Irish Region

Two EU legislative acts relating to digital operational resilience in the financial industry were recently published in the Official Journal of the European Union. 

Regulation EU 2022/2554 (DORA) and Directive EU 2022/2556 (DORA Amending Directive) will enter into force on 16 January 2023. 

As a regulation, DORA will be directly effective from 17 January 2025 without transposing measures. EU member states must implement the DORA Amending Directive from the same date.

Background

The financial sector requires resilient information communication technology (ICT) to operate. There is a growing international political, regulatory and supervisory focus on mitigating risks to the financial industry stemming from ICT reliance. DORA is one aspect of the EU's Digital Finance Package, which includes legislative proposals on markets in crypto-assets (MiCA), distributed ledger technology such as blockchain and a digital finance strategy. 

Objective of DORA

DORA aims to consolidate and upgrade ICT risk requirements in the EU financial sector, to guard against cyber-attacks and ensure that in-scope financial entities such as banks, insurance companies and investment firms are subject to uniform rules mitigating ICT-related operational risk. 

Existing Central Bank Guidance

While DORA is newly adopted EU legislation, in December 2021, the Central Bank of Ireland published (i) cross-industry operational resilience guidelines (Operational Resilience Guidelines) and (ii) guidance for the governance, risk management and business continuity management of outsourcing activities (Outsourcing Guidance) for regulated financial service providers in Ireland. Prior to that in 2016, the Central Bank of Ireland published cross-industry guidance in respect of Information Technology and Cybersecurity Risks which should be read in conjunction with the Operational Resilience Guidelines and the Outsourcing Guidance.

NIS2 

DORA aligns with broader measures for common cybersecurity levels across the European Union to improve the public and private sectors' resilience and incident response capacities. The NIS Directive (EU 2016/1148) was the first piece of EU-wide legislation on cybersecurity. Its expanded version, the recently adopted NIS2 Directive (NIS2D), relates to the resilience of a broad category of entities, including financial entities identified as operators of essential services. While NIS2 will enhance existing cybersecurity risk management measures and reporting obligations for multiple sectors and member state governments, DORA is financial sector-specific legislation.

DORA Amending Directive

The DORA Amending Directive will amend other Directives to align with DORA, including CRD IV, Solvency II, MiFID II, PSD2, UCITS and AIFMD.

In-scope entities

1.  Financial Entities

In-scope financial entities must effectively manage their ICT risks. Such entities must have the ability to withstand, respond to and recover from various ICT-related threats and disruptions. In-scope financial entities include those in the following sectors:

• Banking (e.g. credit institutions, payment institutions, electronic money institutions, investment firms and crypto-asset service providers).
• Financial markets infrastructure (e.g. central securities depositories, central counterparties (CCPs), trading venues, trade repositories and data reporting service providers).
• Funds (e.g. alternative investment fund managers (AIFMs) and UCITS management companies).
• Insurance (e.g. insurance and reinsurance undertakings, and insurance, reinsurance and ancillary insurance intermediaries).
• Other (e.g. credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories).

2.  ICT third-party service providers 

ICT third-party service providers designated as "critical" by any of the European Supervisory Authorities (ESA) will be subject to direct oversight by the ESAs when providing services to in-scope financial entities. ICT third parties not designated as "critical" may voluntarily opt-in to be subject to this oversight. The European Commission will adopt further regulation on the assessment criteria for designation by an ESA of a "critical" ICT third party.

Limited exceptions apply.

Key Elements of DORA

-         Governance and control

DORA sets out requirements for financial entities relating to governance structures, systems and controls. The management of an in-scope financial entity will have to define, approve, oversee and be accountable for the firm's ICT risk management framework.

-         ICT risk management framework

The ICT risk management framework must be sound, comprehensive and well-documented. It must be reviewed and should outline:

• how it fits within the firm's overall risk management framework;
• how it supports the firm's business strategy and objectives;
• clear roles and responsibilities for ICT-related functions;
• a communication strategy for ICT-related events;
• the firm's tolerance level for ICT risk;
• firm's information security objectives;
• the firm's information and ICT assets;
• a map of ICT asset configuration and interdependencies; and 
• critical ICT processes.

-         ICT security 

ICT security must be monitored and reviewed. Firms must identify ICT-related issues and employ mechanisms to detect potential ICT threats or problems.

-         ICT incident management, classification and reporting 

DORA promotes a consistent and integrated process to detect, manage and notify ICT-related incidents. Standardised reporting templates must be used, and relevant incidents must be reported to the competent authority within prescribed timeframes. Contact with service users or customers may be necessary, depending on the circumstances.

-         Testing

DORA requires comprehensive digital operational resilience testing of ICT tools, systems, methodologies, practices and processes. Independent parties must conduct testing of financial entity ICT. Critical ICT systems and applications should be tested by in-scope firms at least every 12 months. Some financial entities will be required to complete threat-led penetration testing no less than every three years.

-         Sharing information

DORA will oblige financial entities to share cyber-threat-related information and intelligence.

-         ICT third-party risk management

ICT third-party risk is a key part of the ICT risk management framework. Under DORA, ICT third-party service providers designated as "critical" will be subject to oversight by an ESA. Third-country critical ICT third-party providers must establish an EU subsidiary within 12 months of a "critical" designation to continue providing services within the EU. Contractual arrangements with ICT third parties will be important in this context.

Conclusion

Regulated firms in Ireland have followed the Irish Central Bank (and, where relevant, European Central Bank) guidance on outsourcing and/or operational resilience for some time. Many DORA requirements already feature in the risk-related frameworks of Irish-regulated firms. Nonetheless, for financial entities DORA will capture, we recommend conducting a scoping exercise and gap analysis against existing processes and practices (e.g. governance and control frameworks, risk policies, processes, procedures and ICT service provider contractual arrangements) to prepare for its implementation.

Published by William Fry LLP on 13 January 2023