Digital operational resilience for the financial sector

SUMMARY OF:

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector

WHAT IS THE AIM OF THE REGULATION?

It lays down uniform rules on the security of network and information systems of financial entities, such as banks, insurance companies and investment firms.

It covers a wide range of European Union (EU) regulated financial entities, requiring them to withstand, respond to and recover from any disruption or threat involving information and communication technologies (ICT).

KEY POINTS

Scope

The regulation covers:

credit, payment, electronic money and occupational pension institutions;
service providers for account information, crypto assets, data reporting, crowdfunding and ICT third parties;
investment firms, alternative investment funds, management companies, credit rating agencies and administrators of critical benchmarks;
trade and securitisation repositories, central securities depositories, central counterparties and trading venues;
insurance, insurance intermediaries and reinsurance businesses.

ICT risk management

Financial entities, other than micro-enterprises, shall:

have in place internal governance and control measures that ensure effective and prudent management of ICT risk;
ensure that their management body defines, approves, oversees and is responsible for all the relevant arrangements;
have in place a sound, comprehensive and well-documented ICT risk management framework with the necessary strategies, policies, procedures, protocols and tools to respond quickly and efficiently;
use and maintain updated ICT systems, protocols and tools that are appropriate, reliable, technologically resilient and have sufficient capacity;
identify, classify and adequately document all ICT-supported business functions, roles and responsibilities and review risk scenarios;
continuously monitor the security and operation of ICT systems and tools to minimise the impact of any ICT risk;
promptly detect anomalies and identify potential failure points;
put in place a comprehensive ICT business continuity policy with appropriate plans, procedures and mechanisms;
develop and document backup policies and restoration and recovery procedures;
deploy resources and staff to assess vulnerabilities and cyber threats, ICT-related incidents, especially cyberattacks, and analyse their potential impact on the entity’s digital operational resilience;
devise crisis communication plans to disclose at least major ICT-related incidents or vulnerabilities to clients, counterparts and the public.

ICT-related management, classification and reporting

Financial entities shall:

define, establish and implement measures to detect, manage, record and notify ICT-related incidents;
classify incidents and determine their impact using criteria such as number of clients and counterparts affected, duration, geographical spread and data losses;
report major ICT-related incidents to their designated competent authority, which forwards it to a higher body such as the European Central Bank or the European Banking Authority.

Digital operational resilience testing

Financial entities, other than micro-enterprises, shall:

establish, maintain and review a sound and comprehensive digital operational testing programme equipped with the necessary assessments, tests, methodologies, practices and tools;
carry out, at least every 3 years, threat level penetration testing based on their risk profile and taking account of operational circumstances – and only use testers that are certified, possess the necessary expertise and suitability and have professional indemnity insurance.

Managing ICT third-party risk

Financial entities shall:

manage third-party risk as an integral component of their overall ICT risk;
have in place contractual arrangements for ICT services to run their business operations in full compliance with the relevant legislation;
take account of the nature, scale, complexity and importance of ICT-related dependencies and any potential risks;
weigh the benefits and costs of alternative solutions when identifying and assessing any risks involved;
include in the contract each party’s rights and obligations and the service agreement.

Oversight framework of critical ICT third-party service providers

The framework:

entrusts the European Supervisory Authorities (ESAs) to:
- designate, on the basis of clear criteria, the ICT third-party service providers considered to be critical for financial entities,
- appoint, as lead overseer for each critical third-party service provider, the ESA responsible for the financial entity concerned;
establishes an Oversight Forum to:
- discuss relevant developments on ICT risk and vulnerabilities and promote a consistent EU monitoring approach,
- assess oversight activities annually, promote moves to increase digital operational resilience and foster best practice,
- submit comprehensive benchmarks for critical ICT third-party service providers;
mandates the lead overseer to:
- be the primary contact point for critical ICT third-party service providers,
- assess whether each critical provider has comprehensive, sound and effective rules, procedures, mechanisms and arrangements in place,
- request all relevant information and documentation, conduct investigations and inspections (including in non-EU countries), specify remedial action and issue recommendations;
enables the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority to work with non-EU regulatory and supervisory authorities on ICT third-party risk;
requires ESAs to submit a confidential report every 5 years to the European Parliament, the Council of the European Union and the European Commission on their dealings with non-EU authorities.

Information-sharing arrangements

Financial entities may exchange among themselves cyber threat information and intelligence, provided that this:

aims to strengthen their digital operational resilience;
occurs within their trusted communities;
protects business confidentiality and personal data, and respects competition policy rules.

Penalties and remedial measures

Competent authorities:

have all the supervisory, investigatory and sanctioning powers needed to carry out their duties;
impose, and publish on their websites, the administrative penalties and remedial measures determined by national law.

ESAs draft regulatory technical standards for ICT risk management tools, classification and reporting of ICT-related incidents and conduct of oversight activities.

The Commission:

has the power to adopt delegated acts;
submits, by 17 January 2028, a review of the regulation, after consulting the ESAs and the European Systemic Risk Board, to the Parliament and the Council.

The regulation amends Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 909/2014, (EU) No 600/2014 and (EU) 2016/1011.

FROM WHEN DOES THE REGULATION APPLY?

It applies from 17 January 2025.

BACKGROUND

The reforms that followed the 2008 financial crisis primarily strengthened the sector’s financial stability. ICT risks were only addressed indirectly in some areas and continued to pose a challenge to the operational resilience, performance and stability of the EU financial system.

The regulation, known as DORA, is part of a larger digital finance package aiming to foster technological development and ensure financial stability and consumer protection. Its other elements cover a digital finance strategy, markets in crypto assets and distributed ledger technology.

For further information, see:

Digital finance package (European Commission).

MAIN DOCUMENT

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, pp. 1–79).