From 17 January 2025, companies in the financial sector will be subject to stricter compliance obligations for information and communication technology (“ICT”) risk, cybersecurity, and digital operational resilience. The new requirements are largely derived from the Digital Operational Resilience Act (“DORA”, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector, see I.).
The requirements of the DORA regulation – particularly those relating to managing ICT risk – are essentially the same as the requirements set out by the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”) in its relevant circulars such as its Supervisory Requirements for IT in Financial Institutions (“BAIT”). DORA, however, employs a different methodological approach that can be challenging to implement. Financial-sector companies (see II.) are therefore well-advised to implement the requirements soon to avoid hefty fines (see VIII.).
DORA’s key elements are ICT risk management (see III.), digital operational resilience testing (see IV.), ICT incident reporting (see V.), ICT business continuity management (see VI.), and third-party ICT risk management (see VII.).
I. Background
DORA is a cornerstone of the European Commission’s “Digital Finance Strategy”, which aims to establish consistent regulatory standards for managing cyber threats and ICT risk for financial-sector companies. It is EU lawmakers’ response to increasing digitalisation and connectivity, which is making the financial system and society as a whole more vulnerable to the cyber threats and ICT disruptions that DORA aims to address.
To strengthen their digital resilience, DORA obliges (almost) all supervised financial entities and institutions in the European financial sector to expand their existing compliance measures and to implement new ones. That will mean additional investment for the companies impacted, which will have to modify structures and amend contracts.
II. Legal framework and scope
DORA is supplemented by a large number of regulatory and implementing technical standards (“RTSs” and “ITSs”), for example those set out in Delegated Regulation (EU) 2024/1774 on regulatory technical standards specifying ICT risk management tools, methods, processes and policies and Delegated Regulation (EU) 2024/1773 on third-party ICT risk management. Further RTSs have been drafted by European supervisory authorities (for example, the Joint Guidelines of the European Supervisory Authorities on Subcontracting ICT Services of 26 July 2024) and have been submitted to the European Commission for approval.
DORA applies to a wide range of financial-sector companies. According to Article 2(1) DORA, this includes credit institutions, payment institutions, providers of crypto services, trading venues, insurance and reinsurance undertakings and intermediaries, institutions for occupational retirement provision, data provision services and third-party ICT service providers – all of which are uniformly referred to as “financial entities” (with the exception of third-party ICT service providers).
In particular, managers of alternative investment funds and (re)insurance intermediaries are excluded from the scope of DORA where they qualify as microenterprises or as small or medium-sized enterprises. Microenterprises and small and medium-sized enterprises are also exempt from some of the obligations for reasons of proportionality (e.g. microenterprises are not required to develop a third-party ICT risk strategy as part of their ICT risk management framework (Article 28(2))). In addition, Article 16 provides for a simplified ICT risk management framework for small and non-interconnected investment firms.
III. ICT risk management
One of DORA’s key provisions is that financial entities must establish a new digital operational resilience strategy (Article 6(8) DORA), the minimum requirements of which go far beyond the previously required IT strategy (e.g. under BAIT). BaFin still considers it necessary and expedient to maintain the existing IT strategy as a link between the company’s business strategy and digital operational resilience strategy.
A key component of the digital operational resilience strategy is the obligation to implement ICT risk management. This ICT risk management framework must include the strategies, policies, procedures, ICT protocols and tools necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware and servers, as well as all relevant physical components and infrastructures (e.g. premises, data centres and designated sensitive areas) (Article 6(2)). Financial entities are required to clearly outline in their digital operational resilience strategy how they plan to implement this framework.
They are also obliged to continuously monitor their digital operational resilience strategy and ICT systems (Article 13(4), Article 9(1)). ICT systems, protocols and tools must always be kept up to date (Article 7) and ICT risk must be continuously identified, classified and documented (Article 8). To ensure comprehensive resilience, DORA requires businesses to employ modern IT infrastructure as well as develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes (Article 13(6)).
The introduction of ICT risk management will also have organisational impact. According to Article 6(4), the management and monitoring of ICT risk must be delegated to a control function with an appropriate level of independence. DORA prescribes the implementation of the three lines of defence model widely adopted by financial entities or an alternative internal risk management and control framework. Management bodies of financial entities are held (even) more accountable. Their members must actively maintain sufficient knowledge and skills in relation to the ICT risk to be managed (Article 5(4)) and bear overall responsibility for ICT risk management. In this respect, management bodies have numerous tasks to fulfil, in particular setting, approving and monitoring the safeguards of the ICT risk management framework (Article 5(2)).
Unless restricted by other sector-specific regulations, financial entities are free to outsource ICT risk management. However, they remain fully (and ultimately) responsible for compliance with ICT risk management requirements (Article 6(10)).
IV. Digital operational resilience testing
DORA requires all financial entities to test their digital operational resilience on a recurring basis (Article 24). For this purpose, a proportionate, risk-based testing programme must be established which includes vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews as well as compatibility and performance testing (Article 25(1)).
In addition to this general testing requirement, certain financial entities, which are to be identified by the competent supervisory authorities on the basis of their overall risk and business profile, must carry out threat-led penetration testing (“TLPT”) at least every three years (Article 26). The competent authority will inform the financial entities affected about their obligation to carry out TLPT.
The testing methodology for TLPT under DORA is essentially based on the existing framework for threat-based penetration testing in Germany (Threat Intelligence-based Ethical Red Teaming, “TIBER-DE”). The application of this framework is voluntary. Therefore, when ordering TLPT from 2025 on, BaFin will favourably consider TIBER-DE tests carried out before then. According to BaFin, however, only a few financial entities are likely to be affected by the obligation to carry out TLPT. If a financial entity has not yet carried out any TIBER-DE tests, it is highly unlikely that it will have to implement DORA-prescribed TLPT, according to BaFin.
At the end of the testing, after reports and remediation plans have been agreed, the financial entities affected must provide the respective competent authority with a summary demonstrating that TLPT has been conducted in accordance with the requirements (Article 26(6)).
V. ICT-related incident management, classification and reporting
Another important component of DORA is the establishment of a management process for handling, monitoring, logging and reporting ICT-related incidents (Article 17(1)). Article 18 requires financial entities to classify all ICT-related incidents and determine their impact based on certain criteria such as the duration of an incident or the criticality of the services affected.
The criteria for classification, including the materiality thresholds for determining major ICT-related incidents, are specified in RTSs. These are currently in the draft stage and are expected to be adopted by the European Commission in a Delegated Regulation.
If an ICT-related incident is classified as major, it must be reported to the competent authority (Article 19) by means of an initial notification, intermediate report and final report (Article 19(4)). An ICT-related incident is considered to be major if it has a high adverse impact on the network and information systems that support critical or important functions of the financial entity (Article 3, no. 10). The content of the reports and notifications for major ICT-related incidents – and the time limits for reporting these incidents – are also specified in RTSs, including the establishment of standard forms and reporting processes.
On the other hand, there is no obligation to report significant cyber threats; this can be done on a voluntary basis (Article 19(2)). However, major payment-related operational or security incidents must be reported (Article 23).
VI. ICT business continuity management
DORA’s requirements for ICT business continuity management are much broader than those in BAIT or in the other previously applicable BaFin circulars on IT requirements. In particular, DORA requires the establishment of a comprehensive ICT business continuity policy (Article 11(1) and (2)), which must also take into account a business impact analysis (“BIA”) and a risk analysis for severe business disruptions (Article 11(5)). The components of the ICT business continuity policy are described in detail in Article 24 of Delegated Regulation (EU) 2024/1774.
DORA extends the scope of the scenarios to be considered to include the effects of climate change, insider threats, political and social instability and large-scale power outages. In addition, DORA provides for regular (at least yearly) testing of the business continuity policy, including the ICT business continuity plans and the ICT response and recovery plans (Article 11(4) and (6)(a)). DORA also significantly tightens the requirements for (crisis) communication by establishing a crisis management function (Article 11(2)(e) and (7), Article 14).
VII. Third-party ICT risk management
DORA’s stipulations on third-party ICT risk management also place extensive compliance requirements on financial entities, raising future challenges. These were devised to address the tendency of financial entities to engage third parties to provide information and communication technology (ICT) services. Financial entities will remain fully responsible for ensuring that DORA obligations, in particular the requirements for their risk management framework, are met (Article 28(1)). To ensure that financial entities fulfil their responsibilities in this regard, certain key contractual provisions must be included in their agreements with third-party ICT service providers (Article 30).
The concept of outsourcing to third-party ICT service providers is much broader than the regulatory concept of outsourcing itself. Outsourcing as defined in BaFin’s Minimum Requirements for Risk Management (“MaRisk”) is when another undertaking is commissioned with activities in connection with banking business, financial services or any of an institution’s other usual services that would otherwise be provided by the institution itself (AT 9, number 1 MaRisk), whereas the concept of third-party ICT services for financial institutions under DORA includes all “ICT services to run their business operations” (Article 28(1)(a)). This will make it necessary for financial entities to record all ICT-related purchases from third parties.
A distinction must also be made between the use of ICT services for “critical or important functions” and for other functions. Pursuant to Article 3, point (22), a “critical or important function” means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation.
DORA includes in particular the following (new) requirements for third-party ICT risk management:
- Financial entities must now develop a third-party ICT risk strategy for working together with third-party ICT service providers (Article 28(2)). One key component of this strategy is to be a policy on the use of ICT services supporting critical or important functions.
- When selecting an ICT service provider, the financial entity must first carry out a risk analysis and assess the suitability of the service provider (Article 28(4)). The scope of this ex ante risk assessment increases significantly if the services of the third party are to be procured to support a critical or important function.
- DORA also introduces extensive minimum contractual arrangements for agreements with third-party ICT service providers (Article 30) going beyond the previous regulatory requirements for outsourcing agreements (see, in particular, AT 9, number 7 MaRisk and margin no. 75 of the Guidelines on outsourcing arrangements (EBA/GL/2019/02) of the European Banking Authority). These arrangements are yet more extensive where the third-party ICT services involve critical or important functions (Article 30(3)). BaFin has therefore provided a summary of the minimum contractual arrangements required by Article 30(2) and (3) DORA, Delegated Regulation (EU) 2024/1773 and the Joint Guidelines of the European Supervisory Authorities on Subcontracting ICT Services of 26 July 2024. Article 28(7) imposes particularly stringent requirements on the termination rights that financial entities must implement to their own benefit in contracts with third-party ICT service providers.
- When negotiating contractual arrangements, financial entities should use standard contractual clauses developed by competent authorities (Article 30(4)). However, no such standard contractual clauses are available yet, nor are any likely to become available before DORA takes effect.
- All contractual arrangements with third-party ICT service providers must additionally be appropriately documented in a register of information (Article 28(3)) and reported to the competent authority on a yearly basis at least. Financial entities must also notify the competent authority in a timely manner of any planned contractual arrangement on the use of ICT services supporting critical or important functions, as well as when a function becomes critical or important.
- For the termination of such arrangements, financial entities must have an exit strategy in place that prevents disruption to their business activities while ensuring compliance with regulatory requirements and the continuity and quality of services provided to clients (Article 28(8)).
In all other respects, BaFin explicitly stated in its June 2024 guidance on the implementation of DORA in ICT risk management and third-party ICT risk management (Aufsichtsmitteilung – Hinweise zur Umsetzung von DORA im IKT-Risikomanagement und IKT-Drittparteienrisikomanagement) that sector-specific outsourcing requirements (such as the minimum requirements under MaRisk) still apply.
VIII. Enforcement and penalties
DORA’s obligations on financial entities are to be enforced by granting the competent supervisory authorities the necessary powers, see the Federal Government bill on the Act on the Digitalisation of the Financial Market (Financial Market Digitalisation Act, “FinmadiG”). In addition, and so as to ensure forward-looking and effective supervision, the auditors of the annual financial statements of financial entities supervised by BaFin are to be required to audit and report on compliance with DORA provisions.
Pursuant to the bill, violations of certain DORA requirements constitute an administrative offence and can be punished with a fine of up to EUR 5 million. Supervisory authorities may also use their websites to publish measures taken and penalties imposed (“naming and shaming”).
IX. Outlook
DORA sets new EU standards for digital resilience. To strengthen their digital resilience, DORA obliges (almost) all supervised financial entities and institutions in the EU financial sector to expand their existing compliance measures and to implement new ones. Financial entities affected by DORA should therefore review their (existing) compliance structures to ensure they meet the new requirements. The fact that the new provisions take effect from 17 January 2025 makes it imperative to engage immediately with the compliance obligations relating to ICT risk, cybersecurity and digital operational resilience introduced by DORA and to implement the necessary measures. Failure to meet the requirements of DORA (on time) can lead to severe penalties. This especially applies to agreements with third-party ICT service providers, which should be checked for compliance with minimum DORA requirements and documented in the register of information.