Digital Operational Resilience for the Financial Sector (DORA): 10 things to know

(1) Scope

DORA will have a very broad application and it will cover all authorised European financial entities, altogether 20 types of them. This includes credit, payment and e-money institutions, investment firms, crypto-asset service providers (CASPs) that will be authorised under the Markets in Crypto-Assets Regulation (MiCA) as well as issuers of asset-referenced tokens, central securities depositories (CSDs), central counterparties (CCPs), trading venues, trade repositories, alternative investment fund managers (AIFMs), management companies, data reporting service providers, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory audit and audit firms, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories. As mentioned earlier, DORA will also apply to ICT third-party service providers.

Notwithstanding its intentionally broad scope, DORA provides some elements of proportionality. In line with a general principle of proportionality, in-scope financial entities will be required to comply with DORA by taking into account their size and overall risk profile, as well as the nature, scale and complexity of their services, activities and operations. DORA also provides limited exemptions for certain financial entities, including sub-threshold AIFMs, small insurance and re-insurance undertakings exempt from Solvency II, small institutions for occupational retirement provision, persons exempt from the Markets in Financial Instruments Directive (MiFID), insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises, as well as certain post-office giro institutions.  Conversely, some of the most advanced digital testing requirements will be applicable only to the biggest, “significant” financial entities.

In addition, for the purpose of the application of DORA it is necessary to consider the scope of ICT services that will be subject to its requirements. Whist DORA defines the term “ICT services” in high-level terms, there are a lot of uncertainties about the practical identification of the relevant in-scope ICT services. In particular, there is an ongoing debate about delineation between the financial services and ICT services, guidance on which is expected to be provided by the Commission.

(2) ICT Risk Management and Internal Governance Arrangements

DORA will require financial entities to have in place comprehensive internal governance and control frameworks for the “effective and prudent” management of ICT risks. It puts an explicit and ultimate responsibility upon a management body of a financial entity for defining, approving and overseeing the implementation of all arrangements relating to the ICT risk management framework. The relevant elements of the management body's responsibilities are set out in the legislation. In addition, financial institutions, with an exception for microenterprises, will have to establish a role to monitor the arrangements concluded with ICT third-party service providers, or designate a member of senior management for the purpose of overseeing the related risk exposures and documentation.

Financial entities will be obliged to build, maintain and subject to regular audits a sound, comprehensive and well-documented ICT risk management framework, consisting of strategies, policies, procedures, ICT protocols and tools. DORA is documentation-heavy: financial entities will be required to use and maintain updated ICT systems, protocols and tools, as well as identify and detect developments that pose a potential source of ICT risk, especially those configurations that interconnect with internal and external ICT systems. Secondary legislation lays down detailed rules on these tools, methods, processes and policies. DORA sets out prescriptive measures that financial entities will need to comply with for the purpose of protection and prevention, detection, response and recovery from ICT risks, including having a dedicated and comprehensive ICT business continuity policy and plans, notably in respect of critical or important functions outsourced or contracted through arrangements with ICT third-party service providers. Secondary legislation further specifies the required content of this policy. As part of their business continuity policy, financial entities will have to conduct a business impact analysis (BIA) of their exposures to severe business disruptions; they will also have to establish a crisis management function, ready to manage internal and external crisis communications in case an ICT business continuity plan gets activated.

Finally, financial entities will have to have in place measures establishing backup policies and recovery methods (including, for example, a specific obligation for CSDs to maintain at least one secondary processing side), as well as establish appropriate “learning and evolving” frameworks allowing them to gather information on vulnerabilities and cyber threats for the purpose of analysing their likely impacts on their digital operational resilience. Their staff and senior management will have to undertake compulsory digital operational resilience training. Financial entities should have measures in place allowing them to monitor the effectiveness of the implementation of their digital resilience strategy as well as bespoke crisis communications plans as well as internal and external communication policies.

(3) ICT Related Incidents: Management, Classification and Reporting

DORA will require financial entities to establish and implement a specific ICT-related incident management process to detect, manage and notify ICT-related incidents, and to record them together with significant cyber threats. Financial entities will also have to classify ICT-related incidents and determine their impact in accordance with a set of prescribed criteria, details of which are set out in secondary legislation. Adding to the already existing complexity of regulatory reporting, DORA will require financial entities to report major ICT-related incidents to competent authorities; this obligation could be outsourced to a third-party service provider. Draft Regulatory Technical Standards (RTS) setting out reporting templates, their content and time-limits for the submission of initial notifications and reports were proposed by the European Supervisory Authorities (ESAs) in July 2024 following a public consultation in the beginning of the year. The Commission has yet to endorse and adopt these RTS.

(4) Digital Operational Resilience Testing

Within the context of their ICT risk management framework, financial entities will have to put in place a sound and comprehensive digital operational resilience testing programme, comprising of a range of assessments, tests, methodologies, practices and tools. Testing should be applied on a risk-based approach, by an independent party – either internal or external. In addition, significant financial entities will be required to carry out every three years advanced testing by means of threat-led penetration testing (TLPT). The ESAs have developed detailed rules that specify elements related to this threat-led penetration testing, including threshold-based pre-classification of financial entities that will be subject to TLPT. 

(5) Management of ICT Third-Party Risks and Contractual Arrangements

As indicated earlier, one of the objectives of DORA is to provide a framework for a principle-based sound management of ICT third-party risks. The legislation sets out the relevant principles, including in respect of contractual arrangements, taking into account the principle of proportionality. Financial entities will have to establish a strategy on ICT third-party risk, and will only be able to enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. DORA specifies circumstances in which such contractual arrangements should be terminated and requires that for ICT services supporting critical or important functions, financial entities will have to have in place exit strategies. Among other obligations, financial entities will have to perform a preliminary assessment of ICT concentration risk at the entity level, weighting the benefits and costs of alternative solutions if applicable. DORA sets out a list of elements that a contractual arrangement between a financial entity and an ICT third-party service provider will have to include. This includes controversial rules on subcontracting which are to be set out in secondary legislation and are yet to be finalised. Finally, financial entities will have to include detailed information about all ICT third-party service providers in a register of information, distinguishing between those that cover ICT services supporting critical or important functions and those that do not. As recently demonstrated in a sample dry-run exercise hosted by the ESAs, completion of the register of information might be a complex task, in particular when the financial entity procures many ICT services from third-parties. To add to the complexity of things, the draft implementing technical standards (ITS) that will set out templates for the registers of information has been rejected by the Commission and sent for re-drafting to the ESAs.

(6) Critical ICT Third-Party Service Providers and Oversight Framework

As indicated earlier, DORA sets out a separate set of provisions applicable to critical ICT third-party service providers, which in accordance with the Commission’s proposal, would be designated by the ESA's Joint Committee and on the basis of a list of criteria set out in DORA and specified in secondary legislation. DORA sets out limited exemptions from the designation rules, including for intra-group provision of ICT services. As an alternative to a top-down designation process, DORA foresees a possibility for an ICT third-party service provider to opt-in to the oversight regime. In respect of cross-border arrangements, financial entities will not be able to use the services of an ICT third-party service provider that is deemed critical but established in a third country unless such a service provider has established a subsidiary in the EU within the twelve months following designation. As the ESAs will be using information on ICT third-party service providers that will be included by financial entities in their registers of information, it is expected that the first critical ICT third-party service providers will be designated in H2 2025.

DORA sets out a structure of an Oversight Framework, composed of the Oversight Forum and the Lead Overseer (this being one of the ESAs). The latter will have far-reaching powers, including power to request access to relevant information and conduct general investigations and inspections, and imposing periodic penalty payments in cases of non-compliance with measures the Lead Overseer requires a critical ICT third-party service provider to undertake. DORA sets out modalities for the Lead Overseer to exercise its powers outside the EU. In July 2024 the ESAs published final draft RTS and guidelines that aim to harmonise a number of conditions that would enable the ESAs to work within the Oversight Framework. The Commission has yet to endorse and adopt these RTS.

(7) Information sharing arrangements, supervision and enforcement

DORA will permit – albeit not mandate – financial entities to exchange amongst themselves information and intelligence about cyber threats, including indicators of compromise, tactics, techniques, procedures, cyber security alerts and configuration tools.

(8) Supervision and Enforcement

In terms of the supervisory framework and enforcement, DORA places supervision of compliance with its requirements with the respective competent authorities responsible for overseeing the in-scope financial entities. To this end, the competent authorities will have all supervisory, investigatory and sanctioning powers necessary to fulfil their supervisory duties and including, among other powers, access to any document or data, carrying out on-site inspections and investigations, as well as imposing administrative penalties and remedial measures.

(9) Interlinkage with other regulatory requirements

With all its complexity, DORA should not be considered in isolation. Throughout its legislative review much focus has been dedicated to DORA’s interlinkage with other initiatives, notably the revised Directive on Security of Network and Information Systems (the NIS 2 Directive) and pre-existing initiatives such as the European Banking Authority’s (EBA) guidelines on outsourcing arrangements and the EBA guidelines on ICT and security risk management. To provide more clarity on the relationship between DORA and the NIS 2 Directive, the Commission has published guidelines. In this context it is also important to note a new regime for critical third-party providers that is currently being developed in the UK, which is likely to be an important point of consideration for firms with both EU and UK presence.

(10) Next steps

DORA will become applicable on 17 January 2025. In the meantime, a whole set of secondary legislation that will set out detailed, technical rules specifying some of the key provisions of DORA will have to be developed. This work is already well under way, with the relevant rules being at different stages of development and the great majority still pending formal approval.  This means that intense regulatory work is likely to continue until the very last moments ahead of the DORA’s application.

Practical considerations

As outlined above, DORA sets out very detailed rules for financial entities and critical ICT third-party service providers. While some of them might be a harmonisation of what certain financial entities already do or are already subject to, for some others, including those smaller firms or those that will enter the European regulatory perimeter by means of authorisation as CASPs, compliance with DORA’s requirements might prove to be a challenge. Overall, DORA will have a significant impact on in-scope firms’ governance structures and processes. While some of the biggest and most sophisticated financial services firms’ are already likely to have complex ICT systems and procedures in place, conducting their review and adaptation to DORA’s standards will be a complex task. Integrating financial institutions’ management bodies so that they play an active role in the ICT risk management framework may require an in-depth evaluation of the internal governance arrangements.

As 17 January 2025 is fast approaching, in-scope entities, including European financial entities as well as entities that can potentially be designated as critical ICT third-party service providers should start reviewing their internal arrangements and third-party contracts with a view to getting ready to ensure timely compliance. This review should include, but not be limited to, making an inventory of third-party ICT services arrangements and considering them in the content of DORA’s requirements.

How can we help

Norton Rose Fulbright has a multi-disciplinary team of specialised lawyers, risk advisory and compliance experts with relevant expertise to provide comprehensive DORA support. Our relevant practices include:

• Financial Services Regulatory: Our global financial services and regulation practice helps our clients navigate the evolving and increasingly complex regulatory environment, working seamlessly across major business and financial hubs. We have broad expertise advising clients on all aspects of governance arrangements, outsourcing and third-party risk management.
• Information, Governance, Privacy and Cybersecurity: Our dedicated global practice of information governance, privacy and cybersecurity lawyers helps clients manage legal risks related to cybersecurity, privacy, data governance, information technology, and intellectual property.
• Technology Consulting: Effective implementation and adoption of any technology requires a deep understanding of what is technically possible and operationally feasible. Our technology consulting practice provides technical knowledge to help clients take full advantage of new and emerging technologies, together with legal and compliance experts we help to devise and implement technologically-savvy compliance arrangements.
• Sourcing and Technology: Our global team of sourcing and technology lawyers use their industry knowledge to provide commercial legal advice on all aspects of sourcing transactions in areas including emerging technologies and intellectual property to multi-jurisdictional data transfer and regulation. We regularly advise clients on the most complex outsourcing transactions and third-party contractual arrangements in the market.
• Risk Advisory and Risk Consulting: Our global risk advisory and risk consulting practice, comprising risk, compliance and industry specialists, works closely with our lawyers to deliver a combination of skills and experience that can meet the increasingly complex risk challenges facing your business. We regularly advise clients on issues relating to operational resilience, including operational resilience frameworks, crisis scenario planning and response and operational resilience enhancement and good practice.
• Government Relations and Public Policy: Our government relations and public policy practice helps clients promote policy change, shape draft legislation and manage regulatory risk, and to track all relevant legislative and regulatory developments. We have been closely following DORA legislative review, and we continue doing so with its secondary regulations.