On 11 May 2022, the European Council announced in a press release that it had reached a provisional agreement with the European Parliament on DORA, a piece of legislation designed to strengthen the operational resilience of the financial sector in Europe against ICT-related disruptions and incidents. A vast range of entities such as banks, payment providers, investment firms, crypto-asset service providers, and ICT service providers will need to be prepared for these incoming rules. Whilst we await the publication of the final text of DORA, we look into what can be expected.
Background of DORA
DORA was initially proposed by the European Commission on 24 September 2020, as part of a larger digital finance package which aims to develop a harmonised European approach to foster technological development, and to ensure financial stability and consumer protection. In addition to the DORA proposal, the package contains a digital finance strategy, a proposal on markets in crypto-assets (MiCA) and a proposal on distributed ledger technology (DLT).
Key aspects of DORA
- DORA establishes uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector. Some of the requirements under DORA include maintaining a well-documented ICT risk management framework, reporting major ICT-related incidents, and performing digital operational resilience testing (including penetration tests).
- The scope of financial entities that will be subject to the new rules set out in DORA is extremely wide, and more crucially, critical third parties which provide ICT-related services to the financial entities (such as cloud platforms or data analytics) will be brought within the regulatory scope. We can expect the final text of DORA to confirm the approach to fines issued to non-complying ICT service providers (which has been expressed in the initial proposed text of DORA to be a daily penalty payment of 1% of the average daily worldwide turnover in the preceding business year).
- Whilst statutory auditors and audit firms were within scope under the initial DORA proposal published in 2020, the European Council has confirmed that auditors will not be subject to DORA. The inclusion of auditors in the scope of DORA will be revisited as part of a future review of the regulation.
- Additionally, critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU in order to enable proper regulatory oversight.
How will DORA interact with the Directive on Security of Network and Information Systems ('the NIS Directive')?
- The NIS Directive is EU-wide legislation on cybersecurity and came into force in 2016, helping to achieve a common high level of security of network and information systems across the EU.
- The Council has stated that financial entities will have full clarity on the different rules on digital operational resilience that they need to comply with, in particular those financial entities holding several authorisations and operating in different markets within the EU.
- More specifically, the Council noted that the NIS Directive continues to apply, with DORA building on the NIS Directive and addressing possible overlaps via a lex specialis exemption (i.e. where more specific rules apply over more general rules).
- It is worth noting that on 13 May 2022, the European Parliament and Council reached a political agreement on a revised NIS Directive ('NIS 2 Directive'), which will replace and update the current NIS Directive.
Next steps
The revised text of DORA is yet to be released publicly as of the date of this article. The provisional agreement reached is now subject to approval by the Council and the European Parliament before going through the formal adoption procedure. Once DORA is adopted and passed into law by EU member states, the designated European Supervisory Authorities will develop technical standards for financial services institutions to comply with, whilst national competent authorities will oversee compliance and enforce the regulation as required. It is expected that the new rules will apply 24 months after they enter into force.
Authored by John Salmon.