DORA – One year before the implementation deadline, more and more details are becoming known

The EU Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) came into force almost a year ago and the implementation period runs until January 17, 2025. The aim of the new regulation is to strengthen IT security and resilience in the European financial sector and the insurance industry through uniform requirements for the operational stability and security of ICT systems (ICT – information and communication technology). The new requirements, some of which are comprehensive, have triggered the need for many financial companies to convert existing processes or implement systems to monitor third-party ICT providers. BaFin's info page on DORA has also been available online since October 2023. In addition, the European supervisory authorities (European Securities and Markets Authority – ESMA; European Banking Authority – EBA; European Insurance and Occupational Pensions Authority – EIOPA) are currently developing regulatory technical standards (RTS), implementation standards (ITS) and guidelines to further specify DORA. These are currently at the draft stage and are expected to be adopted in the course of 2024. In addition, the national Financial Market Digitization Act, the draft bill for which was published on 23 October 2023, is intended to serve the national implementation of the DORA (Heuking reported).

I. Area of application

The scope of the DORA extends to almost all supervised institutions and companies in the European financial sector. This includes not only credit, payment and e-money institutions, but also investment companies as well as insurance and reinsurance companies. The regulation also contains rules for ICT service providers that provide digital services and data processing. Exceptions apply in particular to micro-enterprises with fewer than 10 employees and an annual turnover or balance sheet total of less than EUR 10 million, but also to small and medium-sized enterprises that are not interlinked with a larger company.

II. Duties

The DORA itself, as well as the regulatory technical standards (RTS) and implementation standards (ITS), which have yet to be adopted by the Commission and are therefore only incomplete and provisional, impose comprehensive obligations on the companies and institutions concerned. In particular, they must ensure digital operational stability, document and eliminate risks, implement protection and documentation measures and maintain and regularly review recovery plans. There are also further obligations regarding the handling and reporting of security incidents.

1. ICT risk management

The companies concerned are initially obliged to establish an ICT risk management framework, which must be documented and reviewed at least once a year and continuously improved. Additional evaluations are provided for in the event of serious ICT-related incidents and following regulatory instructions or findings. The ICT risk management framework includes strategies to protect all information and ICT assets as well as other relevant physical components and infrastructures, such as rooms and data centers. In particular, this should include information on potential IT risks and the respective risk management. Responsibility for implementing the ICT risk management framework lies with the respective management body of the company.

Further guidelines are also required in connection with the ICT risk management framework. These include guidelines on information security, which include rules to protect the availability, authenticity, integrity and confidentiality of data and the information and ICT assets, on access and access rights, on ICT change management, on data backup (including the scope of the data to be backed up and the minimum frequency of backup based on the criticality of the information or the level of confidentiality of the data), and on patches and updates. It also requires an ICT business continuity policy that includes a business impact analysis (BIA) and ICT response and recovery plans. These serve to ensure the continuation of all critical and important functions of the financial company in the event of an ICT incident. In addition, an internal strategy for digital operational resilience is required, which specifically sets out how ICT risk management will be implemented. In particular, risk tolerance thresholds, clear objectives for information security (including key performance indicators and risk metrics) and mechanisms for detecting ICT-related incidents must be defined. In addition to a visual network plan, the companies concerned must also have a structure for network and infrastructure management that is based on the risk-based approach. To ensure that all internal guidelines and strategies are in place by January 17, 2025, it is advisable to start drafting them now.

Internal processes and mechanisms should also be established to ensure the continuous identification of all ICT risks and the assessment of cyber threats and ICT vulnerabilities where relevant to ICT-enabled business functions, information and ICT assets. In particular, these mechanisms should be equipped with alert thresholds and criteria to initiate response processes to ICT-related incidents and provide automated alerts to employees responsible for responding to ICT-related incidents.

Other necessary measures include training employees on ICT security and digital operational resilience, the identification and classification of ICT systems and information used in business functions (even if these are not held in central systems), the encryption of data in all states and lifecycle management for cryptographic keys

2. Tests

According to Art. 25 DORA, all financial companies are obliged to carry out regular tests of digital operational resilience. This includes the regular review of ICT business continuity plans, particularly in relation to critical or important functions that are outsourced to third-party ICT service providers. To ensure smooth implementation, a corresponding program should be implemented now. In particular, financial companies should define in advance the intervals at which the tests are to be carried out and which scenarios are to be taken into account. It is also important to define basic requirements for the test protocols, for example with regard to the assessment of vulnerabilities or network security. The tests themselves are carried out by independent internal or external auditors. When it comes to ICT systems and applications that support critical or important functions, appropriate tests must be carried out at least once a year.

Certain financial companies are also obliged to carry out extended tests based on threat-led penetration testing (TLPT). The identification and notification of the affected companies is carried out by the responsible supervisory authorities. The impact of the services provided on the financial sector, the significance for financial stability due to systemic characteristics of a company, the specific ICT risk profile, the ICT maturity level and relevant technological characteristics all play a role in the identification process. These criteria are also specified in an RTS, although the public consultation for this did not begin until December 2023. BaFin plans to notify the affected institutions and companies at an early stage. As part of the TLPT, tactics, techniques and procedures of real attackers are to be replicated in order to enable controlled and customized live tests.

3. ICT service provider

Financial companies should also develop a strategy for dealing with ICT third party risk. Third-party ICT risk is the risk that can arise for financial companies in connection with the use of ICT services from third-party ICT service providers or their subcontractors. On the basis of this strategy, a pre-contractual risk analysis must be carried out to check whether a third-party ICT service provider complies with appropriate information security standards. This requirement becomes more stringent when using third-party ICT providers for critical or important functions, where financial companies must check whether the latest and highest quality standards for information security are being applied. In addition, the type and number of new ICT contracts must be reported annually to BaFin. When commissioning third-party ICT providers, the minimum contract contents set out in Art. 30 DORA must also be observed. Ideally, the company should have standardized contract templates that are simply adapted as required when a new contract is concluded. In addition, there should also be a guideline for the use of ICT services to support critical or important functions.

The classification of third-party ICT providers is carried out by the European supervisory authorities based on the criteria of Art. 31 para. 2 DORA. Accordingly, a critical ICT service provider is deemed to exist if the cooperation with it has a systematic impact on the stability, continuity or quality of the services of the respective financial company, if the financial companies that use the service provider are systemically relevant or if the financial industry is dependent on the ICT third-party service provider and there is a high degree of substitutability. However, this does not apply to purely national or intra-group ICT third-party service providers. More detailed rules on when an ICT third-party service provider is to be classified as critical can be found in a delegated regulation of the EU Commission, which is also still pending final adoption following the conclusion of the consultation phase in June 2023 (see ESA's Discussion Paper on criticality criteria and oversight fees on DORA). Even if the final classification of the respective ICT service providers by the supervisory authorities will not take place until 2025, financial companies should already check or have checked now whether the third-party providers they use meet the above-mentioned criteria. This applies in particular to systemically important financial companies, as their ICT third-party service providers are generally considered critical ICT third-party service providers. In future, particular attention will be paid to providers of cloud services, which is why financial companies should also take particular care when selecting them.

Financial companies bear full responsibility for monitoring ICT service providers. For example, a critical third-party ICT service provider may only be used if it establishes a registered office in the EU within 12 months of being classified as critical. However, there is no obligation to store data within the EU. If financial companies do not or do not sufficiently take into account the risks of a third-party ICT service provider, the national supervisory authority may suspend the use of the critical third-party ICT service provider in whole or in part until the risks have been remedied or terminate the contracts with it in whole or in part. In addition, critical third-party ICT service providers are subject to monitoring by the European supervisory authorities, which have powers to request information and documents and to carry out (on-site) inspections. The authorities can issue recommendations and publish information on non-compliance with such recommendations. In addition, fines can be imposed for other violations. Overall, however, the powers of the supervisory authorities are less extensive than in relation to financial companies.

III. Handling and reporting incidents

The third chapter of the DORA contains guidelines for dealing with ICT-related incidents and for classifying incidents and cyber threats. An ICT-related incident is an event not planned by the company that affects the security of the network and information systems and has a negative impact on the availability, authenticity, integrity or confidentiality of data or on the services provided by the financial company (Art. 3 para. 1 no. 8 DORA). Most IT security incidents are therefore covered. In order to handle ICT incidents quickly, it is advisable to develop a process now that enables the identification, classification, handling and reporting of cyber threats. In particular, this process should include early warning indicators and clear functions and responsibilities for each incident. It should also include a process for identifying, tracking, logging, categorizing and classifying ICT-related incidents according to their priority and severity. In the event of serious incidents, a report should also be made to senior management and the executive board.

In the event of serious ICT-related incidents, a report must also be submitted to BaFin via the MVP portal (reporting and publication platform portal). Customers should also be informed if the incident has an impact on their financial interests. The exact classification criteria will result from one of the RTS, which will be published next year after final consultation. However, reporting significant cyber threats is voluntary and is recommended by BaFin if a financial undertaking believes that the threat is relevant to the financial system, service users or customers. (Art. 19 para. 2 DORA). If a disruption to the main activity of a financial company has occurred as a result of an ICT-related incident, an ex-post audit should also be carried out to investigate the causes of the disruption and improve ICT operations where necessary.

IV. Checklist

The DORA requires the financial companies and institutions concerned to implement comprehensive internal risk management. Even if some of the necessary guidelines or instructions for action should already exist due to the requirements of the German Banking Supervisory Requirements for IT (BAIT) or the Insurance Supervisory Requirements for IT (VAIT), these should already be revised and supplemented now on the basis of the DORA to ensure that all requirements are met at the beginning of 2025. This applies in particular to the following documents:

• ICT risk management framework;
• Governance and control framework;
• Strategy for operational resilience including performance indicators and key risk figures;
• Information security policy (regarding availability, authenticity, integrity and confidentiality of data and information and ICT assets);
• Policy on access and access rights to information and ICT assets;
• Guidelines for patches and updates;
• Policy for data backup (including recovery and restoration);
• ICT change management policy (regarding changes to software, hardware, firmware components, the systems or security parameters based on a risk assessment approach);
• ICT Business Continuity Guideline including a Business Impact Analysis (BIA), as well as ICT response and recovery plans;
• Guideline for the use of ICT services to support critical/essential functions;
• Visual network plan and annual review of the network architecture;
• Model contract for ICT third-party service providers, which contains the minimum content according to Art. 30 DORA;
• Document all processes that depend on third-party ICT service providers and identify all third-party ICT service providers that provide services to support critical or important functions;
• Strategy for dealing with the ICT third party risk (from 2025, in particular examination of whether they have already failed to implement recommendations of the supervisory authorities or have not implemented them sufficiently);
• Guideline for carrying out the pre-contractual risk analysis for third-party providers. Particular attention must be paid to the concentration risk in the event of multiple commissioning of the same service provider;
• At least annual review of the ICT risk framework (Art. 6 (5) DORA) and regular revision (less frequent for Kleist companies);
• Development of an internal process for the continuous identification of ICT risks and the assessment of cyber threats and ICT vulnerabilities;
• Definition of the requirements for a program to carry out the tests in accordance with Art. 25 DORA.

The following documents should also be kept in connection with ICT incidents:

• Definition of alarm thresholds and criteria to trigger and initiate response processes in the event of ICT-related incidents;
• Process for identifying, handling and reporting cyber threats;
• Guideline for the classification of ICT-related incidents, in particular based on the number of people affected and, where applicable, the value or number of transactions affected, the duration of the incident, geographical spread, associated loss of availability, authenticity, integrity or confidentiality of data, criticality and economic impact;
• Communication plans and strategies for disclosing ICT incidents to customers, business partners and the public.

V. Outlook

The RTS, IST, ESA guidelines, national circulars and ESA guidelines are to be revised again by the end of 2024 before DORA and the accompanying amending directive come into force on January 17, 2025. Even if more specific information on implementation becomes known in the coming months, financial companies should start revising and supplementing their ICT documents now.