On 10 November 2022, the European Parliament approved the EU Digital Operational Resilience Act (“DORA”). Subject to the Council of the EU’s approval, DORA will impose far-reaching operational resilience and management oversight requirements on financial services firms – including banks, insurers and private equity firms – as well as on critical service providers that, for the first time, will be directly regulated by EU financial services regulators. While aspects of the regime, including details of incident reporting obligations, remain to be decided, the key requirements are now set.

In this Debevoise Data Blog post, we explore which entities are DORA-covered, its key provisions, and steps that businesses should consider to prepare for the new regime.

Our key takeaways are:

  1. For financial services firms – determine if you are covered as a “financial entity” and, if so, begin charting a path to compliance: it is likely to be a resource-intensive undertaking and one which demands ongoing engagement from across the business, including management.
  2. For ICT service providers – assess the risk of designation and, regardless of whether that is likely, consider how mandatory contractual provisions for financial entities may “flow-through” and necessitate updates to policies and procedures.

Who’s covered?

DORA imposes obligations on both “financial entities” and ICT third-party service providers. “Financial entity” is defined to include almost all entities operating in the financial sector, including, for example, banks, insurers and their intermediaries, investment firms, payment institutions, credit rating agencies, data reporting service providers, benchmark administrators, trading venues, crypto asset service providers, and management companies.

DORA may also apply to covered entities’ external and intra-group ICT service providers, such as cloud platforms or data analytics services:

  • Directly, to “critical ICT third-party service providers” designated as “critical” by European supervisory authorities (“ESAs”).
  • Indirectly, through contractual provisions that covered entities will be required to include in service agreements.

When does it come into force?

DORA is expected to be formally adopted and enter into force by the end of 2022. Covered entities must come into compliance with the provisions within 24 months after its entry into force, which will likely be December 2024 or January 2025.

What are the key requirements for financial entities?

DORA requires covered financial entities to comply with new rules in four key areas:

1. Risk management

Financial entities will be required to:

  • have an internal governance and control framework, with “management body” oversight, approval, and accountability;
  • implement a comprehensive ICT risk management framework, which is integrated into their overall risk management system;
  • assign responsibility for managing ICT risk to a control function and ensure an appropriate level of independence in order to avoid conflicts of interest;
  • put in place and maintain appropriate ICT systems and tools that are able to identify and mitigate ICT risks consistently and reliably;
  • assess and document potential risks associated with their ICT-supported business functions, roles, and assets; and
  • establish business continuity policies and disaster recovery plans, and backup recovery procedures.

2. ICT incident reporting and management

Financial entities will be required to:

  • establish and implement a management process to monitor, manage and notify ICT-related incidents;
  • classify incidents and cyber threats based on – yet to be produced – prescribed criteria;
  • report “major ICT-related incidents” to their designated authority, the format, timing and content of which remain to be decided;
  • have communication and responsible disclosure plans for major ICT-related incidents and vulnerabilities which may impact clients and counterparts; and
  • notify clients without undue delay where a major ICT-related incident has an impact on their financial interests and, for a “significant cyber threat,” notify potentially affected clients of possible protective measures.

3. Digital operational resilience testing

Financial entities will be required to:

  • perform standardised digital operational resilience testing, including vulnerability and network security assessments, gap analysis and software solutions testing, as well as scenario-based testing, performance testing and penetration testing;
  • conduct certain types of advanced testing if required by the relevant authority, including testing involving multiple financial entities and/or ICT third-party service providers;
  • cooperate with the Member States’ authorities that will be able to participate in the test procedures;
  • audit their operational resilience, including their ICT risk management framework, subject to conflicts of interest requirements; and
  • establish procedures and policies to implement corrective measures for weaknesses and deficiencies identified during testing and/or auditing.

4. Third-party risk management

Financial entities will be required to:

  • contract only with ICT service providers in compliance with appropriate information security standards and termination clauses;
  • assess and document potential ICT risks associated with their third-party ICT service providers;
  • conduct due diligence on prospective ICT service providers and audit existing providers to ensure suitability; and
  • implement exit strategies for ICT services supporting critical or important functions.

What are the key requirements for third-party ICT service providers?

Aside from complying with contractual requirements that financial entities will have to impose on them, critical third-party ICT service providers designated by the ESAs will be required to:

  • cooperate with document and information requests, inspections, investigations, and audits by relevant supervisory authorities;
  • notify, within 60 days of receipt, the designated financial services regulator of their intention to either comply with any recommendations by the designated financial services regulator or provide a reasoned explanation for not following such recommendations – such recommendations may relate to practically any ICT-related risk, including: physical security; risk management processes; governance arrangements; incident identification, monitoring and reporting; data and application portability and interoperability; testing; and audits;
  • pay their designated financial services regulator for the costs of oversight and examinations; and
  • establish a subsidiary within the EU.

What are the penalties for non-compliance?

Monetary penalties for financial entities have not yet been set. Member States will lay down frameworks in due course, and DORA also leaves the door open for potential criminal liability for non-compliance.

Monetary penalties for critical ICT third-party service providers will be up to 1% of their average daily worldwide turnover in the preceding business year, applied on a daily basis until compliance is achieved, for a maximum of six months.

What can you do now?

Financial entities and third-party ICT service providers can begin taking steps now to establish the internal processes and documentation needed to prepare for DORA.

Financial entities may want to:

  1. begin a review of, or drafting, required internal policies, including for information security, business continuity, incident response and disaster recovery – DORA is highly prescriptive and the adequacy of existing policies will need to be carefully evaluated.
  2. prepare and begin to implement internal processes and systems to identify, classify, and document all ICT-supported business functions, roles and responsibilities, the information assets and ICT assets supporting these functions, and their roles and dependencies with ICT risk; and establish an annual review process for such classifications and applicable risk scenarios.
  3. identify and review (as part of the processes above) all ICT service providers and related contracts and documentation. Compliance with DORA may require contractual re-negotiations as all ICT provider contracts will have to contain, for example, robust audit provisions enabling the rights of access, inspection and audit by the financial entity or an appointed third-party.

ICT third-party service providers may want to:

  1. assess the likelihood of designation as a critical ICT third-party service provider under DORA.
  2. if designation is likely, prepare to participate fully in inspections, audits, and other investigations by the designated financial services regulator (and, if applicable, incorporate an entity in the EU).
  3. whether or not designation is likely, identify how flow-through contractual obligations may nevertheless require updates to policies and procedures.

Developments in the UK and US

Covered entities may wish to consider how DORA overlaps with existing and forthcoming regulation in other jurisdictions.

Many UK financial services firms will be covered by DORA if they operate in the EU. There are also proposals to expand the UK’s operational resilience regime. In July 2022, building on existing operational resilience requirements (including those under FCA Handbook SYSC 15A.2), the UK Parliament proposed amendments to various laws which, like DORA, would permit direct regulation by UK financial authorities of critical third-party service providers in the UK financial sector. Shortly thereafter, the UK financial authorities jointly published a discussion paper outlining options for implementing their proposed new powers. That consultation process closes in December 2022, but broader implementation timing remains unclear.

In the United States, the New York Department of Financial Services (“NY DFS”) is currently in the process of updating its 2017 Cybersecurity Regulation to, among other things, impose tougher business continuity and data retention obligations on large entities. While DORA imposes broader obligations on financial entities, the updated NY DFS cyber rules may be tougher in certain respects (e.g., in their requirement for external audits) – see our recent blog post for the latest on the NY DFS Amendment.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Stephanie D. Thomas is an associate in the Litigation Department and a member of the firm’s Data Strategy & Security Group and the White Collar & Regulatory Defense Group. She can be reached at sdthomas@debevoise.com.

Author

Tristan Lockwood is an associate in the firm’s Data Strategy & Security practice. He can be reached at tlockwood@debevoise.com.