Back in November 2022, we highlighted the enactment of the EU’s Digital Operational Resilience Act (“DORA”) that will impose far-reaching operational resilience requirements and Board oversight requirements on almost all financial services firms regulated in the EU – including banks, insurers, payment services providers, crypto asset custodians, fund managers, among many others. DORA also regulates critical service providers that, for the first time, will be directly regulated by EU financial services regulators. In this article, we take a closer look at the obligations DORA imposes on covered entity Boards.
Given Member States are required to provide for individual civil liability for Board members, and may also provide for criminal liability if they wish, there is an added impetus to address proactively the role of the Board. In particular, covered entities may wish to:
- put DORA on the Board’s radar early—we anticipate Boards will be interested to hear about DORA and what is likely to be required of them personally, and as an organisation, to become DORA-ready and ensure ongoing compliance;
- evaluate whether Board members have sufficient knowledge and skills to understand and assess ICT risk and its impact on the covered entity, as is now required, and provide training ahead of January 2025 to address any potential skills gaps;
- assess the intersection of Board obligations under DORA with management oversight obligations in other relevant jurisdictions, such as those under NYDFS Part 500 cyber rules to identify potential synergies in a joined-up compliance framework.
Below, we outline Board obligations under DORA and provide more specific implementation suggestions.
What is the “Management Body”?
DORA imposes obligations on the covered entity’s “Management Body”. For most covered entities, DORA adopts the definition of “Management Body” from the principal regulating legislation for that type of entity (e.g., PSD2, MiFID etc.). In most cases, this means that the obligations bite on the covered entity’s Board, even in group structures. Entity-level Boards may therefore need to assess whether they have sufficient oversight of, input into, and control over policies and procedures set at group level to discharge their obligations under DORA.
The Board has ultimate responsibility
Under DORA, the Board has ultimate responsibility for the covered entity’s ICT risk management and operational resilience strategy. This signals the likely increased regulatory expectation that Boards more closely oversee digital operational resilience-related risks than may currently be the case, including by ensuring, at a minimum, compliance with DORA’s varied and detailed technical and policy obligations.
In practice, we expect that during routine regulatory inquiries and formal investigations there may be more questions on the nature and extent of Board engagement, especially where systemic failings are suspected.
Mandatory skills and training for Board members
DORA requires that Board members keep up to date with sufficient knowledge and skill to understand and assess ICT risk and its potential impact on the covered entity, including by following specific training on a regular basis.
In practice this may mean that Board members need to develop and maintain at least an understanding of:
- basic technical and organisational features of ICT security and resilience;
- the importance of ICT security and resilience to the financial entity;
- the specific ICT-related risks facing the financial entity; and
- the measures the financial entity has in place to mitigate those risks and associated acceptable risk tolerances.
This training may usefully be delivered through a combination of periodic briefings, tabletop simulation exercises, and workshops. Covered entities will likely want to document these activities to be able to demonstrate the Board’s meaningful engagement. This might be a short document outlining the covered entity’s Board training program (including cadence and content) and attendance records.
Board to receive mandatory briefings
DORA requires the Board to receive reports from senior ICT staff at least yearly on lessons learned from testing, audits, and incidents. DORA also requires the Board to put in place reporting channels that enable it to receive reports about “at least major ICT-related incidents”.
Many covered entities will already have processes in place to ensure that Boards receive regular briefings from senior ICT staff and are notified about significant incidents. For some covered entities though, DORA may expand the scope of those briefings and lower the threshold for what incidents are notified to the Board.
Covered entities may therefore want to review existing briefing and reporting protocols and cyber incident response plans to ensure they align with DORA. In doing so, covered entities should also consider whether their risk profile means that more frequent briefings are necessary or appropriate to align with the likely greater regulatory scrutiny that DORA might bring.
Board has to approve and regularly review policies and procedures
DORA requires the Board to implement, approve and regularly review various key policies, plans and arrangements. This includes, for example:
- setting and reviewing clear roles and responsibilities for all ICT-related functions and establishing governance arrangements;
- establishing and reviewing reporting channels for ICT third-party service providers, planned material changes to ICT third-party service providers, potential impact of such changes on critical or important functions, and major ICT-related incidents;
- implementing and reviewing data availability, authenticity, integrity, and confidentiality policies;
- approving and reviewing the financial entity’s ICT business continuity policy and ICT response and recovery plan;
- approving ICT internal audit plans and modifications and reviewing results;
- allocating and reviewing the digital operational resilience
For many covered entities, these obligations may expand the scope of policies for which the Board assumes ultimate responsibility consistent with DORA’s expectation of more active involvement in overseeing ICT risk. Setting and being able to demonstrate procedures for the Board’s active engagement with the approval and review process is likely to be important. Covered entities could consider aligning approval and review processes with mandatory training (e.g., an initial briefing, tabletop exercise, or workshop) or the mandatory annual briefings from senior ICT staff, as mentioned above.
What is at stake
As noted above, DORA requires Member States to provide for individual civil liability for Board members and leaves open the option for Member States to provide for criminal liability too. Added to the potentially significant organisational penalties for non-compliant entities, it is clear that DORA raises the stakes around Board engagement on digital operational resilience risk issues. Given the structural, and in some cases, cultural changes that DORA might necessitate, covered entities may wish to start planning for how to make those changes now ahead of DORA’s January 2025 “go live” date.
To subscribe to the Data Blog, please click here.
The cover art used in this blog post was generated by DALL-E.