DORA Requirements for Financial Entities

Question

Can you list the main requirements DORA imposes on financial entities?

Executive Summary

DORA sets out expectations for the robust digital operational resilience of financial entities in the EU, encompassing a range of institutions including banks and crypto-asset services. The core elements of compliance are as follows:

  • Broad Application and Definition: DORA covers various financial entities and focuses on the continuous provision of services amid digital disruptions, emphasizing the need for comprehensive management of operational integrity.
  • ICT Risk Management: Institutions must implement a detailed ICT risk management framework, with strong governance structures to manage potential digital operational risks actively.
  • Incident Management and Reporting: Formal incident management and classification processes are required, along with the reporting of major incidents to competent authorities, ensuring transparency and prompt responses.
  • Testing and Third-Party Risks: A robust testing regime is mandated to uncover vulnerabilities, and risks from third-party ICT service providers must be integrated into the overall risk management framework.
  • Collaboration and Oversight: Financial entities are encouraged to share cyber threat intelligence, and there are provisions for the oversight of critical third-party ICT providers to manage systemic risks.
  • Enforcement and Consequences: Competent authorities have the power to oversee and enforce the regulation, with Member States expected to impose penalties and remedial measures for non-compliance.

These points encapsulate the main requirements that DORA imposes on financial entities, with a focus on preemptive actions, structured responses, and collective efforts for resilience in the digital ecosystem.

Assumptions

Given the clarity of the user’s question and the specificity of the regulation in question (DORA), there are no additional assumptions needed to conduct the legal analysis or to develop the plan for the junior lawyer.

Legal trace

Scope and Definitions Under DORA

“Without prejudice to paragraphs 3 and 4, this Regulation applies to the following entities…” Article 2(1)

The Digital Operational Resilience Act (DORA) has a broad application, covering traditional financial institutions, such as banks and insurance companies, as well as modern players like crypto-asset service providers. Its design addresses the rising importance of digital operations in the financial sector. For regulatory purposes, “financial entities” are the entities enumerated within DORA’s scope provision.

“‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity and reliability…” Article 3(1)

‘Digital operational resilience’ is about maintaining the integrity and continuous provision of financial services, despite disruptions. This foundational concept in DORA indicates the comprehensive approach financial entities must take, which includes managing direct operations and ensuring the resilience of third-party ICT service provisions.

ICT Risk Management Framework

“Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk…” Article 5(1)

DORA requires a strong governance structure within financial entities to continuously manage ICT risks. By placing an emphasis on internal control frameworks, DORA ensures that financial entities actively uphold digital operational resilience.

“Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system…” Article 6(1)

A meticulous ICT risk management framework is mandated, ensuring entities are proactive and efficient in identifying and managing ICT risks. DORA shapes the operational practices to incorporate both strategic oversight and specific actionable responses to potential ICT risks.

“Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.” Article 17(1)

Financial entities are expected to have formal processes in place that not only manage but also notify appropriate parties about ICT-related incidents, evidencing the regulation’s aim for transparency and prompt reaction to potential threats.

“Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria…” Article 18(1)

Financial entities must classify incidents according to specific criteria such as impact on clients, data losses, and economic impact. This classification process aids in determining the response and potential escalation regarding an ICT incident.

“Financial entities shall report major ICT-related incidents to the relevant competent authority as referred to in Article 46…” Article 19(1)

Reporting major ICT-related incidents to competent authorities highlights DORA’s priority for regulated communication, signaling the wider governance ecosystem’s involvement in managing digital operational resilience.

Testing and Third-Party Risk

“Financial entities, other than microenterprises, shall, taking into account the criteria set out in Article 4(2), establish, maintain and review a sound and comprehensive digital operational resilience testing programme…” Article 24(1)

A rigorous testing regime, including advanced testing, is an essential requirement for most financial entities. These tests are intended to identify weaknesses and ensure readiness to manage digital resilience effectively.

“Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework…” Article 28(1)

DORA requires financial entities to manage risks associated with third-party ICT service providers directly within their overall ICT risk management frameworks, addressing one of the most significant facets of digital risk today.

Oversight and Information Sharing

“The ESAs, through the Joint Committee and upon recommendation from the Oversight Forum established pursuant to Article 32(1), shall designate the ICT third-party service providers that are critical for financial entities…” Article 31(1)

An oversight framework is established for ICT third-party service providers, reflecting the significant role these providers play in the financial sector’s digital operational resilience. Designating critical service providers ensures that systemic risks can be monitored and addressed at an EU level.

“Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools…” Article 45(1)

Facilitation of cyber threat intelligence sharing among financial entities underpins the collaborative aspect of DORA’s approach to enhancing digital operational resilience. Such exchange is intended to be conducted within trusted communities and governed by rules protecting sensitive information.

Enforcement and Penalties

“Compliance with this Regulation shall be ensured by the following competent authorities in accordance with the powers granted by the respective legal acts…” Article 46

Competent authorities are granted investigatory and sanctioning powers to enforce DORA. This implies that there are established mechanisms for supervision and accountability in place which financial entities must reckon with.

“…Member States shall lay down rules establishing appropriate administrative penalties and remedial measures for breaches of this Regulation…” Article 50(3)

Member States must institute penalties and remedial actions for breaches of DORA, illustrating the importance of compliance and the consequences of lapses in digital operational resilience practices. These measures support DORA’s goal of ensuring a robust digital environment within the financial sector.

PDF Repository

We have searched through the PDF repository of draft EBA and ESMA guidelines, draft technical standards, and other documents to provide this supplemental answer.

Details

This supplemental answer provides additional insights into the operational requirements of the Digital Operational Resilience Act (DORA) for financial entities. It delves deeper into specific components of the ICT risk management framework, ICT asset management policy, vulnerability management, safeguarding cryptographic keys, and incorporation of third-party risk management as mandated by DORA.

Legal trace

ICT Security Policies Integration

“Financial entities shall ensure that their ICT security policies concerning information security and related procedures, protocols and tools are embedded in the ICT risk management framework.” (Final Report on Draft) Regulatory Technical Standards to further harmonise ICT risk management tools, methods, processes and policies as mandated under Articles 15 and 16(3) of DORA, page 46

This quote underlines the integration of ICT security policies within the broader risk management framework, providing detailed guidance on developing an effective ICT security culture as mandated by DORA. It accentuates the need for documented, comprehensive policies and protocols that enhance the digital operational resilience of financial entities.

ICT Asset Management Policy

“Financial entities shall develop, document and implement a policy on management of ICT assets necessary to preserve the availability, authenticity, integrity and confidentiality of data.” (Final Report on Draft) Regulatory Technical Standards to further harmonise ICT risk management tools, methods, processes and policies as mandated under Articles 15 and 16(3) of DORA, page 49

The quote specifies the requirement for financial entities to manage ICT assets deliberately, upholding critical data characteristics, as per DORA’s principles. This contributes to the resilience of financial services by ensuring that the management of these assets aligns with the broader goals of promoting stability in the digital operational environment.

Vulnerability Management Procedures

“Financial entities shall develop, document and implement vulnerability management procedures with a view to ensuring the security of networks against intrusions and data misuse.” (Final Report on Draft) Regulatory Technical Standards to further harmonise ICT risk management tools, methods, processes and policies as mandated under Articles 15 and 16(3) of DORA, page 54

This extract specifies the necessity for established procedures that address threats and vulnerabilities in ICT systems, mapping directly to DORA’s directive for institutions to maintain robust management of ICT-related incidents. The proper documentation and execution of such procedures contribute to reducing systemic risk through prompt detection and management of potential intrusions and data misuse.

ICT Third-Party Service Provider Risk Management

“For ICT assets or services operated by an ICT third-party service provider, the identification and implementation of requirements to maintain digital operational resilience…shall consider at least the following:” (Final Report on Draft) Regulatory Technical Standards to further harmonise ICT risk management tools, methods, processes and policies as mandated under Articles 15 and 16(3) of DORA, page 56

The significance of this quote lies in its explicit extension of DORA’s resilience requirements to services and assets managed by third parties. It accentuates the need for risk considerations and management processes that cover all ICT contributors, not just internally managed systems, within the broader operational resilience framework.

Protection of Cryptographic Keys

“Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure and modification.” (Final Report on Draft) Regulatory Technical Standards to further harmonise ICT risk management tools, methods, processes and policies as mandated under Articles 15 and 16(3) of DORA, page 51

This statement highlights the specific directive under DORA that necessitates comprehensive controls for cryptographic keys to ensure their protection from various security threats during their entire lifecycle. Reflecting DORA’s focus on encryption and data security, it details part of the broader expectations for maintaining digital operational resilience within financial entities.

Each of these points adds a layer of specificity to the original analysis, offering clarity on how financial entities can implement the functional elements required to meet and maintain DORA’s operational standards for digital resilience.