The EU’s Digital Operational Resilience Act for financial services has been saved
The EU’s Digital Operational Resilience Act for financial services
New rules, broader scope of application
Authors: Quentin Mosseray, Scott Martin, Simon Brennan, Sarah Black, Rick Cudworth
On 24 September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA). The legislative proposal builds on existing information and communications technology (ICT) risk management requirements already developed by other EU institutions and ties together several recent EU initiatives into one Regulation. The DORA aims to establish a much clearer foundation for EU financial regulators and supervisors to be able to expand their focus from ensuring firms remain financially resilient to also making sure they are able to maintain resilient operations through a severe operational disruption.
This note includes our assessment of the most important aspects of the DORA proposal, and the practical implications that these reforms could hold for firms. These include:
- Bringing ‘critical ICT third party providers’ (CTPPs), including cloud service providers (CSPs), within the regulatory perimeter. These would be supervised by one of the European Supervisory Authorities (ESAs), who would have the power to request information, conduct off-site and on-site inspections, issue recommendations and requests, and impose fines in certain circumstances.
- With a view to harmonising local rules across the EU, setting EU-wide standards for digital operational resilience testing, but leaving out automatic cross-border recognition of threat-led penetration testing (TLPT) for the time being.
- Harmonising ICT risk management rules across financial services sectors, based on existing guidelines.
- Harmonising ICT incident classification and reporting, and opening the door for the establishment of a single EU-hub for major ICT-related incident reporting by financial institutions.
The DORA proposal comes as regulators around the world have been looking more closely at how they can strengthen the operational resilience of the financial sector and of the individual firms within it. We analysed the most significant initiatives taken by other regulators around the world in our recently-published report: Resilience without borders.
We expect the DORA to be negotiated by EU institutions over the next 12 to 18 months, with further secondary legislation being developed thereafter. However, based on the present text, we believe firms should consider the following actions:
- ICT TPPs will need to evaluate whether they will deemed ‘critical’. Those who are may need to establish new regulatory teams and analyse how they can best comply with the oversight framework being developed.
- Larger firms should closely follow the ESAs as they flesh out the criteria requiring firms to carry out TLPTs. Those newly in scope will need to develop a strategy to make the best use of these advanced tests.
- While large firms will already be applying many of the DORA’s ICT risk management requirements, they should assess whether their response and recovery strategies and plans respond appropriately to the expanded rules in these areas.
- All firms will need to develop or amend their incident reporting processes in line with the new rules. Firms may want to consider aligning these to their internal reporting processes to optimise resource allocation.
CTTPs are being pulled into the regulatory perimeter, with broad powers for the ESAs
Regulators have been mulling over how to manage financial services’ (FS) increasingly large exposure to (CSPs) for some time. The proposed legislation would enable the designation of an ICT third-party provider (TPP) such as CSPs as ‘critical’, based on criteria such as the number and systemic character of financial entities that rely on the ICT TPP and the TPP’s degree of substitutability. Once designated as critical, oversight of the CTPP will be carried out by one of the ESAs, who will be able to conduct on-site and off-site inspections, issue recommendations and, importantly, levy fines of up to 1% of daily worldwide turnover in case of non-compliance or ask FS firms to terminate their arrangement with the CTPP.
Most FS firms will welcome the introduction of an oversight framework, as it will give them more legal certainty around what is permissible, and a level of assurance on the security of their assets in the cloud. On aggregate, this will likely increase firms’ confidence and appetite for transitioning some of their activities to the cloud, helped by the Commission’s development of voluntary standard contractual clauses. However, firms may need to navigate some potentially complex localisation rules, as EU FS firms will not be allowed to use the services of a TPP that is not ‘established’ (meaning it does not have a business presence) in the EU but would be deemed critical if it was.
The oversight framework for CTPPs does not however remove or reduce FS firms’ own regulatory responsibilities to ICT TPPs. The DORA contains – in line with existing EBA and EIOPA guidelines – third-party risk management requirements for firms that make use of CTPPs and TPPs, including with regards to auditing rights and mandatory contractual clauses.
Digital operational resilience testing: an EU-wide approach could help firms optimise costs
Threat-led penetration testing frameworks (TLPT) have been developed at national level for a number of years, and are already mandatory at the EU level for certain types of financial market infrastructures (FMIs).
The DORA expands this in two ways. First, the threshold criteria identifying firms where this testing would become mandatory, and the pan-EU application of TLPTs will likely increase the number of firms in scope to conduct mandatory and regular testing. The exact criteria will be fleshed-out by the ESAs in secondary legislation, but firms in countries that do not yet have a TLPT, or firms that were not in scope for their jurisdiction-led TLPT, may now need to develop an approach (aligned to their ICT risk management frameworks). This will involve working with a third-party penetration tester, educating the board on how these tests are run (on live production systems, which requires careful planning and execution), and the use of these tests as part of a wider risk-management approach. Importantly, the tests might require the participation of firms’ ICT TPPs, which may add complexity to the exercise.
Second, it builds on the voluntary TIBER-EU framework developed by the ECB, which introduced some cross-border recognition of tests, reducing the need for cross-border firms to carry out the same tests twice. The DORA builds on this, and asks the ESAs to develop standards and procedures for the mutual recognition of tests across EU Member States. This could mean that, so long as the TLPT tests are carried out according to a set of criteria (which will likely be very close to the requirements contained in TIBER-EU), these tests could more easily be recognised by other EU supervisors in jurisdictions where a firm is active, potentially avoiding the need for duplication. Firms that already carry out TLPTs and have activities in more than one EU jurisdiction will likely face relatively lower compliance costs in future, and may in time no longer have to rely on bilateral agreements for the recognition of tests. For firms that already carry out this activity, the testing function could be further centralised and optimised, and could ultimately become less complex to run.
ICT incident reporting: simpler, better reporting?
Firms have highlighted the recent proliferation of ICT incident reporting requirements, arguing that the multitude of requirements, timings, thresholds and associated fines for non-compliance may hinder their effective management of ICT incidents. The DORA will alleviate some of those concerns as it will harmonise reporting templates, as well as the conditions triggering a reporting requirement, that FS firms will need to follow and provide to their national competent authorities (NCAs – likely to be their FS supervisory authority). However, the regulation does not align with, or supersede, some other incident reporting requirements, such as those in the GDPR.
In time, the reporting requirement may shift from NCAs to an EU-hub, to streamline information gathering and ensure further supervisory convergence. Before that, however, firms will need to adapt to the new EU reporting rules, including providing root cause analysis reports no later than one month after a major ICT incident occurs. The measures, in aggregate, will provide EU regulators with a better picture of what kind of vulnerabilities are most common across firms, and potentially help them take further action – using their expanded rules and powers around ICT management.
ICT risk management rules: foundations for EU supervisors to build on
The streamlined and enhanced rules applying to firms’ ICT risk management emphasise the importance of board involvement. Expanding from existing Guidelines such as the European Banking Authority’s ICT and security risk ones, the board will need to determine the appropriate risk tolerance and impact tolerance for ICT disruptions, and review their firm’s business continuity and disaster recovery plans.
The ICT risk management requirements are organised around:
- Identifying business functions and the information assets supporting these.
- Protecting and preventing these assets.
- Detecting anomalous activities.
- Developing response and recovery strategies and plans, including communication to customers and stakeholders.
While the first three of these will be fairly familiar to most firms, albeit implemented with various degrees of maturity, the latter should focus minds. The European Commission, recognising the importance of maintaining business services, or functions, and the increasing reliance of the financial sector on technology to run these, will require firms to spend time and resources developing ways to restore their critical functions when faced with a severe disruption. This will require firms to think carefully about substitutability, including investing in backup and restoration systems, as well as assess whether – and how – certain critical functions can operate through alternative systems or methods of delivery while primary systems are checked and brought back up.
The DORA legislation proposed by the Commission is an important first step in creating a regulatory framework for financial services operational resilience in EU law. This proposal will now have to be negotiated by the European Parliament and European Council in what could be a protracted political process. Based on the past precedent of how similar FS legislative files have progressed in the EU, we can expect a final version of the primarily legislation to be agreed in the next 12 to 18 months, with further secondary legislation and technical standards fleshing out the specific application of the rules being developed thereafter by the ESAs.