Katri Remmelgas
Attorney / Banking and Finance
Advokaadibüroo KPMG Law OÜ
Ivar Anton
Cyber security expert / IT auditor
KPMG Baltics OÜ
Raija Tuokko
Legal Counsel / Financial Services
KPMG Law Nordic-Baltic Region
The increased digitalisation of the financial sector also shines more light on the risks related to it. Recent cases in Estonia (SEB, Luminor), Sweden and Finland have shown that information and communication technology (ICT) related incidents are occurring more frequently, and, as market participants may have already noticed, financial supervision in Estonia and in Finland is now focusing more on ICT risk management. Therefore, the qualitative requirements for ICT risk mitigation are becoming more and more important.
On 17 January 2025, the Digital Operational Resilience Act (DORA), EU regulation 2022/2554, will come into effect and will apply to a broad scope of the financial sector. There are also a number of Regulatory Technical Standards (RTS) as well as Implementing Technical Standards (ITS) related to the provisions in DORA that will be published before 2025.
DORA aims to improve the operational resilience of the financial sector and mitigate the risks associated with ICT. Although not all the requirements in DORA are completely new, it is worth noting that DORA aims to consolidate and update the requirements related to ICT risk as part of operational risk requirements, which to date have been dealt with separately in various pieces of EU legislation, in non-binding ICT standards and in guidelines of specific authorities. Previous requirements have primarily addressed operational risk (including ICT) from a quantitative perspective, rather than setting targeted qualitative standards for the ability to protect against, detect, mitigate, recover from and remediate ICT incidents, or for reporting and digital testing capabilities. Therefore, DORA strives to eliminate the existing gaps and harmonise the qualitative requirements on ICT risk management at an EU level.
To whom does it apply?
The regulation applies both to credit institutions and to a wide range of market participants in the financial sector (with certain exceptions), including payment institutions, e-money institutions, investment companies, crypto asset service providers, insurance providers and intermediaries, fund managers, AIFMs and (critical) third-party ICT service providers. It is important to note that critical third-party ICT service providers will become supervised entities.
What are the main obligations under DORA?
Under DORA, financial institutions in the EU will have to meet a list of requirements regarding governance, ICT risk management, classification and reporting of ICT incidents, digital operational resilience testing, ICT third-party risk management, and the sharing of information and intelligence between financial entities. Here are some examples of what it includes:
- Allocating and periodically reviewing the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training as well as ICT skills for all staff;
- Identifying and registering third-party ICT service providers, including those that are critical;
- Reviewing the contractual agreements with third-party ICT service providers – DORA sets specific requirements for agreements between financial institutions and ICT service providers;
- Assessing the operational resilience of third-party ICT service providers (the subcontracting chain must also be taken into account) and implementing measures to mitigate risks, as needed;
- Critical third-party ICT service providers are required to ensure the security and resilience of their ICT systems and services, and to cooperate with the financial institutions they serve to manage operational resilience risks;
- Updating documentation in relation to the ICT risk management framework to ensure their compliance with DORA (e.g., information security policy and procedures, outsourcing policy, business continuity plan and related processes, disaster recovery plan and regular testing, etc.);
- Developing ICT security awareness programs and conducting training for employees and senior management to increase ICT security awareness.
According to the regulation, microenterprises and certain companies in the financial sector may apply the simplified ICT risk management framework.
If financial institutions fail to comply with DORA, they may face sanctions. It is worth noting that the supervisory authorities will have the power to request information, conduct on-site inspections, and require the temporary or permanent cessation of any practice or conduct that the competent authority considers to be contrary to the regulation, and to impose sanctions on critical third-party ICT service providers that fail to comply with the requirements of DORA.
Will DORA affect your Legal or IT Department?
DORA will most probably have implications for both. As DORA aims to ensure the resilience, continuity and availability of ICT systems, in particular those supporting critical or important functions, the necessary focus must be put on internal cooperation across departmental silos. In addition, DORA requires that financial entities, other than microenterprises and entities subject to the simplified ICT risk management framework, establish a role to monitor the ICT third-party arrangements, or assign responsibility to a member of senior management for overseeing the related risk exposure and relevant documentation.
IT departments should review the DORA-related requirements in order to update their ICT risk management frameworks and carry out an ICT risk assessment covering all business-critical information systems, including critical third-party systems (or ask third parties to provide their ICT risk assessment results), to ensure an up-to-date overview of the latest ICT-related risks. ICT risk assessments should also consider cyber-related threats and risks. This can be done by performing a red teaming exercise. Red teaming is the practice of testing the security of an organisation’s systems by emulating a malicious actor with the goal of gaining access to secure systems or data. For red teaming, following the TIBER-EU framework is recommended. TIBER-EU is a European framework that delivers a controlled, bespoke, intelligence-led red team test of the critical live production systems of financial institutions. The aims of TIBER-EU are to improve the protection, detection and response capabilities of entities, to enhance the resilience of the financial sector and to provide assurance to authorities about the cyber resilience capabilities of the entities under their responsibility.
How can we help?
KPMG’s cross-professional and cross-border teams can help clients navigate the implementation of the new requirements. We can conduct a detailed DORA analysis that highlights requirements and deficiencies, support the elimination of those deficiencies with ongoing regulatory consultation and project management, and develop advanced digital operational resilience scenario testing. We can also help you review your third-party register and outsourcing agreements, or develop and conduct ICT risk assessments (including red teaming), ICT security awareness programmes and training for employees and senior management as required by DORA.