DORA – further rules on ICT risk management for financial entities
As of 17 January 2025 financial entities must comply with the new EU Regulation on digital operational resilience (2022/2554), commonly known as DORA. This new regulation, and the associated Directive, will result in further requirements for ICT risk management by financial entities.
Background: enhanced operational resilience
Against the background of the ongoing digitalisation of financial activities and services and the increasing importance of ICT support for financial entities, it has been considered that the existing regulatory requirements on ICT risk management are no longer sufficient to deal with issues such as increasing cyber risks, interdependencies of IT systems and the continued operations of financial entities. Consequently, as part of the EU FinTech action plan it has been decided to increase the resiliency of the financial sector. For that purpose DORA and a corresponding Directive have been adopted, also in view of further harmonisation of rules throughout the EU.
Scope: financial entities
DORA will apply to ‘financial entities’. As with other EU regulation, one must look more closely to understand its scope. Financial entities include a wide array of financial undertakings, including banks, payment institutions, electronic money institutions, investment firms, trading venues, fund managers and management companies, insurance undertakings, insurance intermediaries and IORPs. Exceptions include fund managers (AIFMs) subject to the AIFMD registration regime and small and medium-sized insurance intermediaries.
DORA is of a cross-sectoral nature as it relates to basically all financial undertakings. This is a deviation from the existing rules on ICT risk management for financial institutions that are based on sectoral rules.
DORA includes requirements on (i) ICT risk management, (ii) ICT-related incident management, (iii) resilience testing, (iv) managing ICT third-party risk and (v) information sharing. In turn, these topics include specific requirements. ICT risk management, for example, includes rules on identifying ICT-related risks, maintaining an internal governance and control framework, a separate control function, internal audit, monitoring, detection of anomalies, business continuity, back-up requirements and disclosure of incidents to clients, counterparts and the wider public. While specific to ICT-related aspects, this resembles the overall risk management requirements for financial undertakings under the respective applicable regimes. In this respect DORA simply specifies and elaborates on ICT risk management as part of the overall risk management of financial undertakings. Similarly, the rules on managing ICT third-party risk resemble the existing rules on outsourcing of (critical) functions. For example, here too the rules relate to prior assessment of third-party providers, agreeing on specific contractual rights such as inspection and audit rights, and ongoing monitoring. As such, one may say that ICT third-party risk management is not new and should basically already be covered by existing arrangements, especially if the outsourcing of IT services is considered to be critical.
It is important to note that, with DORA too, the full scope of the requirements will only become clear once the further regulatory technical standards are final. Consequently, while the overall picture is clear from DORA itself, financial entities will have to await these further rules to have a full view of the requirements to be met.
The new DORA requirements mean that existing requirements will no longer apply to the extent that they are covered by DORA. Examples include the EBA Guidelines on ICT and security risk management and the EIOPA Guidelines on information and communication technology security and governance. These guidelines may however remain relevant for the purpose of explaining the DORA requirements to the extent necessary.
Apart from DORA, the corresponding Directive amends the applicable UCITS, Solvency, AIFMD, CRD, BRRD, MiFID, PSD and IORP Directives, basically by laying down that the financial undertakings subject to the rules under these Directives will implement the necessary ICT risk management policies and procedures as part of their overall operational requirements. Being Directives, these new requirements will still have to be implemented into local EU law, likewise no later than 17 January 2025.
Exemptions: ‘DORA light-touch’
DORA provides for a light-touch regime for ICT risk management for small and non-interconnected (category 3) investment firms, exempted credit institutions, payment institutions, electronic money institutions and small IORPs. This light-touch regime still requires those financial entities to apply the necessary policies and procedures in respect of ICT risk management in general, but the full DORA regime on ICT risk management does not apply to these financial entities. In doing so, DORA specifically applies the proportionality principle that is also laid down as a general rule for the DORA requirements as a whole. For this light-touch regime too, further regulatory technical standards will be adopted. Consequently, the financial entities that may benefit from this light-touch regime must await the final regulatory technical standards in order to fully understand the requirements.
Apart from this, several DORA requirements do not apply to microenterprises, being financial entities (other than trading venues, central counterparties, trade repositories and central securities depositories) with fewer than 10 employees and a turnover and balance sheet total not exceeding €2 million. As a result, one may say that a light-touch regime also applies in respect of microenterprises. However, this light-touch regime is of a different nature, as the full DORA requirements on ICT risk management will in part still apply to these microenterprises rather than not applying at all.
Action is certainly required to comply with the requirements set forth by DORA. However, because the date of application is only 17 January 2025 and further regulatory technical standards still have to be adopted, financial entities may await further developments, as it will be difficult to anticipate the full DORA regime already.