As part of the European Commission’s Digital Finance Strategy initiative to build a ‘digital ready’ Europe, the Commission recently published proposed legislation on digital operational resilience for the EU financial services sector, known as DORA. The objective is to implement a cohesive regulatory framework in the EU financial services sector to manage digital risks and build resilience against IT-related disruptions, threats and cyberattacks. DORA applies to a wide variety of financial firms and also to businesses providing IT services to those financial firms. Significant financial firms will be subject to the most onerous obligations.
The financial services sector has integrated complex technology systems and processes into all areas of its business. It is also heavily reliant on third party IT providers to manage data and deliver services to clients. This means that the financial services sector is a prime target for cyberattacks such as hacking, ransomware and identity theft. Cyberattacks that access computer systems and harm data are a particular problem for financial firms that hold large amounts of personal data related to bank accounts or insurance arrangements. Such attacks can result in reputational and financial damage to both customers and to the firms themselves.
Due to the rapid evolution of technology, the current EU rules on cyber-security are showing their age and are fragmented. EU legislation like the GDPR and the Directive on Security of Networks and Information Systems (NIS Directive) plug the gaps in certain cases. However, the disjointed approach creates exposure for firms and clients and is a roadblock to the EU’s vision of achieving a true digital single market.
Main elements of DORA
DORA will supplement and align the cybersecurity requirements across the EU financial sector to ensure technology, networks and data are protected.
DORA will introduce common standards to help mitigate the risk of cyberattack. Firms will have to apply the same robust set of protections. It will also reduce regulatory complexity across member states by providing a uniform set of definitions for IT risks, third party service providers and digital operational resilience.
The legislation will require financial services firms to design and maintain an IT risk management framework and put in place comprehensive internal governance to support this framework. This includes:
Building disaster recovery procedures and business continuity plans in proportion to the firm’s size
Creating communication policies
Carrying out adequate reviews to ensure improvements are made following significant issues
Periodically testing IT risk frameworks and addressing any deficiencies
Incident management and reporting
Financial services firms will have to establish a robust incident management policy that includes adopting early warning mechanisms and ensuring the suitable classification of issues. To ensure that reporting to the European point of contact is standardised across member states, firms will have to report major incidents to their national regulator using harmonised reporting templates.
To improve security awareness, DORA will encourage financial services firms to share information among themselves on cyber-security threats, response tactics and general intelligence on improving digital resilience. At the same time, the financial sector will continue to share information through the NIS ecosystem.
Outsourcing contract contents
The proposed legislation will require outsourcing contracts between financial services firms and third party IT providers to contain certain provisions and content with the aim of standardising terms and conditions where this is practicable.
Oversight of third party providers
In terms of third party providers of software, data and cloud services, DORA permits the European supervisory authorities (ESA) to specify any third party provider as ‘critical’.
An ESA will be designated as a lead overseer for each critical third party service provider. Critical third party providers will be subject to far-reaching obligations, including keeping suitable risk management procedures, permitting general investigations of their contracts and policies, and facilitating on-site inspections by the lead overseer. There may even be a requirement on the third party provider to refrain from entering into further subcontracting arrangements in certain circumstances.
Critical third party service providers are expected to co-operate in good faith with the lead overseer. DORA provides for administrative penalties on third party providers of 1% of average daily worldwide turnover for non-compliance. Member states can choose to impose harsher sanctions under national law.
Despite the appointment of a lead overseer, compliance with financial services regulations will remain with the existing competent authority.
The draft DORA legislation needs to progress through the European Parliament and European Council. Both bodies can propose amendments and so the final version of the legislation may differ from the current draft.
We expect various financial services and technology stakeholders to be involved in consultation and feedback as the draft legislation progresses. However, it can take over 18 months to pass complex legislation like DORA. Once the final version has been agreed there will also be an implementation period for member states to transpose it into their national law.
In a recent letter to the Commission, a joint group of EU regulators has suggested that the current draft presents governance and operational challenges due to the complexity of the oversight framework and the practicalities of enforcement. The regulators also call for a more comprehensive inclusion of the principle of proportionality in the proposed legislation.
Firms operating across borders should welcome DORA’s harmonisation of the overlapping and inconsistent cybersecurity regimes across Europe. Adopting the principles set out in DORA in relation to a firm’s own infrastructure and software and that of its third party providers will help firms safeguard reputation and business confidence. While implementation will not happen immediately, considering the issues the proposed legislation raises should remind financial service firms and their third party providers of the importance of IT security, the severe risks posed by cyber-security threats, and best practice in addressing them in today’s connected digital environment for financial services.