EU financial institutions will need robust governance arrangements for the implementation of and ongoing compliance with DORA. The managing body of an EU financial institution is personally responsible for defining, approving, overseeing and implementing the ICT risk management framework under DORA. The managing body's ultimate responsibility is also important in light of the risk of regulatory sanctions and significant fines for DORA breaches (e.g. missed incident reports).
Against the background of the new requirements in DORA and increased enforcement measures by European regulators, operational risk management should be a priority topic for EU financial institutions in 2024 and beyond.
Why is the EU introducing DORA now?
The EU considers ICT to “have gained a pivotal role in the provision of financial services” with critical importance (see Recital 2 of DORA) but digital operational risks have only been partially addressed on an EU level. DORA intends to address the perceived gaps in the framework and strengthen overall digital resilience of the financial sector. In the view of the EU, DORA will therefore be the backbone of the digital transformation of the financial sector.
At the same time, regulators have become more proactive in enforcing the existing ICT risk management rules and have closely followed up on ICT incidents such as outages of online banking systems or payment infrastructure.
The European Central Bank (ECB) announced on 3 January 2024 that 109 ECB-supervised banks will be stress tested on their cyber-attack response and recovery. 28 credit institutions will undergo an enhanced assessment of their response. The stress test scenario assumes that a successful cyber-attack has disrupted daily operations. Findings will be communicated in the summer of 2024.
Who is in scope of DORA?
Unlike existing operational risk rules on an EU level, e.g. in the current Payment Services Directive ((EU) 2015/2366) (PSD2), DORA is not limited to specific financial services but covers the financial sector as a whole. DORA therefore applies to all financial entities in the EU (and the European Economic Area), including not only credit and payment institutions but also investment firms, crypto service providers, central securities depositories, trading venues, AIF managers, insurers, and other financial institutions. All financial entities regulated under DORA are set out in full in our Engage article here.
DORA applies both at group and at an entity level. For EU groups, this means that they also have to consider the implications for each financial entity within the group, including any intra-group ICT services. Third-country groups (e.g. with a U.S. or UK parent) are out of scope but their EU subsidiaries will have to ensure compliance. This includes assessing the applicability of DORA to the EU subsidiaries on a consolidated or sub-consolidated level.
An important new area of regulation will be the direct oversight of so-called critical ICT third-party service providers which do not require an authorisation under DORA. Critical ICT third-party service providers that are not already established in the EU must set up an EU subsidiary. The ICT risk management of critical ICT third-party service providers is directly assessed by EU regulators and EU regulators will be able to directly enforce requirements for robust information security processes of critical ICT third-party service providers.
We assess the direct oversight of critical ICT third-party service providers below and in our Engage article here.
What is in scope of DORA?
It is the stated purpose of DORA to introduce a comprehensive ICT risk management framework. DORA therefore applies to ICT in the broadest sense. As a general rule, financial institutions will have to treat all of their IT and communication systems as being in-scope, including even minor in-house IT tools.
DORA itself gives the example of telephone services: only traditional analogue telephone services are considered to be out of scope. Any means of electronic communications services (including over-the-top services, e.g. voice over IP) will, however, be considered to be in-scope of DORA.
One of the key requirements under DORA will be for financial institutions to identify all ICT supported business functions, roles and responsibilities as well as the relevant information and ICT assets (Article 8 DORA).
What needs to be implemented under DORA?
DORA consists of Level 1 and Level 2 regulation. The Level 1 regulation covers ICT risk management (including governance), incident management, classification and reporting, testing (including threat-led penetration testing (TLPT)), management of third-party ICT risk, and cyber threat information sharing for financial institutions. These Level 1 requirements are analysed in more detail in our Engage article here. The Level 1 regulation is supplemented by numerous Level 2 Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) as well as certain guidelines and delegated regulations, which further specify the requirements under DORA:
- The first batch of draft technical standards was published in June 2023. The final drafts were published on 17 January 2024. The first batch includes various technical standards on the ICT risk management framework, the classification of ICT-related incidents as well as for the relevant information register for contracts for ICT third-party services and on the policy for the use of ICT third-party services.
- The second batch of draft technical standards was published on 8 December 2023. These drafts are expected to be finalised by 17 July 2024 and, in particular, include the technical standards for major incident reporting and on sub-contracting of ICT third-party services for critical and important functions. The package also includes a number of draft guidelines that provide additional guidance on the rules.
Many of the DORA requirements will sound familiar to financial institutions that comply with the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04) and to payment service providers that already have to report major incidents under PSD2. However, DORA will go beyond many of these requirements, in particular in relation to ICT third-party risk. Therefore, it will be necessary for all financial institutions to run DORA implementation projects to identify and close any gaps.
The number of RTS and the short period of time between the finalisation of critical regulatory standards and the effective date of DORA on 17 January 2025 means that it may be necessary to treat some of the requirements as a moving target and start with the implementation projects before all requirements have been finalised.
DORA is, however, also an opportunity for groups to streamline their use of ICT. The harmonised DORA framework will facilitate cross-border ICT services and make the use of group-wide policies more efficient. The entity-view of DORA will nevertheless require that the specific risks and requirements for each financial entity within the group are taken into account. This is particularly important as the entity's senior management will remain ultimately responsible for the implementation of DORA at an entity level.
What are the particular requirements for ICT third-party risk?
As a general requirement, financial institutions have to ensure that they have full control over their ICT risk, even where they rely on third-party suppliers. This also includes ICT incident reporting and testing. DORA requires that financial institutions define an ICT strategy (potentially including multi-vendor strategies) at an entity and group level. They also have to maintain a register of their existing ICT third-party service provider contracts on an entity, sub-consolidated and consolidated basis. A risk assessment is required for all ICT third-party services and it must take into account concentration risks.
Contracts must include the key contractual provisions specified in DORA and the RTS. These include access, control and audit rights. The contractual requirements required under DORA are broadly aligned with the requirements set out in the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) (EBA Outsourcing Guidelines), except that they are, in some respects, more granular in their requirements, and the requirements under the EBA Outsourcing Guidelines are only applicable to certain types of financial institutions (banks, investment firms, and payment and e-money institutions) whilst DORA applies its contractual requirements to a broader scope of financial institutions, and to a broader scope of services beyond outsourcing arrangements. Read our Engage Article covering DORA in the context of certain EBA guidelines here.
In line with the requirement to remain in control of the ICT risk, financial institutions also have to comply with specific rules for the sub-contracting of ICT third-party services for critical and important functions as specified in the RTS. Most importantly, the RTS will define minimum requirements for ICT third-party services that will be sub-contracted. If these minimum requirements are not met, sub-contracting for critical and important functions will not be possible under DORA.
In practice, a financial institution’s existing approach to complying with governance and contractual requirements in relation to outsourcing under the EBA Outsourcing Guidelines may already go a long way to satisfying the equivalent requirements under DORA in relation to ICT services. DORA, however, brings a wider scope of financial institutions and services under the application of these requirements.
Financial institutions will have to review and revise their existing policies and procedures for their supplier management and, as a minimum, must prepare the register of ICT third-party services and ensure that the required key provisions are included in the ICT third-party service agreements. This requires more than a “re-papering” exercise because regulators will expect that the contract terms and the risk assessment have been aligned. For instance, regulators will require that a contract for a critical ICT third-party service includes longer notice periods if the service cannot be easily replaced. Regarding the risk assessment, this will in many cases have to take into account the specific information security arrangements of the service provider.
From the perspective of ICT third-party service providers, it may make sense for them to define common standard terms for their ICT services in line with DORA and to make efficient use of the flexibility provided under the DORA framework (e.g. use of certificates and pooled audits). This will be particularly relevant in relation to sub-contracting as sub-contracting for critical and important functions will only be possible if the DORA requirements are met. Depending on the scope of services, ICT third-party service providers may therefore want to prepare their own risk assessments of their services, including those of their sub-contractors, to support the use of their services by financial institutions.
What is the oversight framework for critical ICT third-party service providers?
In addition to the above general requirements for ICT third-party services, DORA introduces a European oversight framework for critical ICT third-party service providers. EU financial institutions can only use the services of a critical ICT third-party service provider if the service provider has established an EU subsidiary.
The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) (together the ESAs) have published joint technical advice on the criticality assessment. The proposal includes assessing criticality based on six quantitative criticality indicators (e.g. the percentage of financial institutions relying on a service provider) and five additional indicators (e.g. inherent criticality of the service). Cloud service providers will be a priority for the regulators (see Recital 20 of DORA) but cloud service providers are not automatically also critical ICT third-party service providers within the meaning of DORA. Service providers will be notified if authorities have reached the conclusion that they should be treated as critical ICT third-party service providers.
The lead overseer for critical ICT third-party service providers will be the ESA that is responsible for the largest share of users of the services (e.g. the EBA if credit institutions and payment institutions mainly use the service). The lead overseer has far-reaching powers, including the power to carry out general investigations and inspections. There is also a power to issue recommendations. Lead overseers may also issue administrative penalties (up to 1% of the daily average worldwide turnover of the critical ICT third-party service provider) in case of non-compliance with certain requirements under DORA.
What is the personal responsibility of senior management?
Many aspects of the DORA implementation will be very technical, e.g. tools used for detecting anomalous activities or the requirements for threat-led penetration testing. Nevertheless, DORA remains the ultimate responsibility of the managing body of a financial institution.
In particular, senior management will be ultimately responsible for appropriate governance, internal ICT audit plans, definition and approval of a digital operational resilience strategy, and for including digital operational resilience in the financial institution's risk appetite, business strategy and risk culture. This also requires that appropriate budgets are allocated and employees are trained in relation to ICT risk.
In addition to the general requirements for the suitability of senior management (e.g. composition of the management board), DORA specifically calls on senior management to ensure that they actively acquire the knowledge and skills that are necessary to fulfil the ICT-related duties of the management body.
It is therefore recommended that the senior management of financial institutions – including at an entity level – allocate a specific budget to operational resilience and carefully document decisions relating to DORA implementation (e.g. management approval of implementation plans). Periodic and ad hoc reports on progress of the project will ensure that senior management can fulfil its duties under DORA.
What are the consequences of non-compliance?
DORA does not prescribe specific sanctions for breaches by financial institutions but requires that Member States introduce appropriate administrative penalties and other sanctions. This does not only include the power to issue binding remediation orders but may also include the power to appoint a special monitor to oversee the remediation, depending on the powers of regulators under national law.
In addition, DORA specifically requires that regulators should also be able to order payment of administrative fines. The amount depends on the implementation in the individual Member States but fines must generally be “dissuasive”. Depending on the respective Member State implementation, this may also include personal fines and sanctions against senior management of financial institutions.
The ECB's action to date in relation to fines for directly supervised significant credit institutions in ICT matters has already shown that regulators will consider non-compliance with ICT risk management rules to be a severe breach, including failure to submit timely incident reports to regulators even if the incident response in itself was adequate.
Significant fines are particularly likely where breaches are severe, repeated or systemic. This may be particularly the case where deficiencies in the ICT risk management were known to the financial institution but were not duly remediated. Also, breaches of reporting obligations for ICT-related incidents and for use of ICT third-party services (including sub-contracting) are potentially high on the agenda of regulators as their own work will depend on the information provided by the financial institutions.
Moreover, the appropriate management of ICT risk is part of operational risk which is subject to the Supervisory Review and Evaluation Process (SREP) and similar mechanisms. This means that non-compliance with DORA may result in higher capital requirements for credit institutions and increased focus by regulators. Regulators may also expect that financial institutions factor their ICT risk, in particular DORA gaps, into their risk-bearing capacity for capital requirements purposes. For instance, if there are known deficiencies in the detection of incidents, regulators may require that the financial institution includes additional amounts in its calculation of the risk-bearing capacity to account for potentially undetected - and therefore inadequately managed - threats to the financial institution and its customers.
What are the next steps for financial institutions?
The DORA RTS and other guidelines will be finalised throughout 2024. Financial institutions should closely follow the publication of the final technical standards and guidelines. During the course of the year, Hogan Lovells will be offering deeper dives into various aspects of DORA via webinars and articles published on our Engage thought leadership platform.
The limited period of time between the finalisation of the technical standards and the effective date of DORA on 17 January 2025 means that financial institutions cannot wait to start work on implementation until all technical standards have been published.
As a first step, financial institutions may, in particular, want to focus on the general strengthening of governance, the review of existing IT policies, procedures and current remediation plans, and the identification of ICT-supported business functions and the relevant information and ICT assets.
Senior management of financial institutions, also on an entity basis, should put a particular focus on ICT strategy, on including ICT risk in business strategy, risk appetite and risk culture, and on allocating adequate budgets and resources to ICT risk management in order to fulfil their personal responsibilities under DORA.
A thorough gap analysis and detailed implementation plan will also be helpful if it looks like not all DORA requirements can be fully implemented in time. The gap analysis and implementation plan should demonstrate that (i) the financial institution is in control of the process, (ii) sufficient resources have been allocated by senior management, and (iii) ICT risk has already been mitigated despite the remaining gaps. On this basis, it may be possible to lower the capital requirements for operational risk, including the risk-bearing capacity. This could help to mitigate the risk of regulatory intervention such as remediation orders or fines.
Adequate ICT risk management will be an ongoing priority for financial institutions, even after the implementation of DORA. Compliance with DORA will require continuous efforts to identify, assess, mitigate and monitor ICT risks, and EU regulators will be more proactive in enforcing ICT risk management rules. ICT risk should therefore remain high on the agenda of senior management even after successful DORA implementation.
This article is part of our Financial Institutions Horizons 2024 publication. To read more on related topics, click here.
Authored by Dr. Richard Reimer and Andreas Doser.
Hogan Lovells (Luxembourg) LLP is registered with the Luxembourg bar.