Navigating DORA: Strengthening the Financial Sector’s IT Security
30th June 2023
On 27 December 2022 Regulation (EU) 2022/2554 on digital operational resilience for the financial sector was published in the Official Journal of the European Union. This regulation is better known as the Digital Operational Resilience Act (“DORA”). DORA creates a new harmonised regulatory framework across the EU with respect to the use of information technology systems (or in DORA terminology, “information communication technology”).
DORA will require certain entities including fund managers as well as investment firms to comply with an entirely new set of rules relating to their usage of information technology. An overview of these rules and steps to be taken in order to achieve compliance with DORA are discussed below.
Purpose
The overall purpose of DORA is to strengthen the Information and Communication Technology (“ICT”) security and resilience of financial entities. In real terms, this means requiring financial entities to take measures to prevent and mitigate against disruptions and threats to their ICT systems as such threats could have a negative impact on the business and stability of the financial entity[1]. This is achieved by requiring financial entities to adhere to a common set of standards to mitigate these types of risks thereby increasing the operational resilience of financial entities. In most cases this will require financial entities to re-assess their IT security framework and processes.
These requirements are set out in DORA itself and supplemented by Regulatory Technical Standards (“RTS”) and Implementing Technical Standards (“ITS”) which aim to ensure a consistent and harmonised legal framework by providing further details and requirements with respect to the requirements contained in DORA.
Who does DORA apply to?
DORA applies to a wide range of Financial Entities (“FEs”) including but not limited to:
- Alternative Investment Fund Managers (“AIFMs”)[2]
- UCITS Management Companies
- Investment firms (MiFID authorised firms)
- Crypto-asset service providers
- Electronic money institutions and credit institutions
- ICT service providers (such as cloud computing service providers)
- Data reporting service providers
- Benchmark administrators
Obligations under DORA – 5 Pillars
The key obligations under DORA can be broken down into five pillars:
Pillar 1: ICT risk management and governance; this requires FEs to establish an ICT risk management framework including governance and control frameworks. Draft RTS providing detailed guidance as to the risk management framework have been released.
Pillar 2: ICT related incident management, classification and reporting; this entails the detection, management, classification, and reporting of ICT incidents. FEs will be required to effectively classify, manage and crucially, report any ICT related incidents. Draft RTS providing the criteria for the classification of ICT-related incidents have been released.
Pillar 3: Digital operational resilience testing; FEs will be required to have a comprehensive testing programme covering a range of assessments, and methods such as vulnerability assessments and penetration testing.
Pillar 4: ICT third party risk management; FEs will be required to manage the ICT risk presented by the use of third parties who provide ICT services to the FE[3]. This includes, among other aspects, ensuring that contracts with third party ICT service providers meet certain requirements, maintaining a register of third parties providing ICT services to the FE, and carrying out due diligence. Draft ITS detailing the form and content of the register of third party ICT service providers, and draft RTS setting out the requirements for financial entities on their use of ICT third party service providers (including ICT intra-group service providers), have been released.
Pillar 5: Information sharing arrangements; this allows FEs to exchange cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools[4]. This pillar is intended to raise awareness of ICT risks amongst financial market participants. FEs should consider whether and how they wish to engage in such exchanging of information.
The extent to which obligations under DORA will apply to FEs depends broadly on the size and scope of the operations of the FE. Additionally, a principle of proportional application of DORA applies, allowing FEs to take a risk-based approach. Accordingly, FEs should analyse the impact of DORA having regard to the nature and scope of their operations.
What do FEs need to do?
In short, DORA creates specific obligations which FEs must comply with. FEs need to assess their current state of IT preparedness and risk management against the requirements of DORA and make improvements where necessary in order to comply with DORA.
FEs should determine the extent of their obligations under DORA and the degree to which they are presently aligned with DORA’s requirements. FEs based in Luxembourg which are already compliant with the IT rules in Circular CSSF 18/698 and CSSF Circular 22/806, or FEs based in Germany which comply with BaFin’s Supervisory Requirements for IT in Financial Institutions or management companies (BAIT / KAIT), will likely have a framework which partially satisfies DORA requirements. FEs in EU Member States which are not subject to the same extensive level of regulation as, for example, Luxembourg or Germany may require additional time to prepare a compliance framework which is suitable for DORA.
The first step for an FE is to determine what obligations it has under DORA. Following on from this, an analysis should be undertaken to understand what level of DORA preparedness the FE already has while identifying deficiencies in the FE’s current framework. Once gaps in the ICT compliance framework are identified, a plan should be created to rectify these deficiencies prior to applicability of DORA.
Challenges and timeline
DORA represents an acknowledgement on the part of the EU Commission and Parliament that ICT risks represent a systemic threat to the stability of the financial services sector in the EU. Accordingly, DORA aims to reinforce the stability of the sector as a whole by requiring entities to increase their oversight of these types of risks, which cover existing threats (such as DDoS attacks and viruses) as well as new and emerging ones. Indeed, DORA specifically requires FEs to have an evolving risk management framework.
DORA represents a significant regulatory change for FEs, as this area was predominantly the subject of light regulation differing from EU Member State to EU Member State. It has now become the subject of landmark legislation, and FEs will need to ensure that sufficient time is given to implementing structures aimed at compliance with DORA, as it is expected to be an area subject to a high degree of regulatory scrutiny. While not confirmed, the coming into force of DORA may be closely followed by joint supervisory action of the regulators in EU Member States to ensure compliance.
In light of the scope of the obligations under DORA, FEs should begin to dedicate resources and personnel and create an action plan to ensure DORA compliance in advance of its applicability on 17 January 2025. It is expected that FEs may require significant lead time in order to understand their obligations under DORA. Following the release of the draft RTS and ITS, FEs are now able to begin to prepare for compliance and should do so well in advance of the in-force date. The RTS and ITS are expected to become final on 16 and 17 January 2024 respectively.
How can Zeidler Group support?
If you have any questions or require support, the Zeidler team is here to help. Our global team of professionals remains up to date on the latest legal, regulatory and compliance changes affecting the asset management industry.
[1] i.e. ICT Risks
[2] Excluding registered AIFMs.
[3] Article 3(18)(19), 28(1) DORA
[4] Article 45(1) DORA