Financial Crime World

DORA Regulation: What You Need to Know About Outsourcing, Governance, and Reporting

The European Union’s Digital Operational Resilience Act (DORA) regulation aims to strengthen the resilience of financial entities in the face of digital threats. As part of this effort, the regulation introduces new requirements for outsourcing arrangements with ICT Third Party Providers (TPPs), as well as enhanced governance and reporting mechanisms.

Outsourcing vs. ICT TPPs: What’s the Difference?

DORA does not redefine outsourcing; that concept remains governed by the existing sectoral outsourcing rules and guidelines. What DORA does is prescribe, in Article 30, the key contractual provisions that must appear in any contractual arrangement for the use of ICT services provided by an ICT TPP. Financial entities should therefore check that every such contract contains the Article 30 provisions. Note that the scope is wider than outsourcing: the DORA requirements attach to contractual arrangements with ICT TPPs whether or not the service in question would qualify as outsourcing under the existing rules.

Governance

The management body of a financial entity is the body (or bodies) that sets the entity's strategy and objectives, oversees and monitors management decision-making, and effectively directs the business. DORA does not supply a self-standing definition; it refers to the sectoral definitions in the relevant Union or national law applicable to each type of entity. Under DORA the management body bears ultimate responsibility for managing the entity's ICT risk.

Threat-Led Penetration Testing (TLPT) and TIBER-EU Framework

Financial entities identified by their competent authority must undergo TLPT as part of their digital operational resilience testing, at least every three years and on live production systems supporting critical or important functions. Competent authorities select the entities, taking into account impact-related factors, possible financial stability concerns and the entity's ICT risk profile and maturity. The TIBER-EU Framework developed by the European Central Bank (ECB) will serve as the reference for how TLPT is carried out.

Reporting Mechanisms Under DORA

The regulation introduces three different reporting mechanisms:

  • Major ICT-Related Incidents: Financial entities must classify ICT-related incidents against qualitative and quantitative thresholds (materiality thresholds) that are to be set out in a forthcoming Regulatory Technical Standard, and report those classified as major to the competent authority through an initial notification, an intermediate report and a final report.
  • Significant Cyber Threats: Financial entities may, on a voluntary basis, notify significant cyber threats to the competent authority where they deem the threat relevant to the financial system, service users or clients. Unlike major incident reporting, this is not a mandatory obligation.
  • Major Operational or Security Payment-Related Incidents: Credit institutions, payment institutions, account information service providers and electronic money institutions must report these incidents to the competent authority under DORA rather than under the PSD2 incident-reporting regime.

Impact on Incident Reporting Mechanism Under PSD2

The DORA package, through its accompanying amending directive (Directive (EU) 2022/2556), amends the Payment Services Directive 2 (PSD2). For credit institutions, payment institutions, account information service providers and electronic money institutions, the reporting of major operational or security payment-related incidents moves from the PSD2 Article 96 regime to DORA. In practice these entities will follow a single, DORA-based incident classification and reporting process for both ICT-related and payment-related incidents, rather than running the PSD2 process in parallel.

Staying Prepared with SIRC’s DORA Podcasts

In preparation for the DORA regulation, the Supervisory ICT Risk and Cybersecurity Function (SIRC) has released a series of podcasts aimed at helping Authorised Persons prepare. Authorised Persons are encouraged to reach out to SIRC with any DORA-related queries or with suggestions for future podcast episodes.

Stay informed about the latest developments in the DORA regulation by following our coverage of this important topic.