DORA: A new concept of Digital Operational Resilience for financial institutions

Authors: Andrea Sudano and Alessandro Fratini


Introduction

After the global financial crisis of 2008 unfolded, the need to strengthen the integrity and resilience of banking and financial systems (e.g., banks, insurance companies and investment firms) became prominent in the context of European institutions and their national governments.

As a result, the so-called Digital Operational Resilience Act was drawn up [1] (hereinafter the DORA Regulation or DORA), a measure that aims to meet the need for standardized, Europe-wide legislation on digital finance. It should be emphasized that prior to this regulatory intervention, the European legislator had shown little interest in the digital operational security of financial institutions. Regulatory interventions were largely marginal – often based on unclear principles and difficult to interpret – resulting in a stratification of national regulation built on disparate and unbalanced approaches.

In September 2020, the proposal for the DORA Regulation was introduced as part of a broader regulatory programme, the so-called digital finance package (digital operational resilience for the financial sector). The package includes further regulatory interventions on the cryptocurrency market (the so-called MiCA – Markets in Crypto-Assets – proposal [2]) and on distributed ledger and blockchain technologies (Pilot Regime for Market Infrastructures based on Distributed Ledger Technology, hereinafter the DLT proposal [3]). The goal of the “digital finance package” is to balance the inexorable development of technology with the need to ensure the stability and security of the banking and financial system as a whole, in order to protect consumers.

Specifically, the DORA Regulation establishes a regulatory framework for “digital operational resilience”, meaning an organization’s ability to build, ensure and review its operational integrity from a technological point of view. Through such a framework, a shield of protection can be put in place against threats and security events involving ICT (Information and Communication Technology; in Italian, the so-called TIC – Tecnologie per l’Informazione e la Comunicazione) tools, whether directly or indirectly (where third-party ICT service providers are used). The value of such an approach to the “digital resilience” of financial institutions was also confirmed by the outbreak of the COVID-19 pandemic and later by the conflict between Russia and Ukraine. These are two recent historical events that, together with the exponential growth of cyber threats, are recalled in the European Systemic Risk Board’s 2022 report [4] as evidence of the need for a change in the way financial sector security issues are conceived and addressed.

Objectives of the proposed Regulation

By targeting EU Member States, DORA will apply to all European financial services entities, an estimated total of more than 20,000 companies. One notable feature of the Regulation’s scope, in terms of the entities it covers, is that it applies both to traditional financial companies (e.g., credit institutions, stock exchanges, investment institutions) and to newer financial entities (e.g., cryptocurrency service providers, issuers of crypto assets), in addition to the aforementioned third-party ICT service providers.

This is a particularly broad scope of application in terms of the entities covered, but it is functional to a homogeneous application of risk management strategies across the entire ICT landscape, and it also ensures a level playing field between financial services. The main points of the proposed Regulation are described below.


Governance (Art. 4 – DORA Regulation)

With reference to the definition of the roles and responsibilities of top management in the correct implementation of the requirements dictated by the proposed Regulation, the active role entrusted to the Management Body stands out. The Management Body is called upon to act as a guide in adapting the organization’s ICT risk management framework, as well as to supervise the company’s cybersecurity posture, thereby contributing to the definition of an overall strategy. Full responsibility for risk management also lies with the Management Body. It will be required to identify roles and responsibilities within the functions related to ICT services, to control and monitor the development of related risks, to map and manage all approval and control processes, and to ensure the allocation of resources for ICT-related investments, including training.

Risk management (Arts. 5-14 – DORA Regulation)

Regarding ICT risk management, the digital operational resilience referred to in the draft Regulation is based on fundamental principles that are the result of legislative drafting as well as substantial input from the European Supervisory Authorities (the so-called ESAs). For the purposes of proper ICT risk management, it is first and foremost considered essential to assign roles and responsibilities to the corporate functions called upon to manage ICT risk (e.g., the roles in charge of identifying risks and the roles called upon to prepare security and protection measures).

Financial entities must be able to ensure that ICT-related risk management is effective, efficient and properly documented, achieving a level of digital operational resilience appropriate to the needs, size and complexity of their business activities.

These principles are expressed in numerous prescriptions addressed to financial entities, for which no specific standard is mandated; the Regulation instead simply refers to sector standards and best practices recognized at European and international level.

Examples include, but are not limited to, processes of:

        • constant identification of all sources of risk;
        • introduction of protective and preventive measures;
        • early detection of abnormal activities;
        • implementation of business continuity strategies and disaster recovery plans.

The aforementioned ICT risk management framework must be reviewed at least once a year, and in any case in the event of serious ICT-related incidents or following instructions from the supervisory authorities to this effect, so as to ensure continuous monitoring. It should also be emphasized that the risk management strategies deployed by financial institutions should not be limited to the implementation of appropriate tools to ensure the resilience of the ICT infrastructure. It is necessary to consider and involve, more generally, all the business processes that make up the organization’s activities, as well as to promote a culture of cyber risk awareness among personnel. Indeed, the ultimate aspiration (vision) of the proposed DORA Regulation appears to be a new approach to “digital resilience” that is not limited to the ICT context but involves the entire business organization as a whole.

As mentioned in the introduction, the security risks that undermine the stability of financial entities also derive from sources outside the ICT and cyber contexts. Risk management activities must therefore make a further and more extensive effort to develop a “comprehensive” approach that also considers economic and geopolitical factors in the assessment of all possible threats and risk scenarios. Only in this way does it become possible to ensure, with greater efficiency, the security of business in financial institutions.

Incident management (Arts. 15-20 – DORA Regulation)

Regarding the management of security incidents, the draft Regulation requires financial entities to put in place a security incident management process that allows for the effective monitoring and recording of ICT-related incidents, in order to harmonize and streamline detection and reporting procedures. It also provides for an obligation to classify incidents on the basis of criteria dictated by the Supervisory Authorities (so-called materiality thresholds), as well as an obligation to report ICT-related security incidents deemed particularly serious to the competent Authorities. The competent authorities are listed in detail in Art. 41 and differ according to the financial entity required to report the incident.

Under these articles, financial institutions are also obliged to keep documentary records of incident management by way of initial, intermediate and final reports. In addition to this, there are reporting obligations towards customers impacted by the incident, the relevant bodies within the ECB (European Central Bank), and the single points of contact defined by the NIS Directive.

Resilience testing (Arts. 21-24 – DORA Regulation)

A further relevant point that emerges from the draft Regulation is the obligation to carry out, at regular intervals, appropriate tests that measure the resilience of the organization’s ICT infrastructure, in order to proactively identify threats and determine the appropriate corrective and mitigating measures. While from the perspective of ICT risk management the new Regulation seems to treat all financial entities alike, with reference to the activities set forth in Articles 21-24 the European legislator differentiates between the subjects falling within the scope of the Regulation. The draft Regulation, in fact, limits the obligation to perform advanced penetration testing (PT) activities to large financial institutions. These PT activities may only be carried out by authorized and appropriately certified subjects, with consequent provisions on the manner in which the related outputs must be communicated. However, smaller companies too are required to periodically check the integrity of their ICT systems, including through PT activities.

Beyond the scope of application of the provisions on resilience testing, what seems worth emphasizing is, once again, the paradigm shift made by the proposed DORA Regulation, as it does not limit itself to the topic of risk management (through the aforementioned “holistic” knowledge of threats and risks) but extends to the field of countermeasures. Specifically, an analysis of the normative text repeatedly reveals a concept of “dynamism”, which influences not only the approach to risk analysis (no longer ‘static’, but capable of identifying and assessing risks and threats “on an ongoing basis”) but also the verification of the countermeasures put in place, through “effective testing” based on threat intelligence activities (e.g., Red Teaming).

Third-party ICT service providers (Arts. 25-40 – DORA Regulation)

Finally, it should be noted that the DORA Regulation is designed to ensure robust monitoring, on a regular basis, of the risk arising from third-party ICT services. In general, the Regulation emphasizes the importance of establishing effective third-party management processes throughout the entire lifecycle of the relationship with the financial institution.

In addition to this, it should be noted that the ESAs (European Supervisory Authorities) are called upon to carry out oversight actions, especially regarding the ICT suppliers that make up the organization’s supply chain, as these entities will be considered critical suppliers in terms of digital operational resilience. Furthermore, all contractual agreements governing ICT supplies should feature a full description of the services offered, in accordance with the guaranteed SLAs. In this context, the use of standard contractual clauses drawn up for specific services is also favored. The obligations and responsibilities of financial entities and third-party ICT service providers must be clearly assigned and defined in writing. Financial entities must ensure that the ICT services provided by the third-party provider are covered by an appropriate contractual structure governing the management of the risks to which the financial entity may be exposed (e.g., cybersecurity risk, cloud risk, compliance and reputational risk). Finally, the financial institution’s necessary powers of inspection, to verify the soundness of the supplier’s technical and organizational infrastructure, must be ensured.


Conclusion

In conclusion, with the proposed DORA Regulation, the European legislator takes the high road to achieving the digital operational resilience of financial entities. DORA constitutes a real “digital revolution” for European finance and will contribute – also in the face of the threat of sanctions – to strengthening and consolidating the cybersecurity posture of all the entities to which the Regulation applies. Lastly, it will also contribute to the healthy development of economic life in the various countries and to the protection of European citizens.


[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595

[2] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0593

[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0594

[4] https://www.esrb.europa.eu/pub/pdf/ar/2022/esrb.ar2021~8c51ab2011.en.pdf

ICT Cyber Consulting