QA Financial Forum New York | 15 May 2024 | BOOK TICKETS

Legal minds: DORA may be opportunity for UK firms

DORA Spotlight UK

DORA is increasingly becoming a priority for financial services firms, lawyers, ICT companies and regulators across the EU.

With less than nine months before the EU’s Digital Operational Resilience Act (DORA) will come into force, lawyers, QA teams and compliance officers are trying to make sense of the maze of rules.

While many affected companies see the new rules as an additional burden, some lawyers argue that DORA may create interesting opportunities for UK businesses, giving them “a competitive advantage,” as one legal mind puts it.

EU framework

Intended to address the rising threat of cyber attacks and the financial sector’s increasing reliance on digital technology, DORA sets out a comprehensive regulatory framework aimed at enhancing the digital operational resilience of financial entities in the EU.

Evidently, the legislation represents a major shift in the EU’s approach to ensuring the robustness and reliability of digital operations within the financial sector.

With the deadline for complying with DORA set for 17 January of next year, pressure is mounting on financial institutions and service providers across the industry to start preparing for the new regulatory framework.

The enforcement of DORA will be overseen by national regulators within each EU member state with the power to impose penalties for non-compliance. They will be directly supervised by lead overseers from the European Supervisory Authorities.

Charlotte Witherington (photo caption)

Moreover, DORA also encourages voluntary information sharing among financial entities regarding the emerging landscape of cyber threats.

However, DORA’s impact will not merely be limited to EU-based businesses, warned Charlotte Witherington, a partner at international law firm Taylor Wessing.

London-based Witherington pointed out that “as the UK navigates its post-Brexit relationship with the EU, it is important to understand how the UK’s equivalent plans to ensure operational resilience impact UK businesses but also how the more progressed EU legislation can impact a technology business in the UK, regardless of whether it directly serves FEs in the EU.”

Mass-test

In preparation for DORA, large banks, financial institutions and other financial services (FS) players across the European Union have been urged to take part in a voluntary mass-training exercise ahead of DORA coming into force, as QA Financial reported earlier this month.

Banks across all EU member states, as well as insurers, asset managers and other financial firms have been invited by the European Supervisory Authorities (ESA) to join the mass-testing exercise, which is scheduled to take place next month. An exact date has not been set yet.

The test is coordinated jointly by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).

Firms that agree to take part will be asked to hand over the agreements they have in place with any ICT third-party providers they work with.

Starting in May, participating firms will be expected to forward their registers to the ESA through their relevant national watchdogs before the end of August.

Providing this information is an important part of DORA because, once the regulation is in effect, financial firms will be required to register any contractual arrangements they have with third-party ICT firms.

In the invitation letter to firms, which was sent last week, the ESA explained they plan to offer extensive help, support and guidance to firms to help them create and maintain a register.

The regulator indicated it will soon propose a standard format and data quality testing will become an important part of the process.

Firms will then be asked to hand over their registers to the ESA through their relevant national watchdogs, most likely between early July and late August.

UK equivalent

It is important for UK businesses, whether they are themselves FEs or they provide ICT services to FEs, to understand the implications of DORA in the context of the UK’s post-Brexit regulatory environment, Witherington continued.

She explained in a recent blog post that, before Brexit, the UK’s financial regulations were closely aligned with EU standards, including those related to digital operational resilience. This alignment allowed for cross-border operations for UK-based financial entities.

However, after leaving the EU, the UK retained a substantial part of the EU’s financial legislation but has since begun to review and, in some cases, diverge from EU regulations.

“To that end, the UK is in the process of introducing its own DORA equivalent (UK DORA), meaning that UK technology businesses with FE customers in the EU will need to navigate two regulatory regimes in parallel,” Witherington wrote in a recent DORA analysis.

“The EU’s DORA is significantly more progressed than UK DORA,” she added, although she did stress that “insights from the UK’s existing approach to operational resilience may be informative for making comparisons.”


Both the UK and EU frameworks mandate the identification of critical business services or functions and require some form of operational resilience testing.

“The UK’s existing approach involves firms identifying ‘important business services’ and determining their ‘impact tolerance,’ with detailed considerations of various factors affecting service disruption,” Witherington pointed out.

“EU DORA mandates the creation of an ICT risk management framework, including digital resilience strategy and governance, but is less granular in requiring businesses to set impact tolerances for each critical function or service.”

Opportunities

Despite the uncertainty among many financial services firms, and the impression within the industry that DORA will become a major challenge for many companies, the legislation should not be seen as an obstacle.

In fact, Witherington does see some opportunities for UK businesses with regard to DORA.

“As the UK seeks to build its status as a global technology hub, it’s worth mentioning the opportunities created by DORA for UK technology businesses,” she explained.

“FEs, and ICT providers, will need to strategically plan for DORA compliance, considering the implications for ICT risk management, third-party provider relationships, and incident response mechanisms.”

Photo caption: Some believe DORA may create opportunities for UK businesses, Charlotte Witherington said

Witherington stressed this may involve investments in technology, processes, and skills development, creating an opportunity for those at the forefront of technological innovation as well as industry heavyweights, “whose trust and reliability in the eyes of customers, and regulators, could become an increasingly competitive advantage,” as she put it.

Nevertheless, “with details of UK DORA still to be finalised, we have yet to see how the landscape will evolve locally for UK businesses, noting that this will be a parallel regime to the one taking shape in the EU,” she added.

Tighter regulation

DORA is among several recent and emerging regulations in the EU, created to enhance and standardise requirements for enterprise cyber resiliency.

The rules are specifically for financial entities operating across the EU-27 — including banks, insurance companies, credit agencies and more — and the third-party service providers that serve them.

Ahead of the January 2025 deadline, the European Commission formally adopted a number of DORA stipulations in February.

The EU’s executive body issued a whole set of secondary legislation that set out detailed, technical rules specifying some of the key provisions of DORA.

Firstly, it has now been confirmed that DORA will introduce an ‘oversight framework’, which did not exist under pre-existing outsourcing regulations.


ICT third-party service providers that are designated as ‘critical’ will be made subject to regulatory scrutiny, largely overseen by the ESAs, namely the above-mentioned ESMA, EBA and EIOPA.

This approach allows the ESA to investigate and inspect providers in relation to IT security, risk management and governance issues.

The framework also gives ESA the power to make recommendations and issue fines of up to 1% of the ICT third-party provider’s annual worldwide turnover.

Moreover, the EC also detailed the criteria “for the designation of ICT third-party service providers as critical for financial entities.”

In other words, it set out what ‘critical ICT providers’ are. In addition, the EU body also introduced a vast and fairly complex structure for oversight fees.

‘Critical’ providers

To determine whether an ICT third-party service provider is ‘critical’ for banks, insurance firms and other financial entities, the ESAs will apply a set of sub-criteria in a two-step assessment.

Firstly, the ESAs will take into account important ICT services and the diversity and number of financial institutions that use those services.

This is primarily done to “filter the population of ICT third-party service providers and identify the most critical ICT third-party service providers.”

After this ‘first selection’ of ICT third-party service providers, a further in-depth analysis will be carried out that focuses on a range of sub-criteria.

So far, the EC has not set out these standards but has hinted that, in some cases, it will be left to individual member states to fill these gaps.
