Upcoming EU Rules on Digital Operational Resilience

DORA introduces significant new compliance obligations on financial entities, including:

• Creating a sound and well-documented ICT risk-management framework that allows ICT risks to be addressed quickly, efficiently and comprehensively. It is important for the framework to include methods to identify, classify and document all ICT supported business functions, roles, responsibilities and dependencies in relation to ICT risk and all processes that are dependent on third-party service providers (ICT Providers), and identify the ICT Providers whose services support “critical or important functions,” the disruption of which would materially impair the financial performance of a financial entity or its compliance with the conditions and obligations of its authorization or obligations under financial services law, or the soundness or continuity of its services and activities.
• Obligations relating to the management, classification and reporting of ICT-related incidents (based on the incident’s severity), where in particular, ICT-related incidents with “a potentially high adverse impact on the network and information systems that support critical functions of the financial entity” must be reported without undue delay. Financial entities must also ensure compliance with any reporting obligations triggered under other laws, such as the General Data Protection Regulation (EU) 2016/679 (GDPR) (see below).
• Conducting advanced threat-led penetration testing at least every three (3) years, to cover critical or important functions, including outsourced or contracted functions.
• Ensuring that contracts with ICT Providers include the mandatory terms (see below) and maintaining a register of contractual arrangements with ICT Providers. The information in the register must be made available to the competent authority (determined by the business industry of the financial entity) on request, alongside annual reports on the number of new arrangements for the use of ICT services and the provided functions.

DORA will also regulate ICT Providers that are “critical for financial entities.” These critical ICT Providers will be designated by European Supervisory Authorities (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)), collectively known as the ESAs, based on criteria defined in DORA. It is expected that the critical ICT Providers will consist of a small number of well-known vendors (and there is likely to be significant overlap with service providers designated as “critical” under proposed new UK rules).

DORA also establishes a framework for information sharing arrangements, under which financial entities may exchange cyber threat information and intelligence provided the information sharing arrangements protect the potentially sensitive nature of the information.

Mandatory Contractual Terms for Outsourcing Arrangements
DORA sets out specific requirements for contracts with ICT Providers, but financial entities should also consider the principle of proportionality and take into account the nature, scale, complexity and importance of ICT-related dependencies, and the risks arising from contractual arrangements on the use of ICT services (e.g., criticality or importance of the service, process or function, and the potential impact on the continuity and availability of financial services and activities at individual and group level).

The minimum contractual requirements that must be implemented with ICT Providers are not unfamiliar and are closely aligned with the existing EBA guidelines on outsourcing arrangements. Standard contractual clauses developed by public authorities for specific services (e.g., the EU standard contractual clauses for cloud computing services) can be relied on rather than negotiating bespoke agreements. The contracts must include the following requirements:

• A clear and complete description of all functions and services to be provided, including service levels;
• The locations where the functions and services are to be provided and where associated data is to be processed;
• Provisions on ensuring access, recovery and return of personal and non-personal data to the financial entity if the ICT Provider becomes insolvent;
• Obligations on the ICT Provider to participate in the financial entity’s ICT security awareness and digital operational resilience training programs, assist the financial entity following an ICT incident relating to the services, and fully cooperate with competent authorities; and
• Termination rights on specified occurrences.

Where the ICT services are supporting critical or important functions, the contract must contain additional provisions, e.g. on service-level descriptions (full descriptions including updates and revisions), notice periods and reporting obligations, requirements for the ICT Provider to implement and test business contingency plans and cooperate in the financial entity’s threat-led penetration testing, the financial entity’s right to conduct ongoing monitoring on the ICT Provider’s performance, as well as exit strategies and mandatory transition periods during which the services will continue with a view to reduce the risk of disruption and/or to allow migration to another provider or an in-house solution.

Interrelation of DORA and Data Protection Legislation
It will be critical for financial entities to consider the impact of their new compliance obligations under DORA with respect to their obligations under data protection legislation, such as the GDPR. DORA is intended to complement the GDPR; it does not replace it, nor does it derogate from it. As such, the GDPR will remain fully applicable to the processing of personal data within the financial sector. DORA and the GDPR share common objectives of safeguarding the security, confidentiality and integrity of data (whether personal or not), however the practical alignment of financial entities’ compliance obligations under the two regulations must be considered. Some of the key areas of interrelation which financial entities need to consider are the following:

• ICT risk identification, classification and documentation: A part of this process should already be completed to an extent by financial entities in their compliance with the documentation obligations under Article 30 of the GDPR, which require organizations to maintain a record of their personal data processing activities (commonly referred to as a “ROPA”), including details of what data is being processed by whom (e.g. by third parties) and in which locations. However, DORA’s requirements are broader; they cover all information assets and not only personal data. Financial entities must consider any data privacy risks when creating and maintaining a risk-management framework, and ensure compliance with the GDPR’s data protection principles (e.g., lawfulness, fairness and transparency, purpose limitation, data minimization and accountability) and the principle of “data privacy by design and default”—this means that privacy and data protection issues must be considered at the design phase of any system, service, product or process and throughout its life cycle. Additionally, financial entities must implement and maintain policies in relation to their data security measures to comply with the accountability principle. Financial entities within DORA’s scope will already have these in place; however, it is likely that they will need to be revised following DORA’s entry into force.
• Data protection impact assessments (DPIAs): If during the identification and classification of ICT risks and assets the financial entity determines that an ICT Provider will be engaging in a type of processing of personal data which is likely to result in a high risk to the rights and freedoms of individuals, a DPIA pursuant to Article 35 of the GDPR must be carried out. Under DORA, financial entities must conduct a risk assessment upon each major change in the network and information system infrastructure or in the processes or procedures affecting their functions. Where a DPIA must be conducted, it is likely that the financial entity must also assess the general security levels of its ICT systems and ICT Providers.
• Contracts with ICT Providers: Where an ICT Provider processes any personal data as a processor for and on behalf of a financial entity as a controller, the requirements of Article 28 of the GDPR must be implemented in a data processing agreement in addition to the DORA mandatory contractual terms. DORA’s provisions are more detailed than the Article 28 GDPR provisions, so any existing data processing agreements may need to be repapered, particularly regarding any new obligations relating to the revision or implementation of security measures.
• Incident and breach reporting obligations: Financial entities must consider the extent to which their reporting obligations for ICT-related incidents under DORA may overlap with the obligations to report personal data breaches under the GDPR. Personal data breaches are defined in Article 4(12) of the GDPR as security breaches leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. An ICT-related incident may also be a personal data breach, so a financial entity must also comply with the GDPR obligations relating to notifying data protection supervisory authorities and/or affected individuals of the breach. Additionally, both DORA and the GDPR require organizations to provide training on ICT risks and data protection obligations; it would be prudent to ensure that any training covers the overlapping reporting obligations.

Consultation of DORA Policy Products by the ESAs
A public consultation was launched on June 19, 2023, by the ESAs on the first batch of policy products under DORA and will run until September 11, 2023. DORA mandates ESAs to jointly develop altogether 13 policy instruments in two batches. A public hearing (via a webinar) to obtain market participants’ initial views is to be held on July 13, 2023. More detail on the consultation process can be found on ESMA’s website.

The first batch of policy products includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS). The RTS and ITS relate to the risk-management framework, the criteria for classifying ICT-related incidents, the establishment of templates for the register of information and specifying the policy on ICT services provided by ICT Providers. They are to be submitted to the European Commission by January 17, 2024.

Conclusion
DORA includes a two-year implementation period, with additional regulatory technical standards to be released during that time. Developing and implementing a framework that complies with the requirements of DORA is likely to take significant effort and will require appropriate resources. As an initial step, entities will need to map out their obligations and identify current gaps. A repapering exercise may also be required to ensure contractual arrangements meet all obligations. Financial entities should therefore ensure they begin preparations well in advance of the deadline.