Maria Adele Di Comite (Research Director, IDC Financial Insights Corporate and Retail Banking)

DORA Brings ICT Service Providers Under the Direct Scrutiny of the EU’s Financial Supervisory Authorities

The EU Digital Operational Resilience Act (DORA) proposal is a game changer in risk management. The digital transformation of the financial industry has led to a highly interconnected and interdependent ecosystem, entailing a systemic risk across the industry. In the digital era, no single financial organisation can operate as an independent entity.

With DORA, EU regulators acknowledge financial organisations’ growing dependency on ICT and cloud service providers. Therefore, the digital resilience regulation proposal addresses the concerns of a possible systemic risk stemming from the prominent role of critical ICT service providers in the financial industry. Regulators are moving to have a direct and active involvement to mitigate the systemic risk that could impact the industry. With the regulation proposal, one of the financial services’ European supervisory authorities (EBA, ESMA, EIOPA) will have direct supervision over ICT service providers to enhance the overall financial industry’s digital resilience. The underlying reasoning, as outlined in the DORA proposal, is that “digitalisation and operational resilience in the financial sector are two sides of the same coin”.

Source: IDC, 2022

Enhancing the Security of Financial Entities Beyond the Brick-and-Mortar Space

Financial organisations have had to redesign their operating models to address their customers’ demands for innovative and personalised solutions, offering a seamless real-time customer experience. The omni-channel experience is now an established expectation for end customers and for B2B interactions. Consumers want to access their financial services from anywhere, at any time, and they want a fast and seamless customer experience.

Meanwhile, demand for speed and the need to contain high operating costs have led financial entities to deploy more advanced and scalable architectures. In a recent IDC survey, 94% of the FSIs that responded said they use cloud services (IDC Industry Acceleration Survey, April 2021, n = 197 FSIs). While digital transformation was already ongoing, COVID-19 has accelerated this trend. Customers have become used to remote interactions with their suppliers, and organisations have had to cope with severe restrictions that have challenged “business as usual”. In the past, remote working was the preserve of some forward-looking companies. During the pandemic, hybrid workplace arrangements have proved to be powerful business continuity enablers and have now become widespread.

The digital transformation of financial organisations has led to a distributed digital infrastructure ecosystem that calls for a holistic approach to risk management. This is why EU regulators have introduced a paradigm shift, expanding their oversight to all components of the distributed digital infrastructure (each a potential weak point in the security chain). The purpose is to enhance the overall financial industry’s resilience through a holistic approach that encompasses end-to-end oversight of operational risk.

Who Is Impacted by DORA?

DORA applies to all financial entities in the EU and to the ICT providers servicing the industry. The definition of financial entities under the DORA proposal is very wide and encompasses all kinds of players in the financial industry, from banks and credit institutions to payment institutions, pension funds, insurance companies, investment firms and all players in capital markets.

The DORA proposal also applies to the critical ICT third-party providers, as defined in the regulation, that service the financial industry and could have a systemic impact on financial services provisioning in Europe.

The Five Pillars of the DORA Proposal

The key regulatory requirements can be grouped into five pillars: ICT risk management, digital operational resilience testing, ICT third-party risks, ICT-related mandatory incident reporting and voluntary information sharing.

Source: IDC, 2022
  • Risk management: Financial entities should have a robust, well-documented ICT risk management framework to effectively deliver greater digital operational resilience. Adopting a risk-based approach, financial entities’ business continuity policies and disaster recovery plans must also consider the key functions that have been outsourced or are delivered through arrangements with ICT third-party service providers.
  • Incident reporting: Regulators recognise how difficult it can be for financial entities to meet all mandatory incident reporting requirements, stemming from all the rules and regulations (GDPR, NIS, e-IDAS, SSM, PSD2, etc.) that could apply when tackling a single ICT-related incident. The DORA proposal foresees a harmonisation of reporting content and templates. Regulators also envisage centralising the reporting of major ICT-related incidents and will investigate the feasibility of setting up a single EU hub for major ICT-related incident reporting by financial entities.
  • Digital operational resilience testing: Financial entities should carry out a comprehensive digital operational resilience testing programme at least annually. The DORA proposal also has a specific provision that requires financial entities to ensure the involvement of ICT third-party providers in their digital operational resilience testing whenever applicable. Threat-led penetration testing, to be undertaken by financial entities at least every three years, should also be done with the direct participation of the relevant ICT third-party service providers.
  • ICT third-party risk: ICT third-party risk should be managed by the financial entities as an integral component of their ICT risk management framework. DORA will bring critical ICT third-party providers under the direct supervision of one of the three European supervisory authorities that oversee the financial industry.
  • Information sharing: With DORA, regulators acknowledge the importance of exploiting the data-rich ecosystem to strengthen the financial industry’s incident prevention and response capabilities, overcoming the existing regulatory barriers that have hindered this. The proposal encourages financial entities to share cyberthreat information and intelligence to enhance the industry’s digital operational resilience. Voluntary information sharing should take place through well-structured information-sharing arrangements within trusted communities. Financial entities will also be asked to notify their competent authorities of their participation in such information-sharing arrangements, so that the supervisory authorities can ensure a proper balance between cybersecurity and privacy protection.

It’s also worth mentioning the DORA provision under art. 28, which establishes that “financial entities shall not make use of an ICT third-party service provider established in a third country that would be designated as critical pursuant (…) if it were established in the Union.”

What Are the Risks for ICT Third-Party Service Providers?

DORA will bring critical ICT third-party service providers under the direct scrutiny of the EU financial supervisory authorities. The European Supervisory Authorities’ joint committee will identify and list the designated ICT third-party service providers that are critical for financial entities. Each ICT provider will need to verify whether its organisation is among the designated providers. If it is, the provider will need to meet all the DORA requirements and help its customers comply with them. If it is not, the ICT provider can apply to the joint committee to be included on the list.

What Is the Impact on Financial Entities?

DORA puts the relationship between the financial entities and their technology partners in a new light to jointly address the regulatory requirements. Financial entities and ICT third-party service providers should increase their collaboration to tackle the upcoming EU regulation. Financial entities need to be reassured by their providers that they are qualified partners to prepare them for the paradigm shift. Without this reassurance, financial entities will need to look for alternative providers.

How Should the Industry Prepare for DORA?

The final version of DORA is expected in the next 12 months. Meanwhile, it’s important for financial entities and ICT service providers to get started by focusing on five initial areas:

  1. Awareness: ensure a proper understanding of the DORA regulatory requirements, as applicable to your organisation, and also involve the management board
  2. Roles and responsibilities: set up a DORA programme involving all relevant internal stakeholders
  3. Gap analysis: undertake a preliminary self-assessment; the gap analysis will help your organisation assess whether the existing ICT risk management approaches meet the requirements proposed in DORA
  4. Planning: define a risk-based road map to bridge any compliance gaps
  5. Collaboration: identify and prioritise the relevant partners to collaborate with

Financial entities and ICT third-party service providers should foster collaboration to tackle the upcoming EU regulation on digital operational resilience: are you ready for the paradigm shift?

To find out more about DORA, please join our webcast on May 10, 2022, or see the IDC Perspective “Digital Operational Resilience: New European Regulatory Initiatives Herald Significant Change for the Financial Services Sector and ICT Third-Party Service Providers”.


To learn more about our upcoming research, please contact Maria Adele Di Comite or George Briford, or head over to https://www.idc.com/eu and drop your details in the form on the top right.
