EU: The interplay between DORA and the GDPR
The Regulation on digital operational resilience for the financial sector (DORA) entered into force on January 16, 2023, and forms an integral part of the European Commission's digital finance package, a package of measures to further enable and support the potential of digital finance in terms of innovation and competition, while mitigating the risks arising from it. DORA will become directly applicable in each Member State from January 17, 2025.
In this article, Desislava Krusteva, Partner at Dimitrov, Petrov & Co., gives an overview of the interplay between DORA and the General Data Protection Regulation (GDPR).
What is DORA?
DORA aims to achieve a high common level of digital operational resilience in the financial sector, and therefore establishes uniform requirements concerning the security of the network and information systems supporting the business processes of financial entities. For financial entities identified as essential or important entities under the national rules transposing the Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive), DORA will apply as a sector-specific Union legal act within the meaning of Article 4 of the NIS2 Directive. This means that, for those entities, the DORA requirements on cybersecurity risk-management measures and incident notification will apply instead of the corresponding provisions of the NIS2 Directive, provided that the DORA requirements are at least equivalent in effect to the obligations laid down in the NIS2 Directive. For entities not covered by DORA, the relevant provisions of the NIS2 Directive will continue to apply.
At the same time, although DORA does not introduce sector-specific rules on personal data protection, a substantial part of its requirements, being targeted at the security of network and information systems and at ensuring digital operational resilience, will indirectly shape the way financial entities also comply with the GDPR. In this respect, it is important to look at the interplay between the GDPR and DORA, specifically the key areas where their requirements intertwine and what is necessary to comply effectively with both. It is noteworthy that the GDPR remains fully applicable to the financial sector, and none of the DORA requirements derogate from the general rules of the GDPR.
Scope of DORA
The main addressees of the requirements of DORA will be so-called financial entities and other service providers in the financial sector. These are credit institutions, payment institutions, account information service providers, e-money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitization repositories.
DORA also introduces requirements that concern the information and communication technology (ICT) third-party service providers providing digital and data services through ICT systems on an ongoing basis to the above-listed types of entities, including hardware as a service and hardware services which include the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analog telephone services.
Financial entities inevitably process huge amounts of personal data in the context of their services. All this data is processed, stored, and transmitted through their networks and information systems, and where they use ICT third-party service providers, personal data is usually also exchanged between them and the respective providers, regardless of whether the provider carries out active data processing operations or has a more passive and indirect role with regard to the personal data processed. Thus, the GDPR applies not only to the activities of financial entities but also to the ICT third-party services provided to such entities, insofar as any personal data is processed in the context of their provision. This is a further reason to look at the interplay between the GDPR and DORA.
ICT risk management
Financial entities will be required to have in place a well-documented internal governance and control framework that ensures effective, prudent, and comprehensive management of ICT risk, as well as a level of digital operational resilience that matches their business needs, size, and complexity. As part of this ICT risk management framework, financial entities will have to identify, classify, and adequately document all ICT-supported business functions, roles, and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. In addition, financial entities will be obliged to review, as needed and at least yearly, the adequacy of this classification of the information assets and of any relevant documentation.
The above-mentioned identification, classification, and documentation of information assets has already been performed to a certain extent, though from a different perspective, by financial entities in order to comply with the GDPR. The scope under DORA will be significantly broader, since the requirement concerns not only information assets that include personal data but information assets of any kind. However, compliance with the GDPR and the existence of properly maintained data inventories, including the records of processing activities under Article 30 of the GDPR, could facilitate financial entities' efforts to comply with DORA.
Another requirement introduced in DORA is that financial entities, other than microenterprises, perform a risk assessment upon each major change in the network and information system infrastructure, processes, or procedures affecting their ICT-supported business functions, information assets, or ICT assets. This requirement will most probably intertwine in certain cases with the requirements to carry out Data Protection Impact Assessments (DPIAs) under Article 35 of the GDPR. Although not every such major change would result in the necessity to carry out a DPIA, the risk assessment under DORA could serve as an initial assessment of whether a DPIA under the GDPR is necessary since such a risk assessment includes an assessment of the risks related to the protection and security of personal data as far as the latter is processed in the respective networks, systems, processes, or information assets. However, these assessments will have a different scope and content.
Security measures
While the GDPR adopts a risk-based approach and does not specify the required technical and organizational measures as minimum standards for ensuring the security of the personal data processed, DORA introduces specific requirements regarding the security measures that financial entities must implement. In this respect, the DORA requirements could in future be considered not only mandatory for financial entities in the context of network security and digital operational resilience, but the absence of these security measures may also be interpreted as a lack of adequate technical and organizational measures to ensure the security of personal data under the GDPR.
A specific challenge for the financial entities will be the interplay between the requirements of the GDPR and DORA for establishing and documenting respective policies and procedures, which, under DORA, should ensure the resilience, continuity, and availability of ICT systems, and maintain high standards of security, confidentiality, and integrity of data, whether at rest, in use, or in transit. Considering the accountability principle, the provision of Article 24(2) of the GDPR, and the practical aspects of implementing security measures, most financial entities, as data controllers, already have certain documented security policies in place. With DORA's adoption, these policies need to be supplemented and updated or at least be reassessed in terms of their comprehensiveness. A specific practical challenge would also be to determine whether to develop and maintain joint policies that comply with both the GDPR and DORA requirements or to maintain separate policies for compliance with the respective regulations.
Management, classification, and reporting of ICT-related incidents
DORA introduces the term 'ICT-related incident,' which means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems and has an adverse impact on the availability, authenticity, integrity, or confidentiality of data, or on the services provided by the financial entity. In a substantial number of cases, such an incident may also constitute a personal data breach within the meaning of the GDPR as far as it results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. This means that in certain cases, a financial entity will have to comply with both the requirements related to an ICT-related incident under DORA and to a personal data breach, which, though having certain similarities, are different.
The main requirements regarding ICT-related incidents include:
- detection mechanisms, which require having in place mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure, while also enabling multiple layers of control, defining alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for the relevant staff in charge of ICT-related incident response;
- documenting and classifying the ICT-related incidents; and
- reporting of major ICT-related incidents where a major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity.
The requirements of establishing detection mechanisms, though directed toward ICT-related incidents, will facilitate the financial entities in detecting personal data protection breaches and, thus, their compliance with the GDPR. However, in cases where an ICT-related incident also constitutes a personal data breach, this may lead to the necessity of double documentation since the requirements of the two regulations are directed toward different aspects of such an incident.
The reporting regime is also different and involves an immediate initial notification followed by intermediate reporting. Thus, in the case of a major ICT-related incident that also constitutes a personal data breach, the financial entity will be obliged to report to the competent authority under DORA, as well as to notify the competent data protection authority under the GDPR.
Relations with ICT third-party service providers
DORA introduces numerous requirements for cases when financial entities use ICT services provided by ICT third-party service providers. These involve, among others, requirements related to assessments of the ICT third-party service providers before entering into contractual agreements with them (due diligence), ensuring written contractual arrangements with such service providers which should contain some key minimal provisions, keeping a 'Register of Information' in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers, distinguishing between those that cover critical or important functions, and those that do not, and reporting at least yearly to the competent authorities information on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements, and the services and functions which are being provided.
The above requirements have similarities with the GDPR requirements regarding the relations between data controllers and data processors. However, DORA establishes far more detailed and specific rules, including reporting obligations that are not present in the GDPR. All these rules apply along with the GDPR requirements, including those of Article 28 of the GDPR.
These requirements will have a significant impact on the tech companies that act as ICT third-party service providers for financial entities, since such companies will be subjected to preliminary assessments and audits, and will need to agree to contractual agreements containing the key minimal provisions under DORA which introduce specific requirements to their services. Among the mandatory contractual arrangements on the use of ICT services are the provisions on accessibility, availability, integrity, security, and protection of personal data, and on ensuring access, recovery, and return in an easily accessible format of personal and non-personal data processed by the financial entity in the case of insolvency, resolution, or discontinuation of the business operations of the ICT third-party service provider. Since, as already mentioned, the GDPR remains fully applicable, these contractual arrangements should also comply with the GDPR. For example, it could be expected that, in most cases, such service providers will act as data processors within the meaning of the GDPR. Therefore, the contractual arrangements with such providers should also contain data processing agreements compliant with Article 28 of the GDPR. In addition, due to the interplay with DORA, such companies may need to supplement and update the security measures they implement and apply.
Conclusion
DORA introduces specific rules on security measures, ICT-related incidents, and relations with ICT third-party service providers in the financial sector, which directly intertwine with those of the GDPR. None of these requirements overrides the applicability of the rules of the GDPR but only builds on and complements them.
DORA will apply from January 17, 2025.
Desislava Krusteva Partner
[email protected]
Dimitrov, Petrov & Co., Sofia