The Digital Operational Resilience Act at a glance
In today’s world financial entities are highly interconnected and often rely on their ICT systems. This constitutes a systemic vulnerability allowing financial entities to turn into a channel of cyber incidents spreading across the whole financial sector of the EU.
To combat this, the Digital Operational Resilience Act (DORA) has been announced as a further measure to help protect EU-state organizations against potential disruptions by setting rules that must be followed.
The Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) aims to ensure the European financial sector can withstand severe disruptions caused by cyber-attacks, maintain resilience during operational disruptions, successfully recover as well as enhance their digital performance.
This will be done by introducing standard security requirements for financial institutions’ network and information systems.
“ DORA addresses a key problem in EU financial regulation. Before DORA, financial institutions managed some operational risks with capital allocation but lacked comprehensive resilience. Now, they must follow the rules for protecting against ICT incidents, reporting, testing, and monitoring. DORA recognizes that ICT incidents and a lack of resilience can jeopardize the entire financial system, regardless of capital adequacy, “ Andrius Petkevičius CEO of BCCS Cluster.
In short, DORA creates a regulatory framework for operational resilience. All firms must confirm they can withstand, respond, and recover from a wide range of ICT disruptions and cyber threats. This approach seeks to promote the development and use of new technologies and products, while also guaranteeing financial stability and protecting consumers and investors.
THIRD-PARTY ICT PROVIDER MANAGEMENT
Financial institutions are not the only ones that will be directly impacted by the Digital Operational Resilience Act. Certain third-party ICT providers will be deemed critical and subject to regulatory oversight from a lead overseer. One of the European Supervisory Authorities (ESAs). DORA is intended to ensure reliable monitoring of ICT third-party risk, including an analysis of the concentration risks associated with multi-client service providers.
In their cybersecurity predictions for 2022, Gartner foresees that “by 2025, 60% of organizations will use cybersecurity as a primary determinant in conducting third-party transactions and business engagements.”
This means that DORA will have a key focus on critical ICT third-party service providers.
For this reason, in this article, we are casting light on ICT third-party risk management mentioned in DORA. If you want to read more about the other regulations mentioned in DORA, click here.
The Digital Operational Resilience Act (DORA) requires the assessment of third-party providers to be based on several factors:
- The impact on the stability of financial services if the ICT third-party service provider experiences a large-scale operational failure to provide its services.
- The significance of financial entities relying on the ICT provider, preeminent banks, and the potential contagion risks between them. DORA is trying to address any failure or interruption on the part of an ICT provider. Preventing a systemic effect on the European financial sector.
- The importance of the ICT prover’s services for critical functions.
- The ability to substitute the ICT provider with other providers and the ease of data migration.
DORA emphasizes the importance of trust and verification for financial institutions. Regarding assurance, organizations have the legal right to request evidence of the security posture from their service providers.
In short, the advice seems to be “trust your third-party service provider but verify”.
The providers should be applying testing requirements across the whole organization. Furthermore, financial organizations are advised to increase their oversight and monitoring of third parties.
Suppose your company is unsure of whether it’s compliant with the requirements introduced by DORA. BCCS Cluster has followed the development of DORA since the introduction of the regulation. Therefore, have studied it meticulously and can help you be compliant with it.
DORA REGULATIONS FOR THIRD-PARTY RISK MANAGEMENT
Let’s dive deeper into the regulations mentioned for third-party risk management mentioned in DORA.
Article 26 suggests that:
- When assessing ICT concentration risk, financial entities will have to consider whether entering into a contractual arrangement for ICT services would result in contracting with a difficult-to-replace ICT third-party service provider. Or consider having multiple arrangements with the same or closely connected providers.
They will have to evaluate the advantages and disadvantages of alternative solutions. Such as using different service providers, and considering how these options align with their digital resilience strategy and business needs.
According to Article 27 – Key contractual provisions preliminary assessment of ICT concentration risk and further sub-outsourcing arrangements :
- Financial entities and ICT third-party service providers should have clear written contracts that allocate rights and obligations and include Service-Level Agreements (SLAs). The contracts should cover various aspects, such as function descriptions, data processing locations, accessibility and security provisions, service level descriptions, monitoring rights, termination rights, and exit strategies. Standard contractual clauses may be considered during negotiations. The ESAs will develop draft regulatory technical standards specifying the elements for assessing sub-contracted critical functions. The Commission has the power to adopt these standards under relevant regulations.
Article 28 specifies that financial entities will need to manage their ICT third-party risk under the following principles:
- Financial entities need to have contractual arrangements for the use of ICT services that are fully compliant with applicable financial services law, including DORA.
- The management of ICT third-party risk must follow the principle of proportionality. It should consider the nature, scale, complexity, and importance of the relevant ICT dependencies and the associated risks arising from the contractual arrangements.
The article also provides for the creation and maintenance of certain risk management documentation. For example, under article 28(2):
- Financial entities must create and frequently review their ICT third-party risk strategies. The strategy must contain a policy on using ICT services that support critical or important arrangements (CIFAs) provided by ICT third-party service providers.
According to article 28(3):
- Financial entities must create a register of information that provides information on all contractual arrangements for the use of ICT services provided by ICT third-party service providers. This register must display arrangements that cover services that are CIFAs, and which are not.
A LITTLE HELP MIGHT HELP
Financial Services organizations have less than 24 months to implement and comply with the regulation. Until then they must meet operational resilience requirements, conduct due diligence on subcontractors, maintain records, and comply with ICT security measures. They are also expected to cooperate with overseers and pay oversight fees.
What’s left to say? Establishing and maintaining a well-functioning framework can be a challenge. For this reason, organizations that have an ISMS (Information Security Management System) might have an easier time complying with DORA’s new rules. Here’s where BCCS Cluster comes in. Having followed the development of the regulation, BCCS can provide your company with the needed compliance support and assistance in impending an ISMS.
By leveraging their knowledge and resources, BCCS can assist your company in establishing and maintaining a well-functioning framework that meets the standards set by DORA. With the guidance of BCCS, your organization can streamline the compliance process and mitigate the challenges associated with implementing the new rules.
Overall, the Digital Operational Resilience act aims to strengthen ICT risk management in the EU financial sector and ensure that financial services have control over their third-party risks. Compliance with DORA will require careful planning and the use of a third-party risk management platform can facilitate the process. Implementing DORA can be complex, therefore, using a third-party risk management platform or overseer is recommended. This could help manage vendors, suppliers, and third-party service providers, collect and analyze assurance and information, and map risks.
If you have more questions about implementing DORA, let’s talk!
Send a message: firstname.lastname@example.org