Impact of DORA on Financial Services Technology Integration in the EU

Question

I'm a software engineer in a financial services company and we're integrating new technologies. I've been told that DORA might affect our work. How does DORA fit with other EU laws that we already comply with, like MiFID II or PSD2?

Executive Summary

In integrating new technologies in the financial sector, understanding the Digital Operational Resilience Act (DORA) is crucial for compliance alongside existing EU regulations such as MiFID II and PSD2. Here’s a concise overview addressing DORA’s impact:

  • Interaction with Existing Regulations: DORA introduces specific requirements for digital operational resilience that complement and add to existing rules under MiFID II and PSD2, centering on cybersecurity and third-party service provider management.
  • Uniform ICT Risk Management: Entities must have robust ICT risk management frameworks, reflecting DORA’s emphasis on managing digital threats alongside operational risks already covered in MiFID II and PSD2.
  • Incident Reporting and Cooperation: DORA mandates structured management and reporting of ICT-related incidents, encouraging the exchange of cybersecurity information, which aligns with the real-time reporting requirements of MiFID II and PSD2.
  • Enforcement and Supervision: Compliance with DORA will be overseen by familiar regulatory authorities, aiming to harmonize the enforcement of digital resilience with existing financial regulations.

This shortlist provides an executive synopsis of DORA’s role within the regulatory landscape for digital operations in the EU financial sector.

Assumptions

  1. Scope of New Technologies: Assume the technologies in question are essential for providing financial services and pertain to data processing, cybersecurity, and potential dependency on third-party ICT service providers.
  2. Company’s Role: Assume the company operates both as an investment firm under MiFID II and a payment service provider under PSD2.
  3. Current Regulatory Compliance: Assume the company is fully compliant with existing regulations mentioned (MiFID II and PSD2) as they pertain to financial transactions, services, and customer interactions.
  4. Specific Concerns or Scenarios: Assume the concerns about DORA primarily revolve around the management of ICT risks and the regulatory overlap in reporting obligations between DORA, MiFID II, and PSD2.

Legal trace

Introduction and Objectives of DORA

In the digital age, information and communication technology (ICT) supports complex systems used for everyday activities. It keeps our economies running in key sectors, including the financial sector, and enhances the functioning of the internal market. Increased digitalisation and interconnectedness also amplify ICT risk, making society as a whole, and the financial system in particular, more vulnerable to cyber threats or ICT disruptions. Recital 1

In setting the stage for the Digital Operational Resilience Act (DORA), this recital makes the point that as the financial sector relies more heavily on digital technology, the risks associated with that technology grow with it. This concern is the driving force behind DORA’s inception—balancing the benefits of technology with heightened operational resilience in the finance sector.

Scope and Applicability of DORA

This Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities… Article 1(1)

DORA sets forth unified requirements for digital operational resilience, encompassing risk management, incident reporting, and third-party ICT service management. It intersects with MiFID II and PSD2 in areas pertaining to operational risk control and reporting obligations.

Without prejudice to paragraphs 3 and 4, this Regulation applies to the following entities: [list includes credit institutions, payment institutions, investment firms]… Article 2(1)

This delineates DORA’s reach which includes entities already regulated under MiFID II and PSD2, imposing an additional regulatory layer they must navigate to ensure compliance across all fronts.

Definitional Clarity within DORA

‘financial entity’ means any entity that operates within the financial sector… Article 3

The term ‘financial entity’ in DORA encapsulates a variety of institutions within the financial sector, including those regulated by MiFID II and PSD2. This broad definition means that many such entities will now have to consider the mandates of DORA when implementing new technologies.

‘ICT risk’ means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialized, may compromise security… Article 3

The concept of ‘ICT risk’ in DORA covers threats to the security of networks, echoing themes in MiFID II and PSD2 but focusing on the nuances of cyber and digital threats.

Interaction of DORA with MiFID II

Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework as referred to in Article 6(1)… Article 28(1)

Investment firms already managing operational risk under MiFID II must treat ICT third-party risk as part of that same framework, integrating the additional DORA requirements into their existing risk management efforts.

The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. Article 30(1)

The explicit contractual stipulations laid out in DORA mandate precise allocation of duties between financial entities and their ICT third-party service providers, aligning with MiFID II’s broader requirements for firms to manage risks and ensure market integrity.

DORA’s Overlap with PSD2

Financial entities shall only use testers for the carrying out of TLPT, that are of the highest suitability and reputability… Article 27(1)(a)

DORA mandates that payment service providers use reputable testers, which echoes PSD2’s emphasis on security, although DORA places a specific focus on resilience testing.

Financial entities shall duly consider the insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy… Article 29(2)

Article 29 requires financial entities to consider the insolvency law implications of a provider’s failure, and hence the recoverability of their data, aligning with PSD2’s focus on continuity and resilience in payment services.

ICT Risk Management in Focus

Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework… Article 6(1)

The requirement for a thorough ICT risk management framework under DORA means financial entities will need to integrate these specific digital resilience measures into the broader risk management structures already mandated by MiFID II and PSD2.

Reporting Obligations Detailed in DORA

Financial entities shall define, establish and implement an ICT-related incident management process… Article 17(1)

DORA introduces structured ICT incident management processes, which dovetail with existing reporting obligations under MiFID II and PSD2 but with an emphasis on digital operational resilience.

Coordinated Supervision and Enforcement

Financial entities may exchange amongst themselves cyber threat information and intelligence… Article 45(1)

DORA creates an environment that encourages financial entities to share cyber threat intelligence with one another. This will necessitate coordination with the regulatory authorities responsible for MiFID II and PSD2 compliance and may harmonize cybersecurity measures across the various regulatory frameworks.

Compliance with this Regulation shall be ensured by the following competent authorities in accordance with the powers granted by the respective legal acts… Article 46

Article 46 integrates DORA oversight with existing regulatory bodies, suggesting that entities already complying with MiFID II and PSD2 will interact with familiar authorities, potentially simplifying the alignment process for the new ICT risk regulations.


By examining the objectives and provisions of DORA in alignment with other regulations like MiFID II and PSD2, we can conclude that DORA serves to bolster the financial industry’s resilience against ICT risks, adding a layer of specifics to existing compliance measures in cybersecurity, incident management, and third-party service management. Financial entities must now integrate these new mandates with practices already established under MiFID II and PSD2, creating a regulatory mosaic to navigate as part of future digital transformations.

PDF Repository

We have searched through the PDF repository of draft EBA and ESMA guidelines, draft technical standards, and other documents to provide this supplemental answer.

Details

Recognizing the intricate landscape of regulatory compliance in the financial sector, we have further analyzed the implications of the Digital Operational Resilience Act (DORA) in relation to other EU laws such as MiFID II and PSD2, particularly in the context of your role in integrating new technologies. This supplemental answer provides additional insights that detail the practical steps and considerations required in adhering to these overlapping regulatory environments.

Legal trace

Governance and the Management of ICT Third-Party Risk

Financial entities, as part of their ICT risk management framework, should adopt, and regularly review, a strategy on ICT third-party risk. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 7

The implementation of ICT risk management frameworks, as outlined here, advances our previous analysis by specifying the continuous and strategic review processes for managing third-party risk. For your role, it emphasizes that not only should these risk management strategies align with the regulations but they also require regular updates and assessments as part of broader governance practices.

The management body of a financial entity shall adopt a written policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers, and ensure its implementation on an individual and, as applicable, on a sub-consolidated and consolidated basis. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 10

This recommendation underscores the responsibility placed on the management body for the oversight of ICT third-party risks, bridging our original analysis with the specific governance requirements of DORA. It illustrates the level of engagement necessary from higher management to ensure new technologies comply across all organizational levels, reflecting a complex regulatory mosaic that includes MiFID II and PSD2 directives.

Risk Assessment and Due Diligence in Contractual Arrangements

Before entering into a contractual arrangement with an ICT third-party service provider a risk assessment shall be conducted […] taking into account all the relevant requirements under Regulation (EU) 2022/2554 and applicable sectoral legislations and regulations. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 13

This reinforces the notion that a risk assessment is a critical preliminary step before entering contractual engagements with ICT third-party service providers, considering the comprehensive landscape of DORA and other sectoral laws. Integrating this requirement into your operational risk management process can both accommodate new technological integrations and ensure alignment with existing EU financial regulations.

The policy shall require that, before entering into a contractual arrangement, at least whether the ICT third-party service provider […] has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards […] (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 14

This quote highlights the importance of due diligence in the selection of ICT service providers. It presents a detailed outlook on the required standards ensuring a prospective provider’s suitability and operational resilience, facilitating a continuity between DORA and other regulatory frameworks, including MiFID II and PSD2, within which your company operates.

Contractual Arrangements and Operational Resilience

Financial entities shall only use testers for the carrying out of TLPT, that are of the highest suitability and reputability… (Article 27(1)(a))

By stressing the prerequisite of using reputable testers for resilience testing, DORA echoes PSD2’s security emphasis. The Regulation specifically highlights the importance of operational resilience testing, which connects directly to your responsibilities in integrating new technologies and ensuring they are robust against a multitude of risks.

Proportionality and Application within Financial Groups

The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers shall take into account, at least the following elements of increased or reduced risk or complexity […] (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 10

This quote elaborates on DORA’s call for a proportionate approach, considering each financial entity’s unique risk profile and complexity when drafting policies related to ICT services. It complements our initial answer by detailing how DORA’s requirements adapt to the size and structure of the entity, including within a financial group—elements that are equally important in PSD2 and MiFID II compliance efforts.

Conclusion

This supplemental answer has explored further details about the management of ICT third-party risk under DORA, presenting steps and considerations that directly respond to the need for establishing clear and robust policies. This guidance, consistent with the comprehensive approach to operational and market risks demanded by MiFID II and PSD2, should aid in integrating new technologies while satisfying various regulatory standards within the financial industry.