New requirements on cybersecurity: Overview of the DORA Regulation
Introduction
On 16 January 2023, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA” or the “Regulation”) entered into force. DORA applies from 17 January 2025; financial entities and third-party information and communication technology (“ICT”) service providers have until that date to achieve compliance, after which supervisory enforcement begins.
The European Union is placing a strong focus on the digitalisation of the financial sector and the increased security risks that come with it. The result is a harmonised, EU-wide framework of cybersecurity rules for the sector.
The general objective of DORA is to strengthen the digital operational resilience of the EU financial sector and to ensure that the latter stays resilient through a severe operational disruption.
For that purpose, DORA streamlines and upgrades existing rules, but it also imposes new obligations on both financial entities and critical ICT third-party providers to strengthen the security of the ICT systems they use and to ensure they can withstand, respond to and recover from ICT-related disruptions and threats.
Financial institutions should start performing their gap assessment against the Regulation and the regulatory technical standards (“RTS”) released by the European Supervisory Authorities (“ESAs”), i.e., the EBA, EIOPA and ESMA, on 17 January 2024.
What are the key takeaways of the DORA? To whom does this regulation apply?
(1) DORA’s scope of application
DORA covers a wide range of financial entities regulated at the EU level, including credit institutions and investment firms, payment and electronic money institutions, central counterparties and trade repositories, alternative investment fund managers, (re)insurance undertakings and intermediaries, crypto-asset service providers and issuers, and crowdfunding service providers.
Although most of these entities are already subject to some form of cybersecurity regulation in the EU, DORA significantly expands the scope of these regulations and will apply to most of an in-scope entity’s business activities in the EU.
In addition, ESAs will be able to designate “critical ICT third-party service providers” based on preset criteria and the potential systemic impact they could cause if they were to experience a large operational failure.
(2) DORA’s key provisions
DORA requires all financial institutions regulated at EU level to ensure that they can withstand all types of ICT-related disruptions and threats.
This means implementing measures across the following core areas, which are called the five pillars of resilience:
a) ICT risk management. The first pillar concerns the adoption of a comprehensive ICT risk management framework and governance arrangements to address evolving digital risks. In particular, financial institutions shall ensure that their ICT documentation (procedures, policies, controls, tools) complies with DORA requirements. In this respect, the Regulation requires that the ICT risk management framework covers the identification of ICT risk, protection and prevention, detection, response and recovery, and that it puts in place mechanisms to learn from both external and internal ICT-related incidents.
ICT governance shall also be adapted. The Regulation explicitly requires that members of the management body of the financial entity actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by regularly following specific training commensurate with the ICT risk being managed. Furthermore, members of the management body must play an active and central role in steering the entity’s ICT risk management framework and overall digital resilience strategy and in adapting them to DORA.
b) ICT incident management and reporting. The second pillar concerns ICT-related incident management and reporting. Financial institutions shall put in place a consistent process to detect, log and classify ICT-related incidents, and shall report major incidents to the competent authorities.
This is intended to minimise the impact of cyber threats on consumer trust and financial stability by ensuring a prompt and coordinated response.
DORA also allows financial entities to notify, on a voluntary basis, the competent authorities of significant cyber threats.
c) Digital operational resilience testing program. The third pillar requires that financial institutions regularly perform assessments, such as vulnerability assessments, penetration testing, and scenario-based exercises.
Under DORA, all ICT systems and applications supporting critical or important functions must be put through rigorous and thorough testing to ensure that they can resist and recover from operational shocks.
d) Strategy for ICT third-party risk. Financial institutions shall adopt, and regularly review, a strategy on ICT third-party risk in order to assess the risks arising from ICT third-party service providers, including providers of cloud computing services.
The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting “critical or important functions” provided by ICT third-party service providers.
In addition, financial organizations must make sure that their third-party providers meet the same demanding requirements for operational resilience. This involves carrying out due diligence, monitoring performance, and making sure contractual agreements have clauses that mandate compliance with DORA requirements.
A register of information related to all contractual arrangements on the use of ICT services shall be maintained.
e) Information and intelligence sharing. The fifth pillar provides for the possibility, on an optional basis, for financial entities to exchange information and intelligence about cyber threats, enhancing the financial sector’s overall capacity to identify, respond to and reduce ICT risks.
(3) DORA’s newly published technical standards
ESAs have been mandated to jointly develop several policy instruments, which shall complement DORA’s pillars.
In this respect, and as indicated above, on 17 January 2024 the ESAs published the first set of final draft regulatory technical standards (RTS) and one Implementing Technical Standard (ITS). These instruments give concrete form to the requirements of DORA and set out the detailed rules that in-scope entities will have to follow.
The RTS and the ITS cover the following:
a) RTS on ICT risk management framework and on a simplified ICT risk management framework
These regulatory standards specify the requirements set out in Articles 15 and 16(3) of DORA.
They concern the policies, procedures, protocols and tools that financial entities must have in place to identify, protect against, prevent, detect and respond to ICT risk as part of their ICT risk management framework.
The standards also set out the essential components that financial entities subject to the simplified regime (entities of lower scale, risk, size and complexity) must adhere to. They establish a simplified framework for managing ICT risk, emphasising the principles of proportionality and a risk-based approach.
The ICT Framework is regulated by RTS, which requires a comprehensive set of 20 policies and procedures covering areas such as ICT asset management, encryption and cryptographic controls, ICT project management, acquisition, development and maintenance of ICT systems, physical and environmental security, human resources, identity management, access control, ICT-related incident management, and ICT business continuity.
Additional technical standards for advanced testing of ICT systems utilizing threat-led penetration testing will be released on 17 July 2024.
Furthermore, the ESAs may consider developing further guidelines in the areas that have been removed for the time being from the RTS, and also on cloud computing security aspects.
b) RTS on criteria for the classification of ICT-related incidents
These new RTS specify the criteria for the classification of major ICT-related incidents, including the approach for the classification of major incidents, the materiality thresholds of each classification criterion, the criteria and materiality thresholds for determining significant cyber threats, the criteria for competent authorities to assess the relevance of incidents to competent authorities in other member states, and the details of the incidents to be shared in this regard.
These RTS also set out a list of seven classification criteria for determining whether an incident constitutes a “major ICT-related incident,” as well as detailed materiality thresholds for each criterion. The criteria are as follows: clients and financial counterparts affected, reputation impact, geographical spread, duration and service downtime, data losses, critical services affected, and economic impact.
Details of the draft incident notification templates will be published on 17 July 2024.
c) RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers
These new RTS specify parts of the governance arrangements, risk management and internal control framework that financial institutions must put in place regarding the use of ICT third-party service providers. Their objective is to guarantee that financial organizations maintain authority over their operational risks, data security and business continuity for the duration of their contractual arrangements with these ICT third-party service providers.
They apply to contractual arrangements with ICT third-party service providers, including intra-group providers. The draft RTS have been developed taking into account the existing specifications in the ESAs’ Guidelines on outsourcing arrangements and the relevant specifications of the EBA Guidelines on ICT and security risk management.
On 17 July 2024, further technical standards will be published on how to evaluate ICT third-party service providers in the context of sub-contracting of “critical or important functions”, as well as on how to conduct oversight for ICT TPPs identified as critical.
d) Implementing Technical Standards (ITS) to establish the templates for the register of information
The templates establish the structure of the register of information that financial entities must maintain and regularly update with regard to their contractual arrangements with ICT third-party service providers. Unlike an outsourcing register, this register covers all contractual arrangements on the use of ICT services, not only those that qualify as outsourcing.
The register of information will play a vital role in the management of ICT third-party risk by financial institutions, and it will be used by the competent authorities to monitor compliance with DORA and to identify critical ICT third-party service providers subject to DORA oversight. Establishing this register will require significant effort for many companies, whether by introducing new tools or by making extensive modifications to existing systems.
The ESAs will submit the final draft RTS to the European Commission for adoption. Following its adoption in the form of a Commission Delegated Regulation, it will then be subject to scrutiny of the European Parliament and the Council before publication in the Official Journal of the European Union. The expected date of application of these RTS is 17 January 2025.
(4) Luxembourg implementation
On 4 August 2023, draft law No. 8291[1] (“Draft Law”) was submitted to the Luxembourg Parliament (Chambre des Députés).
Considering that the provisions of the Regulation will be directly applicable in Luxembourg law as of 17 January 2025, the main objectives of the Draft Law are confined to the following:
a) Designating the competent Luxembourgish authorities responsible for ensuring that the Regulation is applied by the in-scope entities subject to their supervision, namely, the Commission de Surveillance du Secteur Financier (CSSF) and Commissariat aux Assurances (CAA).
b) Providing the CSSF and CAA with the supervisory and investigative powers they need to perform their duties.
c) Establishing an appropriate system of sanctions and other administrative measures.
Based on the Draft Law in its current version, the CSSF and the CAA will be notably empowered to pronounce, within the limits of their respective powers, specific sanctions against persons subject to their respective supervision if certain provisions of DORA are violated.
In addition to implementing DORA, the Draft Law transposes into Luxembourg laws Directive (EU) 2022/2556 of 14 December 2022 (“DORA Amending Directive”), which amends specific European financial sector directives to implement digital resilience and ICT security requirements.
In this respect, the Draft Law introduces targeted amendments to nine Luxembourg laws relating to the financial sector, such as the law of 5 April 1993 on the financial sector (as amended) (“LFS”); the law of 10 November 2009 on payment services (as amended) (“LPS”); the law of 17 December 2010 on undertakings for collective investment (as amended); the law of 12 July 2013 on alternative investment fund managers (as amended); and the law of 7 December 2015 on the insurance sector (as amended).
(5) Practical implications: What does DORA mean for Luxembourg financial entities?
a) Outsourcing arrangements
In February 2019, the European Banking Authority (EBA) issued revised guidelines on outsourcing arrangements, which were integrated by the CSSF into its administrative practice and regulatory approach by means of CSSF Circular 22/806 on outsourcing arrangements dated 22 April 2022 (“Circular CSSF 22/806″).
Given the implementation of DORA and the transposition of the DORA Amending Directive into Luxembourg’s national laws, we can expect that Circular CSSF 22/806 will be impacted. Indeed, outsourcing arrangements shall, at all times, comply with the organisational requirements for outsourcing set out in the LFS and the LPS.
As these two laws will be amended to incorporate/follow DORA’s new regime, it ultimately means that the aforementioned Circular CSSF 22/806 will require revision as well.
Still, relevant entities currently following the outsourcing rules implemented in the Circular CSSF 22/806 will have some degree of comfort in knowing that there will be significant elements of compliance already in place.
b) Impact on third-party contracting
DORA’s application is broad. Not only does it apply to outsourcing arrangements, but also to ICT services as a whole.
In practice, this broader scope means that financial services entities that have already completed a project to comply with regulatory guidance on outsourcing will need to review those services that were not considered to be outsourcing but that will fall under the DORA definition of ICT services.
They will then need to assess those contracts against the contractual requirements of DORA.
For all contracts between a financial entity and an ICT third-party service provider on the use of ICT services, DORA sets out contractual requirements, with more stringent standards applying to providers that support “critical or important functions.” Article 3(22) of DORA defines such a function as one:
“The disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of which would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorization, or with its other obligations under applicable financial services law“.
These will have an impact on both new and existing contracts. The rights and obligations of the financial entity and the ICT third-party service provider must be expressly set forth in any relevant contracts, which must be in writing.
DORA’s contractual criteria closely follow the EBA Guidelines on outsourcing arrangements referred to above. Several clauses will be familiar, such as the following:
- An exhaustive list of contractual specifics (e.g., description of the services, locations of services provision, and data storage and processing).
- Requirements to include specific termination rights.
- Obligations on the ICT provider to, among others, comply with appropriate information security standards.
- Provisions to ensure access, recovery and return of data in the event of the insolvency, resolution or discontinuation of the operations of the ICT provider, or in the event of the termination of the contract.
DORA goes one step further, requiring the incorporation of new contractual provisions (e.g., ICT providers shall offer assistance “at no additional cost or at a cost that is determined ex-ante” when specific ICT-related issues have an impact on the service).
c) “Critical ICT third-party service providers”
As indicated above, the ESAs shall be entitled to review ICT third-party service providers on the basis of criteria specified in Article 31 of DORA and classify them as “critical” if necessary, based on several factors, including the following:
- The potential systemic impact on the provision of financial services in the event of a large-scale operational failure.
- The type and importance of entities that rely on the provider.
- How easily the provider can be replaced.
Where the ICT third-party service provider belongs to a group, the criteria referred to above shall be considered in relation to the ICT services provided by the group as a whole.
For each critical ICT third-party service provider, one of the ESAs is appointed as the “Lead Overseer.” The powers of the Lead Overseer under Article 35 paragraph 1 of DORA include the following rights:
- To request all relevant information and documentation it deems necessary for the performance of its duties.
- To conduct general investigations and (on-site) inspections.
- To request reports upon completion of oversight activities.
- To issue recommendations, such as on ICT security and quality requirements or on subcontracting.
The Lead Overseer shall notify the ICT third-party service provider of the outcome of the assessment leading to its designation as “critical ICT third-party service provider.”
After designating an ICT third-party service provider as critical, the ESAs, through the Joint Committee,[2] shall notify the ICT third-party service provider of such designation and the starting date from which they will effectively be subject to oversight activities.
Such starting date shall be no later than one month after the notification. The ICT third-party service provider shall notify the financial entities to which they provide services of their designation as critical.
Conclusion
Although most financial institutions are already subject to some form of cybersecurity regulation in the EU and in Luxembourg (for instance NIS 1 and the upcoming NIS 2), DORA significantly expands the scope of these regulations and will apply to at least some of their business activities in the EU.
As such, we strongly recommend financial institutions to carry out the following:
a) Review existing technical and organisational security measures (including systems, protocols and tools) against DORA’s requirements.
b) Determine the extent to which current processes and procedures can be leveraged or updated.
c) Integrate DORA’s ICT risk management requirements into a wider organisational risk framework.
d) Involve stakeholders from across the business, including legal, compliance and IT, with the board having ultimate oversight.
[1] Draft law No. 8291 aimed at: (i) implementing Regulation (EU) 2022/2554 of 14 December 2022 on the digital operational resilience of the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011; (ii) transposing Directive (EU) 2022/2556 of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards the digital operational resilience of the financial sector; (iii) amending (a) the amended law of 5 April 1993 on the financial sector; (b) the amended law of 13 July 2005 on institutions for occupational retirement provision in the form of a SEPCAV and an ASSEP; (c) the amended law of 10 November 2009 on payment services; (d) the amended law of 17 December 2010 on undertakings for collective investment; (e) the amended law of 12 July 2013 on alternative investment fund managers; (f) the amended law of 7 December 2015 on the insurance sector; (g) the amended law of 18 December 2015 on the failure of credit institutions and certain investment firms; (h) the amended law of 30 May 2018 on markets in financial instruments; (i) the amended law of 16 July 2019 on the implementation of European regulations in the field of financial services.
[2] “Joint Committee” means the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Authors
Jean-François Trapp
Partner
Baker & McKenzie
Ana Vazquez
Director
Baker & McKenzie