
The picture shows Silke Brüggemann, senior advisor in BaFin’s IT Supervision, at the conference “IT Supervision of Insurers and Pension Funds” © Armin Höhner

Published: 22.09.2022 | Topic: Risk management

Cross-border problems? Cross-border solutions – through DORA

This was the conclusion reached by BaFin expert Silke Brüggemann in her presentation on the Digital Operational Resilience Act (DORA) at the conference “IT Supervision of Insurers and Pension Funds”, held at the end of June.

Not long to go now: DORA is expected to enter into force around the turn of the year 2022/2023 and to be fully applicable after two additional years. In introducing this law, European legislators are addressing the financial sector’s increasing dependency on information and communication technology (ICT). These efforts have culminated in a comprehensive statutory framework that focuses on the risks of digitalisation for the financial industry at the European level. Its aim is to help establish a modern, secure and resilient digital European financial market.

Silke Brüggemann, senior advisor in BaFin’s IT Supervision Directorate, worked together with colleagues from BaFin to support the Federal Ministry of Finance (Bundesministerium der Finanzen – BMF) in the negotiations for DORA. Speaking at the BaFin conference for insurers and pension funds, she informed the expert audience of significant aspects of the regulation. Her presentation was based on the European Council’s then-current mandate for the DORA negotiations (Council mandate)1, which addresses these aspects:

  • ICT governance and ICT risk management,
  • testing of digital operational resilience,
  • reporting obligations for major ICT incidents,
  • ICT third-party risk management and
  • the European oversight framework for critical ICT third-party service providers.

DORA generally applies to all financial entities, with only a few exceptions. These exceptions apply for example to insurance undertakings within the meaning of Article 4 of the Solvency II Directive, to institutions for occupational retirement provision that operate pension schemes which, together, do not have more than 15 members in total, and to insurance and reinsurance intermediaries that are microenterprises and small enterprises. Microenterprises in this context are financial entities that have fewer than ten employees and an annual turnover or annual balance sheet total that does not exceed EUR 2 million; small enterprises have fewer than 50 employees and an annual turnover or annual balance sheet total that does not exceed EUR 10 million.

ICT governance and ICT risk management

DORA defines harmonised and uniform principles for ICT governance and ICT risk management that are to apply across financial sectors. “These principles are recurrent themes that run throughout DORA”, Brüggemann explained.

The requirements are largely based on publications and regulations on information security in the financial sector that are already known. For example, as Brüggemann emphasised in her presentation, the European regulation makes clear with regard to ICT governance that overall responsibility for compliance with the requirements and management of the ICT risk lies with an entity’s management board.

The requirements for ICT risk management are aimed at helping to maintain the stability of the financial entities particularly with regard to cyber risks and, if necessary, to restore their stability. Compliance with these requirements will enable financial entities to achieve a level of digital operational resilience that matches their individual profile: they will be resilient and adaptable enough to maintain the integrity of their digital operational processes – even during and after a disruption.

The requirements for ICT risk management are based on international, national and industry-specific best practices and standards. They are built on the following specific elements:

  • identification,
  • protection and prevention,
  • detection,
  • countermeasures and restoration,
  • learning,
  • further development and communication.

These requirements are designed to be standard-neutral, risk-oriented and proportionate in their implementation. Article 14a of DORA provides for certain financial entities to be subject to simplified requirements – such as small institutions for occupational retirement provision that operate pension schemes which, together, have between 16 and 100 members in total.

Testing of digital operational resilience

Under DORA, all financial entities must thoroughly review their information and communication technology by establishing a risk-based, proportionate testing programme. Exemptions with regard to the test programme, but not the testing obligation, are in place for microenterprises and for financial entities specified in Article 14a.

The programme is supposed to provide for the execution of a number of tests, including open source analyses, network security assessments, physical security reviews, gap analyses, scenario-based tests, compatibility tests or penetration tests. Its purpose is to make financial entities aware, for example, of the ways in which they are prepared for ICT incidents and the areas where there may be vulnerabilities in their digital operational resilience.

The concept of proportionality is reflected in another aspect of the new Regulation: the threat-led penetration tests (TLPT). Only critical financial entities are required to conduct these tests, which are based on actual threats. The details of the tests will be set out in regulatory technical standards. These standards will draw heavily on the European framework TIBER-EU, which has been implemented in Germany in the form of TIBER-DE; to date, it applies on a voluntary basis. “The national competent authorities and the ECB as the European supervisory authority for significant institutions mutually recognise the tests conducted in other European countries. This point is to be explicitly underscored by the EU Regulation. For companies doing business across Europe, this is a great advantage – these tests are expensive and require a great deal of time and human resources”, Brüggemann said, pointing out the practical benefit of uniform specifications across the EU.

Reporting system for major ICT incidents

The expert audience attending the BaFin conference also learned about the future design of the reporting system for major ICT incidents. To date, such incidents are reported only by insurers deemed critical infrastructures as defined by the German Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – BSIG). In future, all the financial entities subject to DORA – and thus all insurance undertakings and pension funds – will be expected to inform supervisors of major incidents.

DORA thus standardises this obligation and extends it to include the entire financial sector; it also stipulates that BaFin, where it is the competent authority, is to be the recipient of such reports. Then, without delay, BaFin will pass the reports on to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), the respective European supervisory authority (EIOPA, ESMA or EBA) and, if applicable, to the European Central Bank.

As for the entities’ current obligation to report to the BSI, the lex specialis rule is to apply. It will deal with cases in which both DORA and the EU Directive on Security of Network and Information Systems (NIS Directive) (transposed nationally, for example, in the BSIG) make requirements: where the requirements in DORA are more specific, these take precedence over the requirements of the NIS Directive. Consequently, the financial entities that fall under both the NIS Directive and DORA are only required to submit an incident report to BaFin – in accordance with DORA. As mentioned above, BaFin ensures that these reports are also passed on to the BSI without any major delay in order to prevent information gaps.

ICT third-party risk management

DORA also addresses the risks that can arise when financial entities work with enterprises that provide ICT services, known as ICT third-party service providers. DORA requires financial entities to ensure sound, risk-oriented monitoring of their ICT third-party risks – throughout the contract conclusion, performance, termination and post-contractual phases.

One key prerequisite for such monitoring is that a risk analysis must be conducted before the contract is concluded. In the risk analysis, financial entities must take into account, for instance, how dependent they are on the respective ICT third-party service provider and what (concentration) risks could arise in the contractual relationship. DORA also lays down requirements for the contractual arrangements that are to apply to critical or important functions: for example, the financial entity’s contract partner must undertake to provide assistance in case of an ICT-related incident related to the service provided. Furthermore, financial entities must be able to present an exit strategy.

DORA requires financial entities to enter the ICT contracts they have concluded in a Register of Information, making distinctions in terms of critical or important functions. This register serves several purposes: first of all, it is a practical tool that enables financial entities to manage their ICT third-party risks in a structured manner. Secondly, it constitutes a basis on which supervisors can identify critical ICT third-party service providers. In other words, the information from the register will supply significant input for the European oversight framework with regard to critical ICT third-party service providers – which Brüggemann presented as an additional element of DORA.

European oversight framework for critical ICT third-party service providers

The oversight framework is a completely new element of EU financial regulation. Its purpose is to increase the convergence and efficiency of the supervisory activities aimed at the risk which ICT third-party service providers pose for financial entities. But as Brüggemann emphasised at BaFin’s conference for insurers and pension funds, “The oversight framework does not replace the ICT third-party risk management to be implemented by financial entities”.

The oversight framework focuses on the critical ICT third-party service providers mentioned above. DORA and, in even more detail, a delegated act still to be drawn up by the European Commission will determine the specific enterprises to be addressed, on the basis of various criteria: Could the cooperation with an ICT third-party service provider impact the stability, continuity or quality of the services provided by the financial entity? Is the respective financial entity considered systemically important? How dependent is the financial entity on the ICT third-party service provider? And how easily could this service provider be replaced?

The key role in the oversight framework is that of the Lead Overseer, which is assigned to one of the three European Supervisory Authorities (EBA, ESMA or EIOPA) for each critical ICT third-party service provider, depending on the respective service provider’s primary industry. The Lead Overseer is given rights of information, control and inspection. It monitors, for example, whether a service provider complies with the requirements for ICT risk management in the same manner that financial entities themselves are obliged to comply with these requirements. However, DORA does not provide for the Lead Overseer to have any direct powers to issue orders to the critical ICT third-party service providers.

Each Lead Overseer is supported by a Joint Examination Team. These teams are made up of experts from the national competent authorities and the European Supervisory Authorities. The oversight framework assigns the control and coordination function to the Oversight Forum – a subcommittee of the Joint Committee of the three European Supervisory Authorities (ESAs), whose members also include representatives of national competent authorities. The Oversight Forum supports and advises the work of the Joint Committee, e.g. in identifying critical ICT third-party service providers and appointing each Lead Overseer. The oversight framework is funded by supervision fees required of the critical ICT third-party service providers.

Harmonised and uniform rules

In standardising requirements across sectors, DORA will strengthen the cyber security of financial entities. Such an approach is, in fact, nothing new for the German financial sector or its supervisors. This can be seen in BaFin’s Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT – VAIT) and the related circulars for other sectors: the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT), in Asset Management Companies (Kapitalverwaltungsaufsichtliche Anforderungen an die IT – KAIT) and in Payment Services and Electronic Money Institutions (Zahlungsdiensteaufsichtliche Anforderungen an die IT – ZAIT). To ensure that there are no duplications in the regulations, the existing guidelines of the three European Supervisory Authorities on information security in the financial sector are being aligned with DORA.

Furthermore, in the past few years, BaFin has been able to take the initiative with regard to the drafting of contracts for relationships with cloud service providers: its Guidance on outsourcing to cloud service providers is addressed to all of the companies supervised by BaFin. The same is true of BaFin’s approach to the monitoring of multi-client IT service providers. Last year, BaFin received new cross-sector powers under the German Act to Strengthen Financial Market Integrity (Gesetz zur Stärkung der Finanzmarktintegrität – FISG). BaFin is now able, for example, to issue orders to outsourcing providers in order to prevent or rectify irregularities in financial entities’ outsourcing activities.

“By harmonising the requirements at the European level”, Brüggemann explained, “DORA is creating uniform and harmonised rules. After all, ICT risks – and particularly ICT third-party risks – do not stop at national borders.”

Footnote:

  1. This means that the DORA Regulation and the accompanying amending directive may still undergo some change.

Author

Julia Droege-Knaup
Division K 3 – Speeches and Publications
