What is the Digital Operational Resilience Act (DORA)?
DORA is an EU regulation that creates a harmonized framework on information and communications technology (ICT) risk management, incident management, resilience testing and ICT third-party risk. It reflects the expansion of regulatory focus beyond financial resilience to operational resilience and applies to a broad range of EU financial sector entities. For the first time, DORA will also make certain ICT providers identified as critical subject to oversight for the ICT risks they pose to their clients. DORA entered into force in early 2023 but will become effective on January 17, 2025.
Why is DORA important to financial entities?
DORA codifies and builds on the existing ICT risk requirements which are currently dispersed across multiple EU and national guidelines. As a result, entities that are subject to DORA will need to review and adjust their internal policies and business practices, enhance ICT risk management and demonstrate a digital resilience maturity which allows them to withstand and respond to disruptions such as operational outages and cyber-attacks.
DORA technical standards
The European Supervisory Authorities (ESAs) have been tasked to develop the regulatory and implementing technical standards that supplement the DORA framework and make it operational. The technical standards are a key element of the EU regulatory ecosystem, as they enable new requirements to be practically implemented. DORA and the technical standards need to be read in tandem and are complementary to each other. For instance, while DORA requires financial entities (FEs) to maintain and update a register of information on ICT contracts and report major ICT incidents, the technical standards will specify the standard templates and reporting details that need to be considered.
The DORA technical standards are being developed in batches and published to enable the industry to become familiar with the new requirements prior to DORA's effective date of 17 January 2025, as well as to provide feedback to the policymakers. The comments are then reviewed and considered when finalizing the standards prior to their submission to the European Commission.
In June 2023, the ESAs published a consultation on the first batch of draft technical standards in the following areas:
- ICT risk management framework (and simplified ICT risk management framework)
- Criteria for the classification of ICT-related incidents
- Templates for the register of information
- Policy on ICT services performed by ICT third-party providers
While the vast majority of DORA requirements apply directly to FEs in scope of DORA and not to ICT service providers (unless the ICT service provider is designated as critical), we understand the importance of regulatory compliance to our clients and are committed to continuing to support their regulatory change management efforts. Temenos submitted comments to the proposed draft technical standards in areas where we felt that greater clarity or clarification was needed, such as:
- ICT policies – in a SaaS context, a one-to-many standardized service is provided to multiple clients, and no single client may decide the ICT security policies that apply across the board; rather, these measures are decided centrally by the ICT provider and all necessary policies and documents are shared beforehand. It is the responsibility of the FE to review these as part of its due diligence process and ensure they are aligned with its own internal policies and procedures. The third party's security policies are designed to be appropriate to the sector and its users, service offerings and security risks, while the policies of the FE are designed from its own perspective and in consideration of its risk profile and business activities which, by definition, differ from the third party's. No two FEs will have fully identical security policies; in fact, such policies may deviate materially from one another, as a result of which it will be impossible to implement and comply with conflicting/deviating requirements.
- Source code review & testing – it is important to remove any uncertainty around the scope of source code testing and review, and the party that should perform it. For instance, where an FE has licensed proprietary software from an ICT vendor, or part of its bespoke or in-house system is made up of licensed proprietary software, the FE would not have access to the source code for such software, and testing of the source code by the FE would not be feasible in this case.
What comes next?
The ESAs are expected to finalize and submit the first batch of technical standards to the European Commission by 17 January 2024. The second batch is expected to be published in late November or December 2023 and will cover key areas such as:
- Reporting of major ICT-related incidents
- Subcontracting of critical or important functions
- Threat-led penetration testing
Temenos is actively monitoring the shaping of the regulatory framework and will continue to provide technical expertise and insights in the ESAs' next consultations. We will publish further updates as the new requirements are announced.