European regulation no. 2022/2554 on Digital Operational Resilience for the financial sector (“DORA”) was adopted on December 14, 2022 and will apply from January 17, 2025.
The aim of this regulation is to reinforce the technological security and smooth operation of the financial sector. It lays down security requirements so that financial services can withstand and recover from disruptions and threats linked to information and communication technologies (“ICT”) throughout the European Union.
It applies to a wide range of players in the financial sector and their technology partners, including credit institutions, investment firms, payment institutions, asset management companies, insurance companies and third-party ICT service providers operating in the financial services sector.
The DORA regulation is structured around five chapters, which lay down a set of rules with a major impact on internal security procedures and the contractual relations of players in the financial sector.
The main measures are as follows:
1° ICT risk management
The DORA regulation requires the adoption of internal governance and control frameworks to ensure effective and prudent management of all ICT risks.
Financial entities will also need to put in place an ICT risk management framework tailored to their activities, enabling them to deal with ICT risks quickly and efficiently.
As a preventive measure, they must:
- Use and maintain appropriate, reliable and technologically resilient ICT systems, protocols and tools;
- Identify all forms of ICT risk;
- Ensure permanent monitoring and control of the operation of ICT systems and tools;
- Implement mechanisms to detect abnormal activity;
- Define continuous improvement processes and measures, a business continuity policy, a backup policy, and restoration and recovery procedures and methods.
The companies concerned will need to have the capacity and manpower to gather information on vulnerabilities, cyber threats and ICT-related incidents. As part of this, they will have to carry out post-incident reviews following major incidents that have disrupted their core activities.
The new regulations also require the formalization of crisis communication plans to promote responsible disclosure of major ICT-related incidents.
It should be noted that the regulation provides a simplified ICT risk management framework for certain small players, such as small non-interconnected investment companies.
2° ICT-related incident reporting
Financial entities are required to formalize and implement an ICT-related incident management process for the management, classification and reporting of incidents. The DORA regulation introduces a standard methodology for classifying security incidents according to specific criteria (duration of the incident, criticality of services affected, number of clients or financial counterparts affected, etc.).
Financial entities will be obliged to report ICT-related incidents classified as major to competent national authorities designated according to the type of financial entity (notably the ACPR and AMF in France). These notifications will have to be made within deadlines subsequently set by the European supervisory authorities.
In the event of a “major” incident affecting the financial interests of clients, financial entities will also have to inform the latter, as soon as they become aware of the incident, of the measures taken to mitigate its effects.
3° Digital operational resilience testing
In order to assess their preparedness in the event of ICT-related incidents, and to implement corrective measures where necessary, financial sector players will need to formalize a robust digital operational resilience testing program, comprising a series of assessments, tests, methodologies, practices and tools to be applied.
Every three years, they will also have to carry out threat-based penetration tests, performed by independent, certified testers.
4° Management of ICT third-party risks
The DORA regulation introduces general principles to be respected by financial entities in their relations with ICT third-party service providers.
They will need to adopt a third-party risk strategy, and keep a record of information relating to all contractual agreements concerning the use of ICT services provided by ICT third-party service providers.
At least once a year, financial entities must provide the competent authorities with information on new agreements relating to the use of ICT services, and must inform them of any draft contractual agreements concerning the use of such services supporting critical functions.
It also requires companies to enter into contracts with such ICT third-party service providers only if they meet appropriate information security standards.
The rights and obligations between financial entities and ICT third-party service providers must be defined in a written contract, which must include the following conditions:
- A clear and exhaustive description of the services provided;
- Where the ICT services will be provided and what data will be processed;
- Provisions on the accessibility, availability, integrity, security and protection of personal data;
- Service level descriptions;
- The obligation for the ICT third-party service providers to provide the financial entity with assistance in the event of an ICT incident, at no extra cost or at a cost determined ex ante;
- The ICT third-party service providers’ obligation to cooperate fully with the competent authorities;
- Right of termination and minimum notice period.
Where ICT third-party service providers supply ICT services supporting critical or important functions, contracts will need to define additional conditions including:
- The provider’s obligation to cooperate in threat-based penetration testing;
- The obligation for the service provider to implement contingency plans and put in place security measures providing an appropriate level of security;
- Unlimited rights of access, inspection and audit by the financial entity;
- Exit strategies, such as setting an appropriate mandatory transition period.
In addition, the regulation introduces a supervisory framework for critical ICT third-party service providers, based on a series of criteria (systemic effect on service provision in the event of failure, systemic importance of financial entities dependent on the provider, degree of substitutability of the provider, etc.). Critical ICT third-party service providers will be subject to a monitoring framework based on a set of criteria: security requirements, risk management processes, availability, continuity, governance arrangements, etc.
These service providers will be assessed by the supervisory bodies, which will have the power to request information, carry out general inspections and on-site checks, and make recommendations.
The DORA regulation introduces guidelines for the exchange of information between financial entities on cyber threats. These exchanges should aim to improve the digital operational resilience of financial entities in particular, and should be carried out in full respect of business confidentiality. In addition, financial entities will be required to notify the competent authorities when participating in information exchange schemes.
Lastly, the regulation provides for the various competent authorities to have powers of supervision, investigation and sanction in the event of non-compliance with its provisions.
The Member States will be responsible for laying down the rules providing for administrative sanctions and appropriate remedies in the event of a breach of the DORA regulation, and for ensuring their effective implementation. It should be noted that, unlike the GDPR, the DORA regulation does not provide for a ceiling in the event of a pecuniary penalty but requires that penalties be “effective, proportionate and dissuasive”.
Our IT-Digital and Data team at Joffe & Associés is at your disposal to support you in your compliance process in order to best anticipate the implementation of this regulation, particularly when negotiating contracts with ICT service providers but also to audit current contracts. Note that the DORA regulation has a broader scope than the French decree of November 3, 2014.