Cybersecurity in the EU: DORA is on its way to digital finance

Published on 22/09/2022

The objectives of the European Union and the return of DORA

After nearly a year of negotiations, the Council Presidency and the European Parliament reached a provisional agreement this summer to implement a digital operational resilience strategy, namely the Digital Operational Resilience Act (DORA), targeting cybersecurity in the financial sector.

Indeed, it is not surprising that European entities have set out to produce such a framework, given that information systems now occupy an important and strategic place in the financial world, and that cybersecurity is one of the 4 pillars of the European strategy for data. The resulting risks, which are increased by the use of external service providers, could have a significant impact on European market players.

It is on the basis of this observation that the DORA proposal was born and took its place in the European package of measures on digital finance and, more broadly, on innovation.

This digital finance strategy is in line with Europe’s intention to leverage innovation to strengthen its industry and its economy within an ethical and secure framework.

The proposal for DORA was developed along 5 main axes, including rules, guidelines and best practices, with the objective of strengthening the digital and operational resilience of the financial sector.

On the map: Resilience and risk management but what else?

The objectives of DORA are clearly defined. The regulation governs the development of IT operational resilience of financial entities. Digital operational resilience is part of a set of requirements applicable to IT risk management. Indeed, these requirements revolve around specific IT risk management functions: covered entities will need to be able to withstand, respond to and recover from the consequences of incidents, as well as protect customer data and ensure that their continuity plan is compliant.

The regulation lists the criteria that financial entities will be required to use to classify computer-related incidents and determine their impact. These incidents must be notified to the competent authority. The latter will be able to assess the possible transboundary impact. If a major incident were to affect service users or customers, they should be informed.

To achieve these objectives, financial entities use state-of-the-art IT technologies and processes to ensure the security of data transfers and to prevent data loss or unauthorised access. They have to ensure permanent monitoring and control of the functioning of their IT systems and tools.

Preparing to avoid and manage these incidents requires the acquisition of effective tools, but also other mechanisms such as the development of IT security awareness programs and digital operational resilience training for company personnel, in the form of mandatory modules.

Certain formalities must also be observed. Indeed, financial entities shall use up-to-date IT systems, protocols and tools that meet certain requirements. These elements must be documented.

To ensure effective and realistic management of risks and threats in the digital finance sector, the regulation imposes a series of requirements proportionate to the actors and activities concerned. For example, entities will need to dedicate sufficient resources, commensurate with their size, activity and risk profile, to manage access and to manage the occurrence of IT anomalies and IT-related incidents such as cyberattacks.

Finally, to help them interpret the various points of the regulation, the targeted financial entities will be able to rely on the clarifications that the European Supervisory Authorities (ESAs) will provide and on the results of intrusion tests.

Who would be part of the journey?

Like other European regulations, DORA applies to all member states of the European Union. More precisely, it applies to a list of financial entities regulated at EU level.
The second article of the regulation defines “financial entities” in a broad manner. This would include credit institutions, insurance companies, management companies, investment firms as well as third-party IT service providers or crypto-asset service providers, to name a few. …

Who’s concerned?

  • Credit institutions
  • Payment institutions
  • Electronic money institutions
  • Investment firms
  • Providers of services on crypto-assets
  • Central securities depositories
  • Central counterparties
  • Trading platforms
  • Trade repositories
  • Alternative investment fund managers and management companies
  • Data communication service providers
  • Insurance and reinsurance companies
  • Insurance intermediaries
  • Reinsurance intermediaries and insurance intermediaries on an ancillary basis
  • Institutions for occupational retirement provision (IORPs)
  • Credit rating agencies
  • Statutory auditors and audit firms
  • Administrators of critical benchmarks and providers of participatory finance services

The regulation takes into account various parameters regarding these entities, including the fact that they may be of different sizes and have different areas of activity, sometimes involving different scopes of risk exposure. As a result, certain requirements will only be imposed on entities that are not considered microenterprises.

The regulation also identifies the entities that would not be affected. This is the case for system operators and system participants, unless the participant is itself a financial entity regulated at European Union level.

Supervisors on the way?

The regulation provides the supervisory authorities with the appropriate tools to carry out their mission and meet their obligations.

Two specific topics are noteworthy: criteria on incidents and controls on ICT service providers.

Incidents are classified by severity and only IT-related incidents that are deemed to be major must be notified to the competent authorities.

As to the providers, specific controls are to be implemented for ICT service providers known as “critical”. In case of non-compliance, penalties linked to turnover or to the contractual relationship between the financial entity and its provider could be imposed. The contract with these third parties must contain specific information, including the following:

Content of the contracts with third-parties

  • A complete description of the services
  • An indication of where the data is to be processed
  • A complete description of service levels with quantitative and qualitative performance targets
  • Relevant provisions on accessibility, availability, integrity
  • Security and protection of personal data
  • Guarantees of access, recovery and restitution in the event of failure of third-party IT service providers
  • Notice periods and information requirements for third-party IT service providers, access rights
  • Inspection and audit rights by the financial entity or a designated third party
  • Clear termination rights and specific exit strategies.

Why a regulation and what consequences for existing legislative texts?

The European intervention through a regulation is explained by the scope of application of this instrument and the impact of digital technology. Indeed, the current disparities from one member state to another constitute an obstacle to the European market for financial services, because the targeted entities are confronted with contradictory or redundant requirements which sometimes hinder their activities and endanger their full compliance with regulations. This lack of homogeneity also raises questions from the point of view of competition within the European market.

The regulation will take full account of existing European legislation and some of it will be adapted to meet the requirements of DORA.

For instance, DORA takes full account of the existence of the Network and Information Security (NIS) Directive and is intended to coexist in harmony with it, avoiding contradictions and overlaps. The text as it currently stands does not seem to leave any room for doubt for financial entities, regardless of their material and territorial scope of application.

When does the legislative train leave?

The regulation is expected to come into force by the end of 2022. Thereafter, a review is planned every three years.

Still having doubts? Here is everything you need to know on DORA in a nutshell:

The proposal made by Europe supports companies through the current and future technological and economic upheavals. It has given us the tools to approach this new world with confidence, and Headmind Partners proposes to accompany you in this movement towards the future.

Written by Sanae BENSALAH & Hosna IRANMANESH
