The DORA Regulation, or the security of financial actors in the ICT area

27.3.2024

On 17 January 2025, Regulation (EU) 2022/2554 of the European Parliament and of the Council on Digital Operational Resilience in the Financial Sector ("DORA") will enter into force in full. The aim of this Regulation is to ensure the security of financial entities in the field of information and communication technologies ("ICT").

In particular, DORA responds to the increasing digitalisation and interconnectedness of the financial sector, which leads to higher ICT risks and increased vulnerability to cyber threats, underlines the importance of financial sector adaptation and preparedness for the digital age, provides better protection against cyber threats and aims to ensure a stable and secure financial environment in the European Union.

Together with the DORA Regulation, two directives, NIS 2 and CER, have been adopted, which also cover the area of ICT and cyberspace. The former, NIS 2, deals with measures to ensure a high common level of cybersecurity across the Union for medium and large enterprises operating the services listed in the annexes of the Directive; the NIS 2 Directive and what to expect from it was summarised in an article by my colleague Mgr. Petr Hanzel here (NIS 2). The second directive, the CER Directive, focuses on the cyber security of so-called critical entities, such as suppliers and distributors of strategic commodities or banks.

The purpose of DORA and who it applies to

First, which financial entities does the Regulation affect? The financial entities subject to the Regulation are banks, insurance companies, securities dealers, investment fund managers, credit rating agencies and providers of services related to crypto assets. It also covers "third parties", i.e. providers of ICT-related services such as cloud platforms, data analytics services, etc.

DORA aims to strengthen the digital operational resilience of the financial sector by establishing a framework for managing ICT-related risks. The regulation aims to ensure that financial institutions are better prepared to identify, protect themselves and respond effectively to cyber threats and other ICT incidents. It intends to do this by harmonising the regulatory framework across the EU, strengthening resilience to third-party risks and promoting information sharing on threats, which will improve the security and stability of the entire financial sector.

DORA's obligations

Financial entities are required to establish and maintain a comprehensive ICT risk management framework that includes procedures and controls to identify, assess, monitor and minimise risks. The framework should be integrated into the overall structure of the financial entity, with the lead authority being responsible for this risk management. In the context of digital risk management, however, the lead authority may be not only the statutory body but also any person in a leadership position within the internal structure of the financial entity, for example the head of the risk management department or any other senior person designated for this purpose.

The Regulation will require financial entities to conduct regular ICT resilience testing, at least once a year. They will also be obliged to collect the data generated by the testing in order to identify vulnerabilities in systems and processes. This does not, however, impose an obligation on financial entities to notify the supervisory authority on a regular basis; financial entities communicate with the supervisory authority only in the event of an impending or ongoing incident, or upon an explicit request from the supervisory authority to provide certain data or information.

In the Czech Republic this supervisory authority will be the CNB (Czech National Bank) and the NCIB, which are joining forces on cybersecurity and resilience matters under a Memorandum of Cooperation of 31 May 2022.

An important part of the Regulation is also the establishment of minimum requirements for contracts concluded between a financial entity and an ICT service provider. DORA mainly requires a precise and comprehensible description of all services to be provided, but also sets out the conditions for termination of the contract and the obligation of the ICT service provider to assist the financial entity in the event of an ICT incident.

As ICT risks are becoming increasingly complex and sophisticated, proper risk detection and prevention measures depend to a large extent on the sharing of cyber threat and vulnerability information between financial entities. This strengthens the sector's collective ability to identify and prevent potential threats. DORA aims to do this by calling on financial actors to build or strengthen communication channels between themselves.

Summary of key impacts of DORA

  1. Establishing a comprehensive ICT risk management framework: financial entities are required to implement, in the overall structure of the entity, procedures and controls to identify, assess, monitor and minimise ICT risks.
  2. Mandatory regular resilience testing: financial entities must conduct ICT resilience testing at least annually, collect data from these tests and identify vulnerabilities in their systems and processes, as part of their security improvement efforts.
  3. Strengthening requirements for contracts with ICT service providers: the Regulation sets minimum requirements for contracts with ICT service providers. These include: a clear description of the services, precise conditions for termination of the contract and the obligation of the ICT service provider to assist the financial entity in the event of an incident.
  4. Encouraging threat information sharing: DORA emphasises the importance of sharing information on cyber threats and vulnerabilities among financial actors to strengthen the sector's collective ability to identify and prevent potential threats.

In the event of an incident

As part of the ICT risk management framework, financial entities are required to put in place crisis communication plans to enable responsible and effective communication with clients, business partners, the public and, of course, the regulator, at least in the event of a major ICT-related incident. Furthermore, the Regulation emphasises a policy of maintaining the operations of the financial entity while the risk is being removed. Incidents that occur are then reported to the supervisory authority, which prepares a report on them; other financial entities should use that report to respond to the situation and improve their own strategy.

Sanctions

DORA also empowers the supervisory authority to impose a sanction on an ICT service provider, provided that the provider:

  1. fails to provide information and documentation,
  2. fails to allow investigation and inspection, or
  3. fails to submit a remediation report following a recommendation by the supervisory authority.

The sanction that the supervisory authority may impose is applied on a daily basis at 1% of the average daily worldwide turnover of the third-party ICT service provider for the previous accounting period, for a maximum period of 6 months. Thus, after 6 months, the sanction may rise to a maximum of 0.5% of the provider's annual worldwide turnover for the previous year.

Conclusion

The DORA Regulation brings significant changes for the EU financial sector in order to enhance digital operational resilience and protection against cyber threats. Implementing these measures requires careful preparation and adaptation by financial entities so that they can meet the new requirements while ensuring the safety and stability of the financial environment.

If you are unsure about the implementation of the obligations arising from the regulation or anything else in this area, or if you need legal advice, please do not hesitate to contact us and we will be happy to help.

Responsible attorney: JUDr. Jakub Dohnal, Ph.D., LL.M. Matěj Menšík contributed to this article.