Digital Operational Resilience Act (DORA)

Resilient Cyber Security for the European Financial Sector through DORA

In mid-December 2022, the EU adopted Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA). This is an important step towards achieving a high level of digital operational resilience in the financial sector within the European Economic Area. In view of the increasing dependence on information and communication technology (ICT) and the growing threat of cyberattacks, DORA is intended to strengthen the financial sector through a uniform set of rules in the areas of cybersecurity, ICT risks and digital operational resilience. The regulation is intended to ensure that financial companies make their digital systems and networks resilient and arm themselves against cyber threats in order to ensure the stability and integrity of the entire EU financial market. DORA will apply from January 17, 2025 and directly and immediately obligates all companies covered by its scope. Almost all supervised institutions and companies in the financial sector in the European Union are affected, in particular credit institutions, payment institutions and account information service providers, e-money token institutions, investment firms, crypto service providers, issuers of value-referenced tokens, central securities depositories, central counterparties, trading venues and crowd funding service providers, as well as trade repositories, data provision services and third-party ICT service providers.

Risks in the Focus of Financial Companies under DORA

The DORA contains various regulatory sections that together form the foundation for ensuring the digital resilience of the European financial sector. These include ICT risk management, the handling of ICT incidents including reporting obligations, tests relating to digital operational resilience, the management of third-party ICT risk and the monitoring of critical third-party ICT service providers. Accordingly, it is important to re-examine your own organization and internal processes and ensure compliance with the DORA’s compliance obligations. The principle enshrined in DORA is that the management of financial companies is expressly responsible for implementing the ICT risk management framework. The management of a financial company must therefore have sufficient knowledge and skills for the management of ICT risks under DORA and must always keep up to date in order to understand and assess the ICT risks and their impact on the business activities of the financial company. This also includes regularly completing appropriate training courses. Once DORA comes into force, it will no longer be possible for managers in any member state of the European Union to completely shift responsibility internally to the IT department or a Chief Information Officer (CIO) downstream from the management. Digital operational stability will become the original compliance duty of management. Another pillar of the DORA Regulation is the obligation of financial companies to qualify ICT incidents at the time they occur and to report serious ICT-related incidents to the competent authority. Under certain circumstances, a reporting obligation may also apply to affected customers and therefore also coincide with the reporting obligation under Art. 34 of the General Data Protection Regulation (GDPR).

Need for Adjustments of Contracts with ICT Service Providers

In addition, DORA also sets out specific requirements for contracts concluded between financial companies and ICT service providers. ICT service providers are companies that offer digital services. These include software as a service (SAAS) and cloud computing service providers, data centers, data services and software providers. DORA provides for certain regulations that must be agreed by the contracting parties. DORA therefore has a direct impact on all contracts already concluded or yet to be concluded with third-party ICT service providers. There are increased requirements for outsourcing contracts in particular. In this respect, DORA largely coincides with the BAIT, VAIT, KAIT and ZAIT circulars already issued by BaFin and AT 9 of MaRisk. BaFin has already announced that it will repeal redundant parts of the aforementioned circulars in order to avoid double regulation. Financial companies should therefore have existing contracts with ICT service providers reviewed for compliance with the provisions of DORA and, if necessary, adapt them by means of renegotiations. In this context, in addition to the provisions of DORA and the delegated acts issued in connection with it, financial companies must also keep an eye on the development of the supervisory practice of the competent supervisory authorities – in Germany, BaFin.

The competent lawyer for advice regarding regulatory compliance related to DORA and the handling of ICT risks as well as IT outsourcing in our law firm is Attorney Anton Schröder.