Brown Brothers Harriman & Co.

05/03/2024 | News release | Distributed by Public on 05/03/2024 13:11

Exploring the Impacts of DORA

The Digital Operational Resilience Act (DORA) is an EU regulation that creates an Information and Communication Technology (ICT) risk management framework for the financial sector. However, its impact will be felt globally because of the wide net it casts over both DORA-regulated entities and their service providers located outside of Europe.

Owing to the complexity of DORA, the European Supervisory Authorities (ESAs) are releasing more details on DORA implementation in two distinct batches:

  • Batch 1 was published on January 17, 2024, made up of three regulatory technical standards (RTS) and one implementing technical standard (ITS).
  • Batch 2 is expected in July 2024 and is made up of four distinct regulatory technical standards, one implementing technical standard, and accompanying guidelines.

Here we deconstruct some of the complexities of the regulation as the January 17, 2025, deadline looms.

DORA By the Numbers

Two types of firms are affected by DORA: (1) those directly in scope, including banks, asset managers, and central securities depositories (CSDs), and (2) those deemed critical ICT providers to in-scope entities. It also applies to in-scope entities' service providers that materially support their ICT stacks. Such organizations could include software providers, data centers, and cloud providers, as well as internet and email hosts.

The in-scope regulated entity "types" that fall within the full scope of DORA for incident reporting template purposes are listed below:

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers as authorized under MiCA
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Trade repositories
  • Managers of alternative investment funds
  • Management companies
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries
  • Institutions for occupational retirement provision
  • Credit rating agencies
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • Securitization repositories
  • Other financial entity
  • Non-financial entity: ICT intra-group service provider
  • Non-financial entity: Other

Three regulatory principles underpin this gargantuan regulation:

  1. Convergence - a common language and common standards around cyber and ICT risk across the EU.
  2. Proportionality - DORA implementation may consider the size and overall risk profile of an entity as well as the nature, scale, and complexity of services.
  3. Security by Design - firms should consider elements such as the design of products, services, and distribution channels. Security and proper governance to mitigate risks should be present throughout the entire life cycle of the product.

Five primary areas of activity are contained within DORA:

  1. ICT Risk Management
  2. Reporting of ICT related incidents
  3. Digital Operational Resilience Testing
  4. Third Party Risk Management
  5. Information and intelligence sharing

Six stages are outlined in the DORA implementing technical standards (ITS) as best practice when it comes to assessing ICT risk management:

  1. Identify
  2. Protect and Prevent
  3. Detect
  4. Respond and Recover
  5. Learn and Evolve
  6. Communicate

DORA's Implications

  • A firm could face a penalty of 1% of their average daily worldwide turnover for non-compliance. This period of non-compliance accrues daily for up to six months.
  • There are three "layers" that determine what constitutes a "major ICT incident":
    • Layer 1: Determine if the incident affects critical services.
    • Layer 2: Determine if the incident is a result of a malicious intrusion.
    • Layer 3: Determine whether the incident impacts at least two of the following six criteria:
      • Number of clients affected
      • Amount of data loss
      • Reputational impact
      • Duration and service downtime
      • Geographic spread
      • Economic impact
  • A major ICT-related incident should be reported with an initial notification within one business day, an intermediate report within a week of the initial notification, and a final report with root-cause analysis submitted no later than one month.
  • There are 15 mandated reporting templates within the DORA regulatory technical standards. Firms will be required to use these to compile a register of information as well as the relationships between the entity maintaining the DORA register, its branches, and each of the ICT and other critical third-party service providers. The templates contain relational keys which outline the end-to-end structure of ICT supporting the DORA entity's business model regardless of their own location or regulatory status. Once again, this shows that DORA is a highly comprehensive set of rules.
  • The Central Bank of Ireland's Consultation Paper CP140 already provides industry guidance on operational resilience. While DORA is more prescriptive, many banks and asset managers in Europe already largely adhere to many of its operational resilience requirements. The regulatory themes of operational resilience, outsourcing and delegation risk management, business continuity processes, and cyber security have been large focus areas and continue to be top priorities.
  • In Luxembourg, the CSSF recently introduced a new ICT-related incident reporting framework by way of Circular CSSF 24/847, which broadly aligns with the requirements of both DORA and the EU NIS2 cybersecurity directive.

Many questions remain as the industry processes the outstanding RTS and ITS and compares them with the plethora of global operational resilience regulations already in place.

To discuss DORA, please contact Adrian Whelan or your BBH representative.