On 14 December 2022, the European legislator adopted a legislative package on digital operational resilience in the financial sector. Financial companies operating in the European Single Market are now subject to specific obligations to secure their digital systems. However, service providers of such digital systems are also affected. The requirements must be complied with from 17 January 2025.
Content and relevance
Digital operational resilience in the financial sector has been a topic of debate for some time now. This primarily refers to the security of the information and communication technology (ICT) systems that financial organisations use to provide their financial services. Such ICT systems keep key sectors of the economy, such as the financial sector, running and improve the functioning of the internal market. At the same time, increasing digitalisation and connectivity leads to ICT concentration risk (cluster risk), which makes the financial sector more vulnerable to cyber threats and ICT disruptions.
The EU has recognised the inherent dangers associated with a disruption or even a collapse of such services and has responded with a legislative package consisting of a regulation and a directive. Together, these are known as the Digital Operational Resilience Act or “DORA”. DORA therefore primarily deals with IT security issues in all their forms.
Background and objective
The legal provisions of DORA do not come from a vacuum; rather, they are embedded in a broader digital legislation agenda (alongside, for example, the NIS2 Directive (EU) 2022/2555), in an existing legal basis and in an international context (e.g. the G7 Fundamental Elements of Cybersecurity for the Financial Sector), and they are promoted by increasingly loud official voices in favour of sector-specific regulation (e.g. ).
The Group of 7 largest democratic economies (G7) already presented guidelines for an effective digital and cyber strategy for financial companies in 2016 in the aforementioned Fundamental Elements. For example, a financial institution must define a cybersecurity strategy and governance (clear internal allocation of roles and responsibilities with separate areas of responsibility), carry out risk assessments, ensure monitoring, response and system recovery, enable information sharing and ensure that cybersecurity measures are up to date.
In recital 2, the Regulation explicitly recognises the ever-increasing relevance of ICT systems in the financial sector and refers to the 2020 ESRB report, which sees the ever-closer networking and dependency in the financial sector as a source of cyber risks. An incident at one institution can spread like wildfire, particularly in the monetary sector. In order to mitigate potential risks to competitiveness and ensure the functioning of the internal market at all times, DORA is intended to ensure the stability of ICT systems in the financial sector. The legislation is closely aligned with the requirements already developed in advance by the G7.
Scope of application
The DORA will apply to “financial undertakings” and “third-party ICT service providers” in the EU. Financial undertakings are to include all companies as defined in Art. 2 (1) of the Regulation that are not third-party ICT service providers. This includes, among others, credit institutions, payment institutions, investment firms, rating agencies, but also occupational pension schemes or insurance companies. It is therefore an extensive list that is intended to cover the financial sector as comprehensively as possible.
What is special about the Regulation, however, is that ICT companies are now also covered insofar as they provide services specifically for financial companies. This term is to be understood broadly and is intended to include virtually any service, whether software- or hardware-based, with the exception of “traditional analogue telephone services” (Art. 3 No. 21 of the Regulation). The exception makes it clear that everything that goes beyond an analogue telephone system is already to be treated as an ICT service. This can therefore already include a pool laptop, server infrastructure, SaaS services, but also email providers or cloud hosting providers.
The obligations of DORA are also generally binding for all of the companies mentioned, regardless of their size. There are exceptions in some places, but mostly only for micro-enterprises. These are companies that do not even reach the threshold of a small business: they may not employ more than 9 people or generate more than EUR 2 million in annual turnover (Art. 3 No. 60 or 63 of the Regulation).
Subject: Resilience
At a prominent point in Art. 1, the Regulation clarifies what digital operational resilience is all about: information exchange, reporting obligations, risk management and risk identification, as well as contractual aspects. These obligations of financial institutions are then specified in the following chapters of the Regulation.
For example, Art. 5 and 6 of the Regulation require the establishment of an “ICT risk management framework”. This should include a comprehensive governance strategy in order to monitor ICT risks effectively and prudently. Incident management is also the responsibility of the top management level and includes the obligation to establish a Chief Digital Resilience Officer. The independence of this officer is important in this context and is comparable to that of a data protection consultant. Art. 7 of the Regulation then requires the ICT systems used to be reliable, up-to-date and technologically resilient. Art. 8 of the Regulation in turn requires risk identification: internal risk factors must be documented, sources of risk identified and evaluated, critical systems recorded, and connections to third-party service providers (particularly outside the financial sector) clearly identified.
Articles 9 to 14 of the Regulation then deal with ICT incidents: prevention measures, the detection of an incident, the response to it and system recovery are dealt with chronologically. But even after the incident has been concluded, it must be processed internally and possible lessons learnt must be compiled. The legally stipulated procedure only comes to an end with external communication and the provision of information to external, potentially affected stakeholders.
A separate Chapter III of the Regulation deals with the handling of ICT-related incidents. For companies, the most important aspect here is probably the obligation to report major ICT-related incidents in accordance with Art. 19 of the Regulation, which is supplemented by the voluntary reporting of significant cyber threats. Whether this reporting remains voluntary will be decided in the future and is subject to a review by the Commission in 2028. A template for the reports is to be developed by the supervisory authorities together with the European Union Agency for Cybersecurity (ENISA) and the European Central Bank (ECB).
The Regulation’s obligations to provide internal guidelines, strategies and responsibilities are then supplemented by comprehensive testing requirements (Art. 24 et seq. of the Regulation). All critical and important functions of a financial organisation must be tested every three years. This includes, in particular, the testing of products from third-party ICT service providers. These tests must be carried out by independent and qualified auditors and are then certified by the competent authority.
Companies that offer information and communication technologies will also face a number of changes. Although the obligations of the Regulation essentially do not apply directly to ICT service providers, Chapter V of the Regulation provides for standards that are binding on financial companies, which must now already fulfil certain requirements in their ICT contractual relationships. For example, contractual agreements with ICT service providers must be documented in an information register, potential ICT service providers must be carefully scrutinised, and exit strategies must be put in place (Art. 28 of the Regulation). Art. 30 of the Regulation then sets out key contractual provisions that must be agreed with ICT service providers. The liability of financial service providers, however, cannot be passed on by agreement. In order to continue to exist on the market, ICT companies must nevertheless, among other things, fulfil appropriate information security standards, ensure the legal conformity of their services and system continuity after contract termination, carry out ICT risk analyses, and guarantee audit options.
Impact of DORA on Switzerland
DORA imposes the above-mentioned and other obligations on financial organisations in the EU. Nevertheless, DORA is likely to have an impact on both ICT service providers and financial companies in Switzerland. Swiss ICT service providers (or subcontractors) are indirectly affected by DORA if they intend to provide their services to financial companies in the EU. Swiss companies that are part of a financial group in the EU will also be affected. Swiss financial organisations may likewise have to comply with obligations under DORA if they have relationships with other financial organisations in the EU or their clients.
Sources
- Draft regulation of the European Commission
- Digital Operational Resilience Regulation
- Digital Operational Resilience Directive
- Report of the European Systemic Risk Board 2020
- Central Bank of Ireland
- Fundamental Elements for Third Party Cyber Risk Management in The Financial Sector (G7)
- Fundamental Elements of Cybersecurity for The Financial Sector (G7)
- Fundamental Elements for Threat-Led Penetration Testing Data (G7)
- Circular 2023/1 of FINMA