act legal Germany (AC Tischendorf Rechtsanwälte), 19 January 2024

DORA is coming – early implementation is advisable

With the Digital Operational Resilience Act (“DORA” for short), the European Union has created a regulation on cyber security, ICT risk and digital operational resilience that applies to almost all supervised financial institutions. As the regulation is intended to address the digital transformation and the growing danger posed by cyber threats, we strongly advise companies to start implementing it at an early stage. But what exactly is it about?

I. Introduction and subject matter

1. Introduction and implementation effort

Given the very contract- and IT-heavy regulatory content, a considerable implementation period is to be expected. IT projects must currently be implemented in accordance with the Banking Supervisory Requirements for IT (“BAIT”). It remains to be seen whether DORA will replace or completely overhaul BAIT, but this does not remove the need to implement in line with its current requirements in the meantime. Furthermore, financial institutions are likely to have numerous internal guidelines that must be observed during implementation. Negotiations with information and communication technology (“ICT”) service providers are also likely to take a considerable amount of time, as not only the financial institutions but also their ICT service providers will have to adapt to the changes brought by DORA.

We therefore strongly recommend starting the implementation process at an early stage and not only involving the IT and compliance departments, but also seeking internal and external regulatory advice.

2. Further legal acts

DORA is flanked by numerous other legal acts:

  1. EU Directive 2022/2556 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience in the financial sector of 14 December 2022 
  2. EU Directive 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive) of 14 December 2022 
  3. EU Directive 2022/2557 on the resilience of critical entities and repealing Council Directive 2008/114/EC of 14 December 2022
  4. Drafts of regulatory technical standards (RTS), implementing technical standards (ITS), guidelines, etc., which (in some cases) still need to be finalised and implemented.

3. Regulatory content, focal points

All of these legal acts deal with the digital operational resilience of financial organisations, i.e. the ability to keep all information and communication technology (“ICT”) used by a financial organisation operational and to protect it from attacks. DORA aims to strengthen the digital operational resilience of the entire European financial sector in six key areas:

  1. ICT risk management;
  2. Reporting of serious ICT-related incidents and, on a voluntary basis, significant cyber threats to the competent authorities, as well as reporting of serious payment-related operational or security incidents by certain listed financial organisations to the competent authorities;
  3. Testing of digital operational resilience, including threat-led penetration testing (TLPT);
  4. Measures for the sound management of ICT third-party risk, including requirements for contractual agreements between ICT third-party service providers and financial organisations;
  5. Rules on the establishment and implementation of the monitoring framework for critical ICT third-party service providers in the provision of services to financial organisations;
  6. Sharing of information and intelligence on cyber threats and vulnerabilities, cyber crisis and emergency exercises, and in particular rules on cooperation between competent authorities and on the supervision and enforcement by competent authorities of all matters covered by the Regulation.

II. Timetable and consultations

The implementation of DORA is subject to an ambitious timetable: EU Directives 2022/2555 and 2022/2557 must be transposed by 18 October 2024 and Directive 2022/2556 by 17 January 2025. In Germany, implementation is essentially carried out by the Financial Market Digitisation Act (Finanzmarktdigitalisierungsgesetz, “FinmadiG”). The FinmadiG aims to transpose the European Markets in Crypto-Assets (“MiCA”) Regulation, the revised EU Funds Transfer Regulation and the DORA package into national law. The German Federal Ministry of Finance (BMF) published the draft bill for the FinmadiG on 23 October 2023.

1. Timetable

2. Completed consultations

The joint consultation of the ESAs on the first batch of regulatory technical standards (RTS) and implementing technical standards (ITS) under DORA, which ran from 19 June 2023 to 11 September 2023, contained the following drafts:

  1. Consultation on RTS on ICT risk management framework (Art. 15) and RTS on simplified ICT risk management (Art. 16)
  2. Consultation on RTS on criteria for the classification of ICT related incidents (Art. 18.3)
  3. Consultation on ITS to establish the templates for the register of information (Art. 28.9)
  4. Consultation on RTS to specify the policy on ICT services performed by ICT third-party service providers (Art. 28.10)
  5. The public consultation on the opinion of the ESAs (EBA, ESMA and EIOPA) for the European Commission on the delegated acts under the European supervisory framework in accordance with Articles 31 and 43 of Regulation (EU) 2022/2554 took place from 26 May 2023 to 23 June 2023.

3. Ongoing consultations

The public consultation of the European Supervisory Authorities EBA, ESMA and EIOPA on the following drafts will take place from 8 December 2023 to 4 March 2024:

  1. Consultation of the RTS on Threat Led Penetration Testing (Art. 26.11)
  2. Consultation of the RTS on the specification of elements in the subcontracting of critical or important functions (Art. 30.5)
  3. Consultation of the RTS on the reporting of serious ICT-related incidents (Art. 20(a))
  4. Consultation of the ITS to determine the details of reporting on major ICT-related incidents (Art. 20(b))
  5. Consultation of the Guidelines (GL) on cooperation between the ESAs and the competent authorities (CAs) regarding the structure of supervision (Art. 32.7)
  6. Consultation of the RTS on harmonisation of the conditions for carrying out monitoring activities (Art. 41)

III. Focus of DORA

DORA essentially focusses on (1) ICT risk management and (2) the monitoring of critical ICT third-party service providers. These are implemented in Germany by the FinmadiG. Implementation takes place through amendments to numerous laws and ordinances, which is why we have referred to the provisions and structure of DORA in the following brief summary for the sake of clarity:

1. Focus: ICT risk management

  1. Art. 5 DORA – Responsibility of the management:
    Management is responsible for ICT risk management. Management must actively keep abreast of ICT risks and attend regular ICT-specific training sessions.
  2. Art. 6 DORA – ICT risk management control function:
    Management must set up an ICT risk management control function. Its tasks are similar to those of the Information Security Officer (ISO). The control function must be strictly separated from the first line (IT operations). There is a strong regulatory expectation that the ISO role is kept in-house.
  3. Art. 8 DORA – Knowledge of own information and systems:
    ICT systems and information used in business functions must be identified and classified. This also applies to information that is not held in centralised systems (such as Office documents or individually developed end-user applications, “IDVs”).
  4. Art. 6 DORA – Stricter requirements for encryption:
    Data must be encrypted in all states (at rest, in transit and in use). Internal as well as external network traffic must be encrypted. Lifecycle management must be set up for cryptographic keys.
  5. Art. 10 DORA – Prioritising the elimination of vulnerabilities:
    Requirements for automated vulnerability scanning and for remediating vulnerabilities have increased: automated vulnerability scans must run at least weekly. Supply chain risk is moving into focus. Remediating vulnerabilities through patches has top priority.
  6. Art. 11 DORA – Detailed security requirements:
    Only authorised software and storage media may be used. Security must also be ensured in the home office and when working remotely. Employees who administer cloud access require special training, and cloud access requires special protection.
  7. Art. 16 DORA – Testing the source code:
    Authorisation must be obtained from the specialist departments and asset owners for security measures, among other things. Test environments should adequately reflect the production environment. The integrity of the source code must be protected. Source code and software from third parties must be analysed and tested.
  8. Art. 13 DORA – Strengthening network security:
    A visual network plan must be created. Network traffic must be protected internally and externally. Firewall rules must be tested and certified regularly, and the network architecture must be reviewed annually. It must be possible to temporarily isolate subnets, network components and devices.
  9. Art. 21 DORA – User identification:
    Each natural person should be given a unique identity, which should be retained in the event of reorganisation and after the end of the collaboration. Requirements for access and access-rights management remain largely the same.
  10. Art. 27 DORA – Test scenarios for cyber attacks:
    Comprehensive specifications for emergency management. The RTS focuses on the minimum content of recovery plans and on testing them. The number of minimum test scenarios increases from four (MaRisk) to nine.
  11. Art. 6 para. 5 DORA – Regular review of the ICT framework:
    Formal documentation of the current status of the ICT risk management framework must be prepared and made available to the supervisory authority upon request.

2. Focus: Monitoring of critical ICT third-party service providers

Financial companies may only use critical ICT third-party service providers from third countries if those providers establish a registered office in the EU within twelve months of being designated as critical. However, there is no obligation to store data only within the EU (although data protection issues may arise if data is stored elsewhere).

In particular, the supervisory authorities have the following powers vis-à-vis ICT service providers:

  1. Requests for information and documentation: relevant business or operational records, contracts, policies and guidelines, documentation, ICT security audit reports, ICT-related incident reports, and any information about parties to whom the critical ICT third-party service provider has outsourced operational functions or activities;
  2. Investigations and inspections at the premises of the ICT third-party service provider in relation to records, data, procedures, etc.; summoning representatives of the critical ICT third-party service provider to make oral or written statements; interviewing any other natural or legal person who consents to such an interview for the purpose of obtaining information about the subject matter of an investigation; obtaining records of telephone conversations and data transmissions;
  3. Recommendations that the supervisor considers relevant in relation to the following:
  • the application of specific ICT security and quality requirements or procedures, in particular in relation to the issuance of patches, updates, encryption and other security measures necessary to ensure the ICT security of services provided to financial organisations;
  • the conditions, including their technical implementation, under which the critical ICT third-party service providers provide ICT services to financial entities, in order to prevent the occurrence or amplification of sporadic failures or to minimise potential systemic impact in the Union financial sector in the event of ICT concentration risk;
  • under certain conditions: any planned subcontracting that the critical ICT third-party service providers intend to enter into with other ICT third-party service providers or with ICT subcontractors established in a third country and which may entail risks for the provision of services by the financial undertaking or risks for financial stability;
  4. Requests for reports detailing the actions taken or remedial measures implemented by the critical ICT third-party service providers in relation to the recommendations referred to in point 3.

The monitoring of critical ICT third-party service providers by the supervisory authority does not release financial companies from their own obligation to monitor the service provider. The supervisory authorities examine how financial companies take into account, as part of their third-party risk management, the risks identified in the recommendations issued to the critical ICT third-party service provider. If financial undertakings do not take these risks into account, or do so insufficiently, the supervisory authority notifies the financial undertaking of its assessment and may, within 60 days of this notification and as a last resort, require it to suspend the use of the critical ICT third-party service provider in whole or in part until the risks have been eliminated, or to terminate the contracts with that provider in whole or in part.

Feel free to contact us at any time if you have any questions. We specialise in the realisation and implementation of compliance-related IT projects in the financial regulatory environment.

We can help you prepare for the new requirements of DORA.

We advise our clients to familiarise themselves with the Regulation and the consultation versions of the RTS/ITS/Guidelines, including the recitals, and to compare the requirements of DORA with the regulatory requirements that already exist (e.g. MaRisk, BAIT, EBA Guidelines on outsourcing arrangements, BaFin Cloud guidance).

For more information please contact

Marcus Columbu

Attorney at law
act legal Germany AC Tischendorf Rechtsanwälte Frankfurt, Germany
Phone: +49 69 24 70 97 32