
Ireland: DORA's impact on the EU and Irish financial sector and ICT service providers

As part of their continued focus on raising cybersecurity standards within the EU, the European Parliament and the European Council signed into law, on 14 December 2022, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 [1] ('DORA').

Joseph Kennedy, Barrister at Law at the Bar of Ireland, summarises DORA's scope and key provisions and contrasts it to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), highlighting the Central Bank of Ireland's approach and guidance on operational resilience.


Background

DORA has the ambitious objective of addressing the potential systemic cyber risk associated with the use of ICT infrastructures that enable the operation of payment systems and the provision of payment processing activities through harmonised digital resilience rules. DORA brings together for the first time all the provisions related to digital risk in the financial sector in one single legislative act; if your organisation operates in the EU's financial sector, it is likely you will soon have to deal with the provisions contained in DORA.

The digital transformation experienced in financial services has brought about an unprecedented level of use of, and reliance upon, ICT services. It is now inconceivable to provide financial services without the use of cloud computing services, software solutions, and data-related services. The EU's financial ecosystem has become intrinsically co-dependent on certain ICT services provided by ICT service suppliers. The widespread reliance on services supplied by critical service providers, combined with the interdependence of the information systems of various market operators, is considered to pose a direct, and potentially severe, risk to the EU's financial services system and to the continuity of delivery of financial services if critical ICT service providers were to be affected by operational disruptions or major cyber incidents.

In this context and inspired by relevant international, national, and industry best practices, guidelines, recommendations, and approaches to the management of cyber risk, the EU's lawmakers have, with the introduction of DORA, sought to promote a set of principles that facilitate the overall structure of ICT risk management. DORA fills in the gaps or inconsistencies in some of the prior legal acts and explicitly refers to ICT risk via targeted rules on ICT risk-management capabilities, incident reporting, operational resilience testing, and ICT third-party risk monitoring. Under DORA, financial entities will need to have comprehensive capabilities to enable strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents.

Scope

DORA entered into force on 16 January 2023 and has a very broad scope. It will apply from 17 January 2025. Subject to some specific exceptions, it will apply to most entities operating in the EU's financial sector, including credit institutions, payment institutions, investment firms, crypto-asset service providers, trading venues, management companies, credit rating agencies, crowdfunding service providers, and ICT third-party service providers, collectively referred to as 'financial entities'.

Operational resilience is not a new concept and similar efforts have been made in the past to address systemic operational ICT risks within the financial sector at a European level with regulatory guidelines from the European Banking Authority [2] ('EBA'), the European Securities and Markets Authority [3] ('ESMA'), and the European Insurance and Occupational Pensions Authority [4] ('EIOPA'), as well as at a national level with the Central Bank of Ireland's guidance. 'Digital operational resilience' is defined in DORA as 'the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions'.

While, by and large, the existing regulatory guidelines, DORA and other EU laws, such as the recent Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 [5] ('NIS 2 Directive'), are viewed as complementary to each other, it is expected that the general lack of homogeneity and convergence regarding ICT risk monitoring, and in particular ICT third-party risk monitoring in the financial sector, will be much improved by the implementation of DORA. As an EU regulation, DORA will be directly effective in all Member States without any national transposing legislation from 17 January 2025.

DORA versus GDPR

The GDPR has had centre stage on the regulatory front in recent years and has had a major impact on organisations in every sector, including the financial sector. However, the GDPR is only concerned with 'personal data' and despite the inclusion of the words 'data protection' in its name, the GDPR does not in fact address data security requirements and responsibilities in much detail beyond specifying that processors 'implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk'.

DORA, on the other hand, applies to the entire ICT system or service and all the operational data required to keep critical systems running; DORA sets out a considerable amount of data security or risk-related requirements to be met. It seems reasonable to imagine that compliance with DORA will be at least as burdensome on an organisation, if not more so, than compliance with GDPR.

The GDPR attracted a lot of attention due to the huge administrative fines which could be imposed for non-compliance. DORA differs from the GDPR in this respect by including some language on the possibility of administrative fines and even criminal sanctions for non-compliance, but leaving it to individual Member States to introduce national legislation to cover the levels and administration of such sanctions. It remains to be seen if and how Member States will legislate in this regard.

Responsibility of management bodies

DORA makes it clear that for entities in the financial sector (including ICT service providers to the financial sector) ICT risk is a board-level responsibility, and it mandates that the management body of the financial entity shall define, approve, oversee, and be responsible for the implementation of all arrangements related to the ICT risk management framework. Members of the management body of the financial entity will also be required to actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity.

ICT risk management framework

Under DORA, all relevant financial entities will need to put in place a sound, comprehensive, and well-documented ICT risk management framework as part of their overall risk management system, which should enable them to address ICT risk quickly, efficiently, and comprehensively and to ensure a high level of digital operational resilience. They will also need to minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols, and tools, and shall be required to provide complete and up-to-date information on their ICT risk management framework to the competent authorities upon request.

DORA sets out detailed requirements related to ICT risk management and, for example, requires that the ICT risk management framework includes a digital operational resilience strategy setting out how the framework shall be implemented. To that end, the digital operational resilience strategy must include methods to address ICT risk and attain specific ICT objectives, by:

  • explaining how the ICT risk management framework supports the financial entity's business strategy and objectives;
  • establishing the risk tolerance level for the ICT risk, in accordance with the risk appetite of the financial entity, and analysing the impact tolerance for ICT disruptions;
  • setting out clear information security objectives, including key performance indicators and key risk metrics;
  • explaining the ICT reference architecture and any changes needed to reach specific business objectives;
  • outlining the different mechanisms put in place to detect ICT-related incidents, prevent their impact, and provide protection from it;
  • evidencing the current digital operational resilience situation on the basis of the number of major ICT-related incidents reported and the effectiveness of preventive measures;
  • implementing digital operational resilience testing; and
  • outlining a communication strategy in the event of ICT-related incidents.

Vendor risk

DORA also requires that financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework.

As part of their ICT risk management framework, financial entities are required to maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT service providers.

Under DORA, financial entities may only enter into contractual arrangements with ICT service providers that comply with appropriate information security standards and financial entities must establish a role in order to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation. The rights and obligations of the financial entity and the ICT service provider must be clearly allocated and set out in writing.

DORA even sets out some required elements to be included in the contractual arrangements for the use of ICT services in the financial sector, for example:

  • a clear and complete description of all functions and ICT services to be provided by the third-party service provider and the locations, namely the regions where the ICT services are to be provided and where data is to be processed;
  • provisions on availability, authenticity, integrity, and confidentiality in relation to the protection of data, including personal data;
  • provisions on ensuring access, recovery, and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution, or discontinuation of the business operations of the third-party service provider, or in the event of the termination of the contractual arrangements;
  • the obligation of the ICT service provider to provide assistance to the financial entity when an ICT incident that is related to the ICT service provided to the financial entity occurs;
  • the obligation of the ICT service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity;
  • termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities;
  • full service level descriptions with precise quantitative and qualitative performance targets;
  • notice periods and reporting obligations of the ICT service provider to the financial entity;
  • requirements for the ICT service provider to implement and test business contingency plans and to have in place ICT security measures, tools, and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework;
  • unrestricted rights of access, inspection, and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT service provider; and
  • exit strategies, in particular the establishment of a mandatory adequate transition period during which the ICT service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring or allowing the financial entity to migrate to another ICT service provider or change to in-house solutions consistent with the complexity of the service provided.

Guidance from the Central Bank of Ireland

For some time now, the Central Bank of Ireland has been proactive in emphasising the importance of ICT risk management and operational resilience. In December 2021, it issued its Cross Industry Guidance on Outsourcing [6] and Cross Industry Guidance on Operational Resilience [7] and, as recently as 20 January 2023, it issued a 'Dear CEO' letter [8] to the payment and e-money sectors in which it reminded these sectors of the Central Bank's focus on operational resilience and 'the need for firms to demonstrate readiness for, and resilience to, operational disruptions'.

As a consequence, many Irish financial entities should already be familiar with the risk-related measures required under DORA and have similar measures in place. However, it is strongly recommended that all relevant financial entities take the opportunity between now and the DORA implementation deadline of 17 January 2025 to revisit their ICT risk management programme, identify any gaps by reference to the requirements under DORA, and use the time available to remediate them.

Conclusion

While, in the long run, it is believed that DORA will help create much-needed consistency across the financial sector with respect to ICT risk management, it seems reasonable to expect that, for the near future, DORA will generate significant administrative overhead for financial entities and cause procurement cycle delays as stakeholders adjust and come to grips with its provisions.

Joseph Kennedy, Barrister at Law
Bar of Ireland, Dublin


[1] Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&qid=1677461841054
[2] See: https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements; https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management
[3] See: https://www.esma.europa.eu/document/guidelines-outsourcing-cloud-service-providers
[4] See: https://www.eiopa.europa.eu/publications/guidelines-information-and-communication-technology-security-and-governance_en
[5] Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&qid=1677465951822
[6] Available at: https://www.centralbank.ie/publication/consultation-papers/consultation-paper-detail/cp138---consultation-on-cross-industry-guidance-on-outsourcing
[7] Available at: https://www.centralbank.ie/financial-system/operational-resilience-and-cyber/operational-resilience
[8] Available at: https://www.centralbank.ie/docs/default-source/regulation/industry-market-sectors/payment-institutions/dear-ceo-letter-supervisory-findings-and-expectations-for-payment-and-electronic-money-firms.pdf?sfvrsn=408d981d_3
