DORA Regulation – impact and requirements
SCOPE AND SUBJECT MATTER
The object of DORA is to establish uniform requirements for the security of the network and information systems (ICT systems) of financial entities, including, among others, credit institutions (banks), payment institutions, and insurance and reinsurance undertakings.
Responsibility of the management body
DORA introduces the principle of full accountability of the management body for the ICT risk management of the financial entity. This is manifested, among other things, in the assignment of clear roles and responsibilities for all ICT-related functions and in the active involvement of the management body in defining, approving and overseeing the ICT risk management framework.
ICT risk management requirements
DORA builds on European and internationally recognised technical standards and industry best practices without prescribing any particular standard. Key requirements include:
– establishment and maintenance of resilient ICT systems and tools to minimise the impact of ICT risk, with the ICT risk management, control and internal audit functions kept segregated and independent in line with the three lines of defence model
– implementation of a so-called digital operational resilience strategy, which includes, among other things, information security objectives, a description of how the ICT risk management framework supports the business strategy and objectives, and a holistic strategy for using multiple vendors (multi-vendor strategy)
– obligation to identify all sources of ICT risk, to identify, classify and document ICT-supported business functions, and to document the processes that depend on ICT third-party service providers as well as all interdependencies with and between such providers
– identification of all ICT assets by financial entities, together with a risk assessment and regular updates of the asset inventory
– ensuring the reliability of all ICT systems, protocols and tools, and auditing the technical solutions in use
– implementation of protection and prevention measures and of mechanisms for the prompt detection of anomalous activities
– introduction of specific and comprehensive business continuity policies and ICT disaster recovery plans
– establishment and implementation of a management process to monitor, log and record ICT-related incidents, together with an obligation to classify incidents according to criteria set out in DORA and further developed by the ESAs to determine the materiality thresholds (the reporting obligation applies only to major ICT-related incidents)*
– obligation to carry out digital operational resilience testing proportionate to the size, business and risk profile of the financial entity, and to test ICT systems and applications supporting critical or important functions at least once a year
– in terms of outsourcing: monitoring the risks arising from the use of ICT third-party service providers; including in contracts, among other things, the locations where data are to be processed, a description of the service level with quantitative and qualitative performance targets, and provisions on access, availability, integrity, security and protection of personal data; bringing critical ICT third-party service providers under an EU oversight framework; and taking the length of the subcontracting chain into account when assessing outsourcing risk
– services provided by third-party providers will have to comply with the requirements set out in DORA; in this regard, competent supervisory authorities may, among other things, require such providers to review the adequacy of their contractual arrangements with financial entities
* Work on aligning the DORA incident reporting provisions with other regulations, including PSD2, is still in progress. The European Parliament has proposed an amendment under which the rules set out in the new regulation would override the PSD2 incident reporting rules for entities covered by DORA.