The EU’s Digital Operational Resilience Act for Financial Services Industry Actors Entered into Force
Introduction
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change, especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.), has brought risks along with the convenience it offers customers. As an inevitable consequence of such developments, on 24 September 2020, the European Commission (“Commission”) adopted a new digital finance package, including (i) a digital finance strategy, (ii) a retail payments strategy, and (iii) legislative proposals on crypto-assets and digital operational resilience. The package aims to boost Europe's competitiveness and innovation in the financial sector, give consumers and businesses more choice in financial services and modern payment solutions, and ensure consumer protection and financial stability. As part of this digital finance package, the Commission published the first draft of the Digital Operational Resilience Act (“DORA”). After approximately two years, DORA was published in the Official Journal of the European Union on 27 December 2022.[1] The regulation entered into force on 16 January 2023 and will apply from 17 January 2025.
What is the Digital Operational Resilience Act?
As the financial sector has become heavily dependent on digital processes, systems, and software, the risks associated with disruptions of, and threats to, information and communication technology (ICT) systems have increased dramatically. The Commission’s strategy in adopting DORA is therefore to ensure that the financial sector in Europe is able to remain resilient through ICT-related incidents. To this end, DORA lays down rules and a number of obligations for financial institutions to promote, improve, and ensure operational resilience within the sector. DORA also sets out specific obligations for certain ICT service providers that provide ICT-related services to financial institutions and are considered to hold critical positions, such as cloud platforms, data analytics, and audit services.
As per Article 2 of DORA, the regulation applies to financial entities such as credit and payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers, managers of alternative investment funds, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries, credit rating agencies, and crowdfunding service providers, as well as ICT third-party service providers. Some exemptions from this scope are also defined. As can be seen, to ensure consistency in the ICT risk management requirements applicable to the financial sector, DORA applies to a wide range of financial entities.
Key Requirements of DORA
DORA mainly aims to consolidate and upgrade the ICT risk requirements that, as part of operational risk requirements, had been addressed separately in various EU legal acts. Unlike other EU legislation in the field of cybersecurity, DORA fills gaps and remedies inconsistencies in some of the prior legal acts and explicitly addresses ICT risk through a set of rules on ICT risk-management capabilities, incident reporting, operational resilience testing, and ICT third-party risk monitoring.
In order to achieve a high common level of digital operational resilience, DORA lays down (i) requirements applicable to financial entities; (ii) requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities; (iii) rules for the establishment and conduct of the oversight framework for critical ICT third-party service providers; and (iv) rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by DORA.
DORA provides that financial entities ensure digital resilience at all levels of their operations based on the following pillars: (i) ICT risk management; (ii) ICT-related incident reporting and notification; (iii) operational or security payment-related incident reporting; (iv) digital operational resilience testing; (v) information and intelligence sharing; and (vi) ICT third-party risk management.
Financial entities may implement the rules in accordance with the principle of proportionality, considering their size and overall risk profile, and the nature, scale, and complexity of their activities and operations.
Governance and ICT Risk Management
DORA expands existing requirements relating to ICT risk management with the obligation to ensure effective and prudent management of all ICT risks, based on the management body’s ultimate responsibility and accountability. As per Article 6/1 of DORA, financial entities shall have a comprehensive and well-documented ICT risk management framework as part of their overall risk management system. The management body of the relevant entity is responsible for defining, approving, overseeing, and implementing all arrangements regarding this risk management framework. To discharge that responsibility, various policies, procedures, strategies, protocols, and tools shall be put in place; roles for all ICT-related functions shall be clearly set; appropriate governance arrangements for communication and coordination shall be established; and their implementation shall be reviewed periodically to provide sufficient reliability, capacity, and resilience. This will help entities to address ICT risk quickly and efficiently, protect ICT systems and minimize the impact of ICT risk, recover from adverse events, maintain backup and other recovery procedures, and thus ensure a high level of digital operational resilience.
The said framework also imposes obligations on the financial entities, such as assessing risks regarding third-party services, identifying and documenting all processes that are dependent on ICT third-party service providers, and monitoring the arrangements with them.
Articles 5 to 15 of DORA, which relate to the risk management framework, shall not apply to small and non-interconnected investment firms, certain payment and electronic money institutions exempted under other EU laws, and small institutions for occupational retirement provision. However, Article 16 introduces a simplified ICT risk management framework for such institutions and sets out rules and obligations for them as well.
Digital Operational Resilience Testing
As an integral part of the above-mentioned risk management framework, financial entities must establish, maintain, and review a digital operational resilience testing program to assess their preparedness for handling ICT-related incidents, identify weaknesses, deficiencies, and gaps, and promptly implement corrective measures. DORA also requires financial entities to periodically test all ICT systems and applications supporting critical functions. Certain firms are subject to “advanced” testing by means of Threat-Led Penetration Testing.
ICT-Related Incident Reporting, Classification, and Management
Moreover, according to the requirements set forth under Chapter 3 of DORA, financial entities must also establish and implement an ICT-related incident management process to detect, manage, and notify incidents and cyber threats, in compliance with specific rules and criteria. This management process serves to record significant ICT-related incidents and cyber threats and to prevent their occurrence through monitoring of incidents and threats.
In addition, financial entities must notify the relevant competent authority if an incident is classified as major. Where a major ICT-related incident has an impact on the financial interests of clients, financial entities must also inform the clients about the incident and the measures taken to mitigate its adverse effects. The criteria for classifying ICT-related incidents, the materiality thresholds for reporting disruptions, and the time limits for incident reporting will be determined in the forthcoming regulatory technical standards (RTS).[2]
Management of ICT-Third Party Risk
ICT third-party risk is an integral part of the above-stated ICT risk management framework of financial institutions. Within this scope, DORA requires financial entities to maintain and update a register of information on all contractual arrangements for the use of ICT services provided by ICT third-party service providers. Moreover, DORA sets out certain elements and provisions that must be included in such contractual agreements. Full service descriptions, notice periods, reporting obligations of service providers, the right to monitor, and exit strategies are examples of these provisions.
DORA also includes additional requirements, such as ensuring that third-country TPPs (third-party providers) are governed by the law of an EU Member State.
Oversight Framework of Critical ICT Third-Party Service Providers
The European Parliament and the Council (known collectively as ‘European Supervisory Authorities’ or ‘ESAs’, such as the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority) will designate the ICT third-party service providers that are critical for financial entities following an assessment based on the criteria set out in DORA. The systemic impact on the stability, continuity, or quality of the provision of financial services, and the reliance of financial entities on the provided services in relation to critical functions, are among the criteria to be considered in such designation. Designated critical ICT third-party service providers are subject to direct regulatory oversight by a lead overseer appointed by the ESAs. The lead overseer will assess whether each critical service provider has in place comprehensive, sound, and effective rules, procedures, and mechanisms to manage the ICT-related risks it may pose to financial entities. Cloud service providers will likely fall within the scope of this oversight.
Even if an ICT provider is not designated as a critical third-party provider, ICT providers contracting with financial institutions will still need to review their existing contractual agreements and addenda against the mandatory requirements of DORA and determine whether any update is necessary.
Conclusion
DORA includes a two-year implementation window with the new rules taking effect on 17 January 2025. It should be noted that DORA is a Regulation; thus, it is binding in its entirety and directly applicable in all EU Member States. In the meantime, the ESAs are required to submit a draft RTS to the Commission on various requirements set forth under DORA by 17 July 2024.
Even though the implementation period seems quite long, financial entities and ICT service providers subject to the rules of DORA should urgently perform a gap assessment and prepare a roadmap for achieving compliance. Prioritizing digital resilience should be a key element of their upcoming roadmaps and agendas, since achieving coordination and harmony across all levels of a company will take considerable effort.
[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2022:333:FULL, access date: 30.01.2023).
[2] Regulatory technical standards will be developed in the areas of ICT risk management, major ICT-related incident reporting, and testing, as well as in relation to key requirements for sound monitoring of ICT third-party risk. The Commission and the ESAs will ensure that those standards and requirements can be applied by all financial entities in a manner proportionate to their size and overall risk profile, and to the scale and complexity of their services, activities, and operations. The RTS will be crucial to understanding the full spectrum of requirements to which financial institutions will be subject under DORA.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.