrets, competition law and privacy).

DORA does not apply in full to all financial entities but makes a distinction based on size and overall risk profile. DORA contains exemptions or a lighter requirements regime for certain financial entities qualifying as micro enterprises or as small or medium sized enterprises.

ICT third party service providers

In this blog series we want to take a closer look at DORA from the perspective of the 3rd party ICT service provider.

DORA covers a wide range of ICT services and therefore will apply to many ICT and cloud suppliers (‘ICT supplier’) including providers of cloud computing services, software, data analytics services and providers of data center services. In addition, undertakings which are part of a financial group and provide ICT services predominantly to their parent undertaking, or to subsidiaries or branches of their parent undertaking, as well as financial entities providing ICT services to other financial entities, should also be considered as ICT third party service providers under DORA.

Since Dora makes a distinction between regular and critical or systemic ICT suppliers and has various sets of rules attached thereto, we will look at DORA from the perspective of the regular ICT supplier (PART II) and the critical or systemic ICT supplier (PART III).

What will the implications of DORA be for the provision of services by ICT suppliers to financial entities and what does this mean for current and future ICT agreements between the financial entity and the ICT supplier? What implications DORA will have for the current framework (as outlined in EIOPA and the ‘DNB Good Practice’) governing ICT agreements between financial entities and ICT suppliers?

All these questions and more will be addressed in our next series of blogs.