
EU: The interplay between DORA and the GDPR

The European Commission has published a Proposal for a Regulation on Digital Operational Resilience for the financial sector ('DORA') ('the DORA Proposal') as part of the digital finance package, a package of measures to further enable and support the potential of digital finance in terms of innovation and competition, while mitigating the risks arising from it. When adopted, it will be directly applicable in each Member State.

In this article, Desislava Krusteva, Partner at Dimitrov, Petrov & Co., gives an overview over the interplay between DORA and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').


What is DORA?

DORA will establish uniform requirements concerning the security of the network and information systems supporting the business processes of financial entities, needed to achieve a high common level of digital operational resilience. At the same time, the financial sector will remain within the scope of the horizontal framework on cybersecurity, such as the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive'). Meanwhile, further sector-specific cybersecurity rules will be introduced with DORA.

However, although DORA does not introduce sector-specific rules on personal data protection, a substantial part of its requirements, being targeted at the security of network and information systems and at ensuring digital operational resilience, will indirectly affect the ways in which financial entities comply with GDPR requirements. In this respect, it is important to look at the interplay between the GDPR and DORA, specifically in the key areas where their requirements intertwine, and at what would be necessary to comply effectively with both. At this point, it is noteworthy that the GDPR remains fully applicable to the financial sector, and none of the DORA requirements will derogate from the general rules of the GDPR.

Scope of DORA

The main addressees of the requirements of DORA will be so-called financial entities. These are credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers, issuers of crypto-assets, issuers of asset-referenced tokens and of significant asset-referenced tokens, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks, crowdfunding service providers, as well as securitisation repositories.

DORA will also introduce requirements which concern any undertaking providing digital or data services to financial entities, including providers of cloud computing services, software, data analytics services, and data centres, but excluding providers of hardware components and undertakings authorised under Union law which provide electronic communication services. These are so-called ICT third-party service providers.

Financial entities inevitably process huge amounts of personal data in the context of their services. All this data is processed, stored, and transmitted through their network and information systems, and where they use ICT third-party service providers, personal data is usually also exchanged between them and the respective providers, regardless of whether the providers carry out active data processing operations or have a more passive and indirect role with regard to the processed personal data. Thus, the GDPR applies not only to the activities of the financial entities, but also to the ICT third-party services provided to such entities, insofar as any personal data is processed in the context of their provision. This also indicates that it is important to look at the interplay between the GDPR and DORA.

ICT risk management

Financial entities will be required to have in place well-documented internal ICT risk management frameworks, which enable them to address ICT risks quickly, efficiently, and comprehensively, and to ensure a high level of digital operational resilience that matches their business needs, size, and complexity. As part of this ICT risk management framework, financial entities will have to identify, classify, and adequately document all ICT-related business functions, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems. In addition, financial entities will be obliged to review as needed, and at least yearly, the adequacy of the classification of the information assets and of any relevant documentation.

The above-mentioned identification, classification, and documentation of information assets has already been performed to a certain extent, albeit from a different perspective, by financial entities in order to comply with the GDPR. The scope under DORA will be significantly broader, since this requirement concerns not only information assets which include personal data, but any kind of information asset. However, compliance with the GDPR and the existence of properly maintained data inventories, including records of processing activities under Article 30 of the GDPR, could facilitate the efforts of financial entities to comply with DORA.

Another requirement introduced in the Commission's proposal is for financial entities other than microenterprises to perform a risk assessment upon each major change in the network and information system infrastructure, or in the processes or procedures, affecting their functions, supporting processes, or information assets. This requirement will most probably intertwine in certain cases with the requirement to carry out Data Protection Impact Assessments ('DPIAs') under Article 35 of the GDPR. Although not every such major change would result in the necessity to carry out a DPIA, the risk assessment under DORA could serve as an initial assessment of whether a DPIA under the GDPR is necessary, since such a risk assessment includes an assessment of the risks related to the protection and security of personal data insofar as the latter is processed in the respective networks, systems, processes, or information assets. However, these assessments will have a different scope and content.

Security measures

While the GDPR adopts a risk-based approach without specifying the required technical and organisational measures as minimum standards for ensuring a level of security of the processed personal data, DORA introduces specific requirements regarding the security measures that financial entities should implement. In this respect, in the future, the requirements under DORA could be considered not only mandatory for financial entities in the context of ensuring network security and digital operational resilience, but also an indication of what should be considered adequate technical and organisational measures to ensure the security of personal data in the financial sector.

A specific challenge for financial entities will be the interplay between the requirements of the GDPR and DORA for establishing and documenting the respective policies and procedures, which, under DORA, should ensure the resilience, continuity, and availability of ICT systems, and maintain high standards of security, confidentiality, and integrity of data, whether at rest, in use, or in transit. Considering the accountability principle, the provision of Article 24(2) of the GDPR, and the practical aspects of implementing security measures, most financial entities, as data controllers, already have in place certain documented security policies. With DORA's adoption, these policies will most probably need to be supplemented and updated. A specific practical challenge would also be to determine whether to develop and maintain joint policies that comply with both GDPR and DORA requirements, or to maintain separate policies for compliance with each regulation.

Management, classification, and reporting of ICT-related incidents

The proposal introduces the term 'ICT-related incident', which means an unforeseen identified occurrence in the network and information systems, whether resulting from malicious activity or not, which compromises the security of the network and information systems or of the information that such systems process, store, or transmit, or has adverse effects on the availability, confidentiality, continuity, or authenticity of the financial services provided by the financial entity. In certain cases, such an incident may also constitute a personal data breach within the meaning of the GDPR, if it leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. This means that in certain cases a financial entity will have to comply with both the requirements related to an ICT-related incident and those related to a personal data breach, which, though having certain similarities, are different.

The main requirements regarding ICT-related incidents include:

  • detection mechanisms, which require having in place mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and identifying all potential material single points of failure, whilst also enabling multiple layers of control, defining alert thresholds and criteria to trigger ICT-related incident detection and response processes, and putting in place automatic alert mechanisms for relevant staff in charge of ICT-related incident response;
  • documenting and classifying the ICT-related incidents; and
  • reporting of major ICT-related incidents where a major ICT-related incident means an ICT-related incident with a potentially high adverse impact on the network and information systems that support critical functions of the financial entity.

The requirement to establish detection mechanisms, though directed toward ICT-related incidents, will facilitate financial entities in detecting personal data breaches and, thus, their compliance with the GDPR. However, in cases where an ICT-related incident also constitutes a personal data breach, this may lead to the necessity of double documentation, since the requirements of the two regulations are directed toward different aspects of such an incident.

The reporting regime is also different and involves an immediate initial notification and intermediate reporting. Thus, in the case of a major ICT-related incident which also constitutes a personal data breach, the financial entity will be obliged to report to the competent authority under DORA, as well as to notify the competent data protection authority. An additional key aspect is that the deadlines for submitting the notifications under DORA are planned to be extremely short, and actually shorter than those under the GDPR for the initial notification.

Relations with ICT third-party service providers

The proposal introduces numerous requirements for cases where financial entities use ICT services provided by ICT third-party service providers. These involve, among others, requirements related to assessing ICT third-party service providers before entering into contractual agreements with them (due diligence); ensuring written contractual arrangements with such service providers, which should contain certain key minimum provisions; keeping a 'Register of Information' on all contractual arrangements for the use of ICT services provided by ICT third-party service providers, distinguishing between those that cover critical or important functions and those that do not; and reporting at least yearly to the competent authorities information on the number of new arrangements for the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements, and the services and functions being provided.

The above requirements have certain similarities with GDPR requirements regarding the relations between data controllers and data processors. However, DORA will establish far more detailed and specific rules. All these rules will apply along with GDPR requirements, including those of Article 28.

These requirements will have a significant impact on the tech companies that act as ICT third-party service providers for financial entities, since such companies will be subject to preliminary assessments and audits, and will need to agree to contractual agreements containing the key minimum provisions under DORA, which introduce specific requirements for their services. Among the mandatory contractual arrangements on the use of ICT services are provisions on the accessibility, availability, integrity, security, and protection of personal data, and on ensuring access, recovery, and return in an easily accessible format of the personal and non-personal data processed by the financial entity in the case of insolvency, resolution, or discontinuation of the business operations of the ICT third-party service provider. Since, as already mentioned, the GDPR remains fully applicable, these contractual arrangements should also comply with the GDPR. For example, it can be expected that in most cases such service providers will act as data processors within the meaning of the GDPR. Therefore, the contractual arrangements with such providers should also contain data processing agreements compliant with Article 28 of the GDPR. In addition, due to the interplay with DORA, such companies may need to supplement and update the security measures they implement and apply.

Conclusion

DORA is planned to introduce specific rules on security measures, ICT-related incidents, and relations with ICT third-party service providers in the financial sector, which directly intertwine with those of the GDPR. None of these requirements overrides the applicability of the rules of the GDPR; they only build on and complement them.

Desislava Krusteva, Partner
Dimitrov, Petrov & Co., Sofia
