DORA Regulation: Key Provisions and Requirements for Financial Entities
The Digital Operational Resilience Act (DORA) Regulation has introduced new requirements for financial entities to ensure their digital operational resilience. While the regulation does not intend to regulate outsourcing, it sets key contractual provisions through Article 30, which financial entities should include in their contract arrangements with ICT third-party providers.
What’s the Difference between Outsourcing and ICT Third-Party Providers?
The DORA Regulation covers a broader array of arrangements concluded with ICT third-party providers, whether these qualify as outsourcing arrangements or not. The regulation defines an ICT third-party service provider as an undertaking providing ICT services, which includes digital and data services provided through ICT systems.
Governance and Organisation: Who is the Management Body?
Article 5 of the DORA Regulation places direct requirements onto the management body of a financial entity. The management body is defined as the one that sets the company’s strategy, objectives, and overall direction, and which oversees and monitors management decision-making. Financial entities should refer to their relevant sectoral legislation for further guidance.
Threat-Led Penetration Testing (TLPT) and the TIBER-EU Framework
The DORA Regulation distinguishes between digital operational resilience testing and advanced testing based on TLPT. Financial entities within scope may be required to undergo TLPT; competent authorities will identify those entities based on impact factors, financial stability concerns, and their ICT risk profile. The TIBER-EU Framework developed by the European Central Bank (ECB) will serve as a prominent framework for TLPT.
Reporting Mechanisms under DORA
The regulation has three different reporting mechanisms:
- Major ICT-Related Incidents
- Significant Cyber Threats
- Major Operational or Security Payment-Related Incidents
Financial entities will be required to classify incidents based on qualitative and quantitative thresholds yet to be defined by an upcoming Regulatory Technical Standard. The European Supervisory Authorities (ESAs) will develop reporting templates for both Major ICT-Related Incidents and Significant Cyber Threats.
Relationship with PSD2
The DORA Regulation amends the Payment Services Directive 2 (PSD2), which had introduced a reporting mechanism for credit institutions, payment institutions, account information service providers, and electronic money institutions. Financial entities should be aware that the PSD2 incident reporting requirement will cease to apply to certain entities once the DORA Regulation takes effect.
SIRC’s DORA Podcasts
In preparation for the implementation of the DORA Regulation, the Supervisory ICT Risk and Cybersecurity Function (SIRC) has launched a series of DORA podcasts aimed at preparing authorized persons. Financial entities are encouraged to reach out to SIRC with any DORA-related queries or suggestions to be addressed on future podcasts.
As financial entities prepare for the implementation of the DORA Regulation, it is essential to understand the key provisions and requirements outlined above. By doing so, they can ensure their digital operational resilience and comply with the new regulations.