The Digital Operational Resilience Act (DORA) goes into effect in exactly one year, on 17 January 2025. DORA is an EU regulation designed to strengthen the financial sector’s IT security posture. It sets requirements for the security of network and information systems of organisations in the financial sector — as well as critical third parties that provide information communication technologies (ICT) to them (e.g., cloud platforms and data analytics services). In practice, this means harmonising and strengthening existing obligations around ICT governance, risk management and incident reporting — with responsibility for compliance going to the board level.
DORA applies to a wide range of financial and financial-adjacent institutions and entities, including:
- credit institutions and investment firms;
- payment and electronic money institutions;
- central counterparties and trade repositories;
- alternative investment managers;
- (re)insurance undertakings and intermediaries;
- crypto-asset services providers and issuers; and
- crowdfunding service providers.
Although most of these organisations are already subject to some form of cybersecurity regulation in the EU, DORA significantly expands the scope of these laws and will apply to most of an in-scope entity’s business activities in the EU — including on an extra-territorial basis.
DORA also applies to ICT third-party providers that are considered to be “critical” by the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority, acting through their Joint Committee. Providers will be designated as critical based on several factors, including:
- the potential systemic impact on the provision of financial services in the event of a large-scale failure;
- the type and importance of entities that rely on the provider; and
- how easily the provider can be replaced.
DORA’s four core obligations
1. Governance and controls
Management must approve and oversee the implementation of an IT risk management compliance programme that aligns with and reflects the entity’s risk profile and tolerance. In other words, the board must maintain an active role in understanding and directing the company’s approach to ICT risk — including through regular training to keep their knowledge up to date. Given the speed at which the cybersecurity world is developing, this won’t always be an easy task.
- Next Steps: The board bears responsibility for its entity’s ICT risks and compliance, so you should:
  - Make management aware now about the DORA assessment process and their role going forward.
  - Help them understand what is needed to become compliant, including (i) roadmaps / gap assessments, (ii) institutional backing, and (iii) investments.
  - Roll out training before DORA takes effect (i.e., starting as soon as possible).
2. ICT risk management
In-scope entities must have in place an appropriate and documented IT risk management framework that helps them address risks quickly and comprehensively. As a minimum it will include (i) implementing policies, procedures and tools, including reporting lines, and (ii) adopting robust security systems and advanced resilience testing at least once every three years. Helpfully, these measures can be applied on a proportionate and risk-based basis…
…However, DORA takes a prescriptive approach to certain of its obligations, such as making in-scope entities (i) conduct business impact analyses of their exposure to severe business disruptions, and (ii) establish a crisis management function for handling internal and external communications.
- Next Steps: Although most organisations are already subject to some form of cybersecurity regulation in the EU (e.g., the GDPR, NIS1), DORA significantly expands the scope of these laws and will apply to at least some — if not most — of your business activities in the EU. As such, you should:
  - Review your existing technical and organisational security measures (including systems, protocols and tools) against DORA’s requirements — which are similar, but not identical, to those under other EU cyber laws.
  - Integrate DORA’s ICT risk management requirements into a wider organisational risk framework.
  - Involve stakeholders from across the business, including legal, compliance and IT, with ultimate oversight by the board.
3. Incident reporting
In-scope entities must have processes in place to identify, manage and notify ICT security incidents. Reporting timelines are among the most involved in the EU, including initial and secondary notifications and a final report to competent authorities (the specific time periods for notification are still to be determined). Entities may also need to report incidents to affected clients — in addition to their obligations under GDPR/NIS2 — and senior ICT staff must provide reports and recommendations to management on a yearly basis.
- Next Steps: Existing reporting procedures are unlikely to be sufficient, meaning that you should:
  - Assign roles and responsibilities for DORA breach reporting.
  - Establish incident response procedures (these can be folded into a wider framework).
  - Train relevant staff.
4. Third parties
In-scope entities must ensure that their (new and existing) contractual arrangements with third-party ICT service providers meet the prescriptive requirements set out in DORA. These requirements are similar to the EBA’s guidelines on outsourcing arrangements; the GDPR mandatory provisions will also be required if the services involve personal data (which is likely…).
Contracts must include provisions on (among other things): (i) a description of the services being provided and any conditions on sub-contracting; (ii) assistance with incident management (at no additional cost); and (iii) vendors taking part in the entity’s security awareness programmes and operational resilience training. In-scope entities must maintain information registers covering their contractual arrangements and report information to competent authorities every three years — and more often when engaging vendors for critical functions.
- Next Steps:
  - Develop a register of contractual arrangements for the provision of ICT services.
  - Review the provisions in your existing contracts with ICT vendors and identify those that will need updating (i.e., because those vendors are critical third-party providers).
  - Ensure that new and updated contracts entered into from mid-2024 contain provisions that meet the DORA requirements.
Countdown to 2025
Although the requirements are different, you should leverage your GDPR compliance programme — and the experience gained through putting that in place — to inform your DORA strategy. Given the impact that DORA will have on in-scope entities, it should be treated as seriously as the GDPR. As a first step, we recommend taking the following actions:
- Assess which business lines will be impacted and identify key stakeholders (internal and external).
- Determine the extent to which current processes and procedures can be leveraged or updated.
- Identify compliance gaps — both organisational and technical — and agree on remediation priorities.
- Ensure that management is involved from the outset so it can play an active role in the journey.
Lastly, and most importantly, this is swiftly becoming a “today issue”, so you are advised not to bury your head in the sand. Twelve months feels like a long time, but our experience with the GDPR is that some organisations left it too late — and have been playing catch-up ever since.
Subscribe to Ropes & Gray Viewpoints by topic here.