EU Regulation no. 2022/2554, on digital operational resilience for the financial sector (DORA), which will apply to a large part of the financial sector, will enter into force on 17 January 2025. However, a number of regulatory and implementing technical standards are to be expected before DORA enters into force.
The DORA Regulation aims to improve the digital operational resilience of the financial sector and alleviate ICT-related risks. Although not all of the DORA requirements are entirely new, it should be noted that the objective of DORA is to harmonise existing requirements related to ICT risks and update them as part of the operational risk requirements that have so far been addressed in a variety of EU legislation or non-binding ICT standards and guidelines. Previous requirements focused on operational risk (including ICT risks) primarily from the quantitative perspective, instead of specific qualitative standards that concern protection, detection, containment, recovery and repair capabilities against ICT-related incidents or reporting and digital testing possibilities. Thus, DORA aims to eliminate current deficiencies and harmonise qualitative requirements for the management of ICT risks at EU level.
Who is subject to the Regulation?
The Regulation will apply not only to credit institutions but also to a wide range of other market participants in the financial sector (with certain exceptions) – e.g. payment institutions, e-money institutions, investment firms, crypto-asset service providers, insurance undertakings and intermediaries, as well as management companies, managers of alternative investment funds and also (critical) ICT third-party service providers. It is important to note that critical ICT third-party service providers will partially be subject to supervision.
What are the main obligations arising from DORA?
According to DORA, financial institutions in the EU must comply with a number of requirements concerning ICT risk management, the classification and reporting of ICT incidents, digital operational resilience testing, risk management of ICT third-party service providers and information sharing between financial institutions. Here are some more specific examples of obligations that DORA imposes:
Under the Regulation, microenterprises and certain financial sector entities may apply a simplified ICT risk management framework.
As always, if financial institutions fail to comply with the requirements of DORA, they may be fined. In addition, it should be borne in mind that the supervisory authorities have the right to request information, carry out on-site inspections, demand the temporary or permanent cessation of any activity deemed to be in breach of the Regulation by a competent authority, and impose fines on critical ICT third-party service providers if they fail to comply with DORA.
Will DORA have an impact on your legal and IT department?
It is very likely that DORA will have an impact on both departments, since it aims to ensure the digital resilience, continuity and availability of ICT systems – in particular in the case of systems that support critical or important functions. Particular attention must also be paid to awareness and information sharing as well as cooperation within the company. It should be borne in mind that, according to DORA, financial institutions, with the exception of microenterprises and entities subject to a simplified ICT risk management framework, must appoint a person who oversees the performance of agreements entered into with ICT third-party service providers or designate a member of senior management to be responsible for overseeing the related risk and relevant documentation.
IT departments should review the requirements arising from DORA in order to update the ICT risk management framework and conduct an ICT risk assessment that covers all business-critical information systems, including those of critical ICT third-party service providers (or ask third-party service providers to submit their ICT risk assessment results), to obtain an updated overview of ICT-related risks. ICT risk assessments should also take into consideration cyber threats and risks. This can be done by using ‘red teaming’ testing, which tests the security of an organisation’s systems by imitating a malicious actor attempting to compromise security systems or data. When using red teaming, it is recommended to follow the TIBER-EU framework – an EU framework that provides a controlled, customised and intelligence-led red team test for critical systems used by financial sector companies. TIBER-EU aims to improve the protection, detection and response capabilities of companies, increase the digital resilience of the financial sector and provide certainty for public authorities with respect to the cyber resilience of organisations under their responsibility.
How can we help?
KPMG’s cross-disciplinary and cross-border teams help you to navigate the maze of implementing new requirements. We can carry out a detailed analysis based on DORA (gap analysis), highlighting the requirements arising from DORA and the current deficiencies in your business, and help to eliminate the deficiencies with ongoing regulatory advice and project management. We also help to develop advanced scenario-based testing capabilities with respect to digital operational resilience, assist with the review of third-party service provider registers and subcontracting contracts, or ICT risk assessments (including red team testing). We can also assist you in developing and conducting ICT security awareness programmes and training for staff and management required under DORA.
Katri Remmelgas
Attorney / Banking and financial law
Advokaadibüroo KPMG Law OÜ
Ivar Anton
Cyber Security Expert / IT Auditor
KPMG Baltics OÜ
Raija Tuokko
Legal Adviser / Financial services
KPMG Law Nordic-Baltic Region