On 24 September 2020, the European Commission published a proposal for the Digital Operational Resilience Act ("DORA"), which, along with an accompanying directive, is aimed at harmonizing the requirements for digital operational resilience for financial organizations within the EU.
Digital operational resilience
Digital operational resilience is defined as the ability to build, assure and review the technological operational integrity of an organization by ensuring that it can support the continued provision of services and their quality in the face of operational disruptions affecting its information and communication technology ("ICT") systems.
Examples of disruptions affecting ICT capabilities include cyber-attacks and technical failures, as well as other malicious and non-malicious events.
Aim of the proposals
The DORA proposal forms part of the European Commission's wider digital finance initiative, which seeks to support the sector's potential for innovation and competition while mitigating the risks arising from it. Other parts of the package include, for example, a proposed legislative framework for crypto-currencies and a pilot regime for markets based on distributed ledger technology.
According to the proposal, the DORA obligations would apply to a broad range of financial entities regulated at the EU level including:
- Credit institutions
- Payment institutions
- Investment firms
- Credit rating agencies
- Crypto-asset service providers
- Crowdfunding service providers
- Trading venues
With the aim of ensuring full-scope resilience of the relevant systems, the proposal will also cover ICT third-party service providers, including providers of cloud computing platforms, as well as suppliers of software, data analytics, and data centers.
Requirements for digital resilience
Financial entities will be required, among other things, to put in place an ICT risk management framework to ensure effective and prudent management of all ICT risks, including detection, response, and recovery. Such frameworks should be defined, approved, and overseen by senior management, who will bear final responsibility for managing the financial entity's ICT risk.
Firms will have to ensure that they use and maintain up-to-date ICT systems that are reliable, appropriate to the conduct of their activities, technologically resilient, and of sufficient capacity to process data accurately.
The act will also include a requirement to design and implement relevant ICT security strategies and policies, including an information security policy, business continuity policy, and backup policy, to ensure the resilience, continuity, and availability of ICT systems.
In order to ensure an appropriate response to incidents, financial entities will be required to establish and implement ICT-related incident management processes. These will have to cover the detection of relevant incidents, management of the response, and reporting of major ICT-related incidents to the relevant competent authorities within prescribed timeframes, so that financial supervisors can better assess the frequency, nature, significance, and impact of all major ICT-related disruptions.
Additionally, firms will be required to perform regular testing of their digital operational resilience by internal or external independent parties.
Under DORA, ICT third-party risk will have to be managed as an integral component of firms' ICT risk management frameworks. Firms will have to ensure that any contracts with ICT third-party service providers cover, at a minimum, the requirements set out in the DORA proposal. The contracts will be required to include, among other things, a clear and complete description of all functions and services to be provided, the location of the provision of services, full service level descriptions, requirements for the ICT third-party service providers to implement and test their business contingency plans, the firms' audit rights, and relevant exit strategies.
The European Commission was seeking public feedback on the proposals until 12 April 2021. The proposals are likely to undergo further changes before their final adoption. However, it is very likely that the new rules will come into force in some form and that the financial services industry and ICT third-party providers will be required to comply with new rules on operational resilience.