Preparing for DORA: The countdown begins
12 November 2024
Industry representatives explore the impact of DORA as firms race to get ready with less than 100 days to go until its implementation. Carmella Haswell reports
The clock is ticking, and the race to prepare for the Digital Operational Resilience Act (DORA) implementation is underway. With less than 100 days to go, firms will have to thoroughly evaluate and possibly revamp their technology stacks in preparation.
Proposed by the European Commission in 2020 as part of its digital finance package, the regulation responds to the industry’s reliance on technology. “As an industry, we are more exposed to the ever increasing sophistication of cyber threats,” says John de Freitas, director, Aponix Cybersecurity and Privacy, ACA Group.
The regulation aims to fill a critical gap by introducing an EU-level framework for digital operational resilience for the financial sector.
He highlights that US regulators are coming in line with European regulators: “When it comes to operational resilience, we are all moving in the same directions. We will probably see DORA become the gold standard of operational resilience legislation.”
While firms gear up for DORA’s implementation, concerns remain around its requirements.
Bringing harmonisation
DORA is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. It aims to strengthen the information and communication technology (ICT) security of financial entities in the remit of the three European Supervisory Authorities (ESAs).
In addition, it seeks to ensure that the financial sector in Europe is able to stay resilient in the event of a severe operational digital disruption. Applying to 21 different types of financial entities, the regulation consolidates and upgrades different rules on ICT risk.
It also introduces a pan-European oversight framework for the ICT risks posed by ICT third-party providers. The oversight framework will be an additional layer, complementing the supervision of financial entities’ ICT risk that remains the responsibility of the supervisory authorities.
DORA is designed to bring together all requirements addressing digital risk in the financial sector into a single legislative act, addressing inconsistencies and harmonising the requirements for all financial entities in a risk-based and proportionate way.
According to the European Securities and Markets Authority (ESMA), ICT has become more pervasive in the financial sector, with the delivery of financial services increasingly dependent on the smooth operation of complex or less complex ICT systems.
Further, the increased digitalisation and interconnectedness of the financial sector increases the efficiency in service delivery, while at the same time it also introduces ICT and information security risks.
An ESMA spokesperson warns: “If not managed properly, these risks could lead to disruptions of financial services, often across borders with far-reaching effects. This is where the importance of solid ICT risk and information security risk frameworks for the financial industry has become increasingly important to safeguard the smooth and secure operation of the financial services.”
In line with this sentiment, Darren Crowther, general manager, Securities Finance and Collateral Management Solutions, at Broadridge, says the regulation is “set to play a critical role in bolstering the financial sector’s defence against cyber threats”.
He adds: “For many of Broadridge’s clients, the securities finance market is essential for their financial strategies, offering important liquidity and revenue opportunities for both their firms and their clients. The stability and security of these services is crucial for maintaining trust amid increasingly sophisticated cyber threats.”
Reviewing how the regulation has been received by the industry, Francesca Blythe, partner, data protection, privacy and cybersecurity, at Sidley Austin, reveals that there is confusion around the purported scope of DORA. For example, whether, and in what instances, it applies to financial entities outside of the EU, whether it applies in an intra-group scenario and what activities or services actually fall within scope of ICT services. This uncertainty can “create challenges for compliance and risk management”.
Crowther adds that stricter requirements imposed by DORA have raised concerns among some industry players about their feasibility, “especially regarding the timelines for reporting ICT-related incidents”. He pinpoints that many organisations find it difficult to balance the demands of meeting tight deadlines with the need for comprehensive compliance.
Making the initial report within four hours of determining an incident is "major" is a very short timeline for firms, says de Freitas, and there is real concern about being able to meet that deadline while firms are in the “hectic stage” of responding to an incident. In addition to meeting timelines, it would appear that firms are also worried about providing regulators with the “right level” of information to meet the rapid reporting requirements of the rule.
New contractual issues also pose challenges for those in-scope. From an ACA Group perspective, de Freitas says small firms often do not feel they have the power to demand that larger vendors include certain provisions in their contracts.
He adds: “Even when it is a contractual need that is supported by a regulation and the third party likely has multiple clients that would need contractual additions to meet DORA's requirements, there is still a common feeling of disempowerment there.”
Aligning with requirements
The impending regulation covers a host of key requirements for those in-scope to follow, including ICT risk management and governance, incident response management and reporting, and digital operational resilience testing.
There are two groups that are subject to DORA: EU financial entities and ICT third-party service providers (TPSPs). Financial entities include almost all regulated financial services firms and financial market infrastructure providers in the EU, ranging from banks to investment firms and credit rating agencies.
ICT third-party service providers can be based in any jurisdiction, EU or non-EU, and are defined as any entity that provides ICT services to an EU financial entity. The regulation’s definition of ICT services is broad: in summary, it covers digital and data services provided through ICT systems on an ongoing basis.
DORA specifically defines ICT services as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.
Blythe warns that, in practice, all data analytics, data processing, technical services etc could potentially fall in-scope of what constitutes ICT services, even if the provider does not categorise itself as a “traditional ICT service provider”. They could also fall within scope irrespective of whether or not the services are provided intra-group or externally.
Importantly, not all third-party providers are directly regulated under DORA: only those designated as “critical” are subject to the oversight of the supervisory authorities. The designation criteria for a critical ICT TPSP include whether the provider is systemically important to a large number of financial entities, whether it supports financial entities’ critical or important functions, and how difficult it is to substitute.
Blythe warns that those ICT service providers not designated as critical may still indirectly fall within scope via contract, because the in-scope EU regulated financial entities are themselves obligated to impose certain contractual obligations on their providers.
In terms of the key points in-scope entities and providers are required to follow: ICT risk management and governance rules will require firms to implement a comprehensive risk management framework for ICT systems. For example, this includes using standard operating procedures (SOPs) and IT security measures.
For incident response management and reporting rules, those in-scope will need to establish systems for monitoring, classifying and reporting ICT-related incidents. Major ICT-related incidents must be reported in phases (an initial notification, an intermediate report and a final report) to a competent authority and (in certain cases) to financial entities.
According to de Freitas, there has been an uplift in timeframes and notification requirements in this respect. Under DORA, firms have 24 hours to let the relevant competent authority know that a potential major incident has taken place. Firms then have 72 hours to submit an intermediate report. The final report on the incident needs to be settled and completed within 30 days.
Furthermore, in-scope firms must establish, maintain and periodically review a comprehensive digital operational resilience testing programme. Here, de Freitas indicates that resilience testing “needs to be aligned with the profile of the organisation”. For example, testing for a firm actively trading on markets versus a private markets organisation may be different — as the former may require a higher availability of key systems.
Sharing information about events across the landscape and about incidents relating to cyber threats is a “key sentiment” echoed throughout multiple areas of the DORA legislation, de Freitas explains.
There are also requirements on managing third-party risk. These matter because “regulators appreciate just how much financial entities tend to outsource, with that outsourcing comes significant risk”, de Freitas comments. Financial entities will need to undertake due diligence on their ICT providers and ensure appropriate contractual measures are in place.
As with all regulatory changes, it is imperative for in-scope firms to be aware of the penalties they face if they do not adhere to new requirements.
Penalties for breaches of DORA will be imposed by competent authorities at the national EU Member State level, eg criminal penalties, administrative fines, and mandatory implementation of remedial measures.
Members of financial entity management can be faced with fines and can even be individually named in public decisions by the competent authority.
Currently, critical ICT TPSPs can be subject to a periodic penalty payment of up to one per cent of their average daily worldwide turnover for each day of non-compliance, for up to six months. Non-critical ICT TPSPs are not fined directly under DORA, but they may lose clients if they do not comply with contractual requirements.
Prepare, prepare, prepare
With DORA in force since January 2023, two years will have passed by the time the application date arrives. Because of this, Blythe believes “it is unlikely that regulators will have an abundance of sympathy for in-scope organisations which haven’t adequately prepared, or those that haven’t started to prepare”.
She adds: “We really would recommend that this be treated as a priority.”
An ESMA spokesperson emphasises that such requirements are not entirely new as “many financial entities have been subject to sectorial guidelines, regulations, or supervisory expectations in the areas of ICT risk management, incident reporting and outsourcing for years” — while for some firms in the financial sector, some of these may be new.
Financial entities are expected to identify and fill in the gaps between their internal set-ups for managing ICT risk and the DORA requirements as soon as possible.
Speaking to Securities Finance Times, de Freitas reveals that the US, in particular, has experienced a lack of awareness about the regulation. He pinpoints that firms’ uncertainty around whether or not they are in-scope was the main reason for this — “there is still a good deal of uncertainty around the concept of extraterritoriality”.
“In the UK, in recent months, there has been more heightened activity in the run up to the deadline but firms are still assessing the degree to which their operations fall within the scope of the regulation,” de Freitas explained.
For firms ‘late to the game’, he recommends a comprehensive gap analysis of their current programme against the new requirements, allowing them to forge a prioritised and pragmatic roadmap to compliance.
In addition, he believes a risk-based approach would be beneficial to firms that are still early on in their journey to complying with the requirements, understanding where their gaps lie — whether it be smaller changes to their in-scope policies or fundamental upgrades to their technical controls.
The potential scope of work involved in this type of project should not be underestimated, warns Blythe. She adds: “Helpfully though, DORA emphasises the importance of proportionality. As such, if a company is only just now turning their attention to this, they can likely adopt a more risk-based or strategic approach to compliance.”
For example, when it comes to the inevitable contractual re-papering exercise, companies may consider prioritising contracts where the ICT services are core, as opposed to ancillary to their operations.
“Where possible, companies should also take advantage of their compliance with existing similar legal obligations (ie not all DORA requirements are necessarily new or will demand a heavy lift) and leverage external support to ensure efficiencies,” Blythe explains.
From a technology perspective, firms preparing for this regulation “need to thoroughly evaluate and possibly revamp their technology stacks”, according to Crowther. This involves establishing a comprehensive ICT risk management framework and digital operational resilience strategy.
Key steps for Crowther include conducting health checks of existing systems, setting impact tolerances, mapping dependencies, and developing robust incident response and communication plans. He adds: “Ensuring regular testing and maintaining updated self-assessment documentation are also critical components of a robust compliance strategy.”
Looking forward
Summarising how the regulation will shape the future of the securities finance industry, Broadridge’s Crowther says DORA will redefine the landscape by promoting harmonised resilience practices across regions, therefore driving efficiencies and risk mitigation.
In line with this, ESMA interjects: “DORA is expected to bring in a change of culture in the implementation of ICT risk frameworks for the industry, but also for the supervision of such risk. We very much look forward to its benefits in elevating the quality and trust in the financial services provision.”
Crowther says Broadridge is preparing by partnering with clients to improve digital resilience through its expertise in ICT frameworks, mutualised platforms and processes, and robust operational strategies.
He adds: “We emphasise collaborative solutions to navigate regulatory challenges effectively, ensuring that our clients within the securities finance domain and the wider financial sector are well-equipped to meet DORA's demands.
“By helping organisations fortify their defences and streamline their operations, we contribute to a more stable and secure future for the financial sector as a whole.”