Let's Explore DORA

August 23, 2022
  • Investor Services
Banks, asset managers and insurers operating in the EU will be subject to new rules intended to boost the security and resiliency of the financial sector. Adrian Whelan maps out what asset managers need to know.

In October 2022, the European Parliament is expected to formally adopt the Digital Operational Resilience Act (DORA), a central pillar of the European Commission’s wider digital finance strategy.1 While the name reminds me of the animation of the intrepid young explorer, this version of DORA isn’t as fun filled and is more likely to throw up significant challenges to asset managers in the same way that Dora the Explorer's arch nemesis Swiper does.

Let’s explore DORA and map out the most important things as the industry begins its collective journey:

What is DORA?

DORA is the European Union’s legislative proposal which aims to bolster and ensure rule harmonization across all EU member states relating to Information and Communications Technology (ICT) risk management, reporting, security control testing and ICT third-party risks. It is deemed necessary as currently the oversight of technology usage is overseen at a national level. It is also recognition of the increased usage of unregulated technology providers by financial service firms who form a critical part of the regulated provider’s offerings to its client. DORA fits neatly into a broader trend of global regulators looking in depth at the issue of operational resilience and the ability to identify and manage disruption risks.

The regulation applies to a wide range of EU regulated entities including banks, asset managers and insurers. What is also interesting is that the European Commission have published a draft directive to align certain other important EU financial services legislation with DORA. This directive proposes inclusion of bolstered requirements for operational risk and risk management within Undertakings for the Collective Investment in Transferable Securities (UCITS), the Alternative Investment Fund Managers Directive (AIFMD) and the Markets in Financial Instruments Directive (MiFID) making it consequential to any asset manager operating within the EU.

DORA demands that in scope regulated entities identify “critical ICT providers” used to conduct their business, which then also get pulled into the scope of DORA. This includes non-EU technology firms including the giant U.S. internet social media and cloud providers who may come within the scope of European financial supervisors for the first time.

DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. The proposed legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats. The proposal also introduces an oversight framework for critical third-party providers, such as cloud service providers.

What are the Practical Requirements Under DORA?

  • ICT-related incident reporting
    One of the main requirements is the establishment of a monitoring and reporting process relating to ICT and cyber-related incidents, as well as an obligation to classify incidents against yet to be defined materiality thresholds, which will be outlined in the RTS when available. Major ICT-related incidents must be reported to regulators.

  • Cyber operational resilience testing
    DORA demands that a program of periodic testing for cyber security threats to simulate real life attacks should be used. There is reference to “threat-led penetration testing”, a method which uses threat intelligence to emulate the tactics, techniques, and procedures of an adversary against a real time mission critical operating system. In-scope firms must test their preparedness, identification of weaknesses, deficiencies, or gaps, as well as the prompt implementation of corrective measures. The granular details of the testing requirements will be flushed out when the Regulatory Technical Standards (RTS) are framed.

  •  Identification of Critical Third-Party Service Providers (CTPP)
    DORA creates a new type of regulated entity which will be directly supervised by one of the European Supervisory Agencies (ESAs) due to their systemically important nature. The definition of “critical” is not prescribed yet, but is likely to include certain household technology names ranging from Google to Facebook, from Amazon Web Services (AWS) to Microsoft who form vital pillars to the EU financial services ecosystem.

  • Mandatory contractual clauses
    DORA in great similarity to GDPR lays out template contractual clauses in particular relating to access and audit rights. The regulation is designed to ensure a sound monitoring of ICT and cyber third-party risk. Financial entities shall be required to observe several key elements in their relationship with ICT and cyber third-party providers, remaining fully responsible for complying with and discharge of all obligations. To this end, contracts that govern this relationship will be required to include the following:
    • complete description of services,
    • indication of locations where data is to be processed,
    • full-service level descriptions accompanied by quantitative and qualitative performance targets, relevant provisions on accessibility, availability, integrity, security and protection of personal data,
    • inspection and audit by the financial entity or an appointed third-party,
    • clear termination rights and dedicated exit strategies.

  • Cloud service providers
    While several regulators have already opined of cloud service providers, including Luxembourg’s CSSF through its Circular 17/654 and ESMA’s published cloud guidelines, DORA enhances and harmonizes the rules governing these participants. Cloud increasingly plays a role for banks and asset managers and holds a lot of sensitive personal and business data. Also, there is a large focus in the EU on the fact that the EU has a very high reliance and concentration risk to a small number of primarily U.S. providers (including Amazon Web Services, Google and MS Azure). This concentration creates a systemic market risk to the entire bloc.

  • Proportionality
    DORA uses quantitative and qualitative criteria to define the scope and intensity of rule compliance requirements for in scope entities based on size and complexity. Proportionality principles impact upon the reporting requirements in terms of major incidents and also look to identify critical and more systemically risky entities as well as third-party cyber security vendors who will draw more focus. In a nutshell, there is an increased DORA burden placed upon ICT providers who are larger and more complex.  

What are the Penalties for Non-compliance with DORA?

In a very similar vein to General Data Protection Regulation (GDPR), DORA has sharp teeth in terms of penalties for non-compliance. A periodic penalty payment of 1% of the average daily worldwide turnover based on the prior year’s results can be applied by the DORA regulator, accruing on a daily basis until compliance is achieved for a period of up to six months. The penalties, like GDPR, also have significant extra territorial effect so non-EU technology providers to EU regulators based in the United States, United Kingdom and Asia could be penalized for not adhering. 

What is the Probable Timeline for DORA Implementation?

At the time of writing this blog DORA remains a work in progress. On May 11, 2022, a provisional political agreement was reached on DORA but it must still pass through the formal parliamentary adoption procedure – with a European Parliament plenary session to be held in mid-October 2022. Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs) will then develop detailed Regulatory Technical Standards (RTS). DORA is expected to become operational in the second half of 2024 assuming the EU trialogue approval process runs smoothly.

Futuristic portal or tunnel
Up Next
Up Next

U.S. SEC Moves to Tighten Security on the Industry's "Digital Doors"

BBH’s Adrian Whelan looks at three significant points from the SEC’s recent proposals for new cybersecurity related rules.

1 https://ec.europa.eu/info/publications/200924-digital-finance-proposals_en

Brown Brothers Harriman & Co. (“BBH”) may be used to reference the company as a whole and/or its various subsidiaries generally. This material and any products or services may be issued or provided in multiple jurisdictions by duly authorized and regulated subsidiaries. This material is for general information and reference purposes only and does not constitute legal, tax or investment advice and is not intended as an offer to sell, or a solicitation to buy securities, services or investment products. Any reference to tax matters is not intended to be used, and may not be used, for purposes of avoiding penalties under the U.S. Internal Revenue Code, or other applicable tax regimes, or for promotion, marketing or recommendation to third parties. All information has been obtained from sources believed to be reliable, but accuracy is not guaranteed, and reliance should not be placed on the information presented. This material may not be reproduced, copied or transmitted, or any of the content disclosed to third parties, without the permission of BBH. All trademarks and service marks included are the property of BBH or their respective owners.© Brown Brothers Harriman & Co. 2022. All rights reserved. IS-08342-2022-08-19

As of June 15, 2022 Internet Explorer 11 is not supported by BBH.com.

Important Information for Non-U.S. Residents

You are required to read the following important information, which, in conjunction with the Terms and Conditions, governs your use of this website. Your use of this website and its contents constitute your acceptance of this information and those Terms and Conditions. If you do not agree with this information and the Terms and Conditions, you should immediately cease use of this website. The contents of this website have not been prepared for the benefit of investors outside of the United States. This website is not intended as a solicitation of the purchase or sale of any security or other financial instrument or any investment management services for any investor who resides in a jurisdiction other than the United States1. As a general matter, Brown Brothers Harriman & Co. and its subsidiaries (“BBH”) is not licensed or registered to solicit prospective investors and offer investment advisory services in jurisdictions outside of the United States. The information on this website is not intended to be distributed to, directed at or used by any person or entity in any jurisdiction or country where such distribution or use would be contrary to law or regulation. Persons in respect of whom such prohibitions apply must not access the website.  Under certain circumstances, BBH may provide services to investors located outside of the United States in accordance with applicable law. The conditions under which such services may be provided will be analyzed on a case-by-case basis by BBH. BBH will only accept investors from such jurisdictions or countries where it has made a determination that such an arrangement or relationship is permissible under the laws of that jurisdiction or country. The existence of this website is not intended to be a substitute for the type of analysis described above and is not intended as a solicitation of or recommendation to any prospective investor, including those located outside of the United States. Certain BBH products or services may not be available in certain jurisdictions. By choosing to access this website from any location other than the United States, you accept full responsibility for compliance with all local laws. The website contains content that has been obtained from sources that BBH believes to be reliable as of the date presented; however, BBH cannot guarantee the accuracy of such content, assure its completeness, or warrant that such information will not be changed. The content contained herein is current as of the date of issuance and is subject to change without notice. The website’s content does not constitute investment advice and should not be used as the basis for any investment decision. There is no guarantee that any investment objectives, expectations, targets described in this website or the  performance or profitability of any investment will be achieved. You understand that investing in securities and other financial instruments involves risks that may affect the value of the securities and may result in losses, including the potential loss of the principal invested, and you assume and are able to bear all such risks.  In no event shall BBH or any other affiliated party be liable for any direct, incidental, special, consequential, indirect, lost profits, loss of business or data, or punitive damages arising out of your use of this website. By clicking accept, you confirm that you accept  to the above Important Information along with Terms and Conditions.

1BBH sponsors UCITS Funds registered in Luxembourg, in certain jurisdictions. For information on those funds, please see bbhluxembourgfunds.com

captcha image

Type in the word seen on the picture

I am a current investor in another jurisdiction