In October 2022, the European Parliament is expected to formally adopt the Digital Operational Resilience Act (DORA), a central pillar of the European Commission’s wider digital finance strategy. While the name reminds me of the animation of the intrepid young explorer, this version of DORA isn’t as fun-filled and is more likely to throw up significant challenges to asset managers, in the same way that Dora the Explorer's arch nemesis Swiper does.
Let’s explore DORA and map out the most important things as the industry begins its collective journey:
What is DORA?
DORA is the European Union’s legislative proposal which aims to bolster and harmonize rules across all EU member states relating to Information and Communications Technology (ICT) risk management, reporting, security control testing and ICT third-party risk. It is deemed necessary because the oversight of technology usage is currently conducted at a national level. It is also a recognition of the increased use of unregulated technology providers by financial services firms, where those providers form a critical part of the regulated firm’s offerings to its clients. DORA fits neatly into a broader trend of global regulators looking in depth at the issue of operational resilience and the ability to identify and manage disruption risks.
The regulation applies to a wide range of EU-regulated entities including banks, asset managers and insurers. What is also interesting is that the European Commission has published a draft directive to align certain other important EU financial services legislation with DORA. This directive proposes the inclusion of bolstered requirements for operational risk and risk management within the Undertakings for Collective Investment in Transferable Securities (UCITS) directive, the Alternative Investment Fund Managers Directive (AIFMD) and the Markets in Financial Instruments Directive (MiFID), making it consequential to any asset manager operating within the EU.
DORA demands that in-scope regulated entities identify the “critical ICT providers” used to conduct their business, which are then also pulled into the scope of DORA. This includes non-EU technology firms, including the giant U.S. internet, social media and cloud providers, who may come within the scope of European financial supervisors for the first time.
DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. The proposed legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats. The proposal also introduces an oversight framework for critical third-party providers, such as cloud service providers.
What are the Practical Requirements Under DORA?
- ICT-related incident reporting
One of the main requirements is the establishment of a monitoring and reporting process for ICT and cyber-related incidents, as well as an obligation to classify incidents against yet-to-be-defined materiality thresholds, which will be outlined in the Regulatory Technical Standards (RTS) when available. Major ICT-related incidents must be reported to regulators.
- Cyber operational resilience testing
DORA demands that a program of periodic testing for cyber security threats, simulating real-life attacks, be used. There is reference to “threat-led penetration testing”, a method which uses threat intelligence to emulate the tactics, techniques and procedures of an adversary against a live, mission-critical operating system. In-scope firms must test their preparedness, identify weaknesses, deficiencies or gaps, and promptly implement corrective measures. The granular details of the testing requirements will be fleshed out when the Regulatory Technical Standards (RTS) are framed.
- Identification of Critical Third-Party Service Providers (CTPP)
DORA creates a new type of regulated entity which will be directly supervised by one of the European Supervisory Authorities (ESAs) due to its systemically important nature. The definition of “critical” is not yet prescribed, but is likely to include certain household technology names, ranging from Google to Facebook and from Amazon Web Services (AWS) to Microsoft, which form vital pillars of the EU financial services ecosystem.
- Mandatory contractual clauses
DORA, much like GDPR, lays out template contractual clauses, in particular relating to access and audit rights. The regulation is designed to ensure sound monitoring of ICT and cyber third-party risk. Financial entities will be required to observe several key elements in their relationships with ICT and cyber third-party providers, while remaining fully responsible for complying with and discharging all obligations. To this end, contracts that govern this relationship will be required to include the following:
- complete description of services,
- indication of locations where data is to be processed,
- full-service level descriptions accompanied by quantitative and qualitative performance targets, relevant provisions on accessibility, availability, integrity, security and protection of personal data,
- inspection and audit by the financial entity or an appointed third-party,
- clear termination rights and dedicated exit strategies.
- Cloud service providers
While several regulators have already opined on cloud service providers, including Luxembourg’s CSSF through its Circular 17/654 and ESMA through its published cloud guidelines, DORA enhances and harmonizes the rules governing these participants. Cloud plays an increasing role for banks and asset managers and holds a lot of sensitive personal and business data. There is also a strong focus in the EU on its very high reliance on, and concentration risk in, a small number of primarily U.S. providers (including Amazon Web Services, Google and MS Azure). This concentration creates a systemic market risk to the entire bloc.
DORA uses quantitative and qualitative criteria to define the scope and intensity of compliance requirements for in-scope entities based on their size and complexity. Proportionality principles affect the reporting requirements for major incidents and also serve to identify critical and more systemically risky entities, as well as third-party cyber security vendors, which will draw more focus. In a nutshell, a greater DORA burden is placed upon ICT providers that are larger and more complex.
What are the Penalties for Non-compliance with DORA?
In a very similar vein to the General Data Protection Regulation (GDPR), DORA has sharp teeth in terms of penalties for non-compliance. A periodic penalty payment of 1% of the average daily worldwide turnover, based on the prior year’s results, can be applied by the DORA regulator, accruing on a daily basis until compliance is achieved, for a period of up to six months. The penalties, like GDPR, also have significant extraterritorial effect, so non-EU technology providers to EU-regulated firms based in the United States, United Kingdom and Asia could be penalized for not adhering.
What is the Probable Timeline for DORA Implementation?
At the time of writing this blog, DORA remains a work in progress. On May 11, 2022, a provisional political agreement was reached on DORA, but it must still pass through the formal parliamentary adoption procedure, with a European Parliament plenary session to be held in mid-October 2022. Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs) will then develop detailed Regulatory Technical Standards (RTS). DORA is expected to become operational in the second half of 2024, assuming the EU trilogue approval process runs smoothly.
© Brown Brothers Harriman & Co. 2022. All rights reserved. IS-08342-2022-08-19