Digital Operational Resilience Act
On 24 September 2020, the European Commission, as part of its “Digital Finance Package”, adopted a number of proposals:
- The Pilot DLT Market Infrastructure Regulation (commonly called the DLT Pilot Regime), part of a package which seeks to “make Europe fit for the digital age and to build a future-ready economy that works for the people.” This leads in areas such as markets in crypto-assets as they affect the EU and its citizens.
- The Amending Directive, which updates current financial services legislation to accommodate the new regimes.
- The Markets in Crypto-Assets (MiCA) proposal itself, a regulatory regime for crypto-assets, along with annexes and an initial impact assessment on distributed ledger technology market infrastructure, potentially involving infrastructures such as Ethereum and Hyperledger and their licensing as Crypto-Asset Service Providers (CASPs) within the EU.
- The Digital Operational Resilience Act (DORA) proposal, to be adopted as a regulation.
So far, so what?
DORA, driven forward as an EU regulation, seeks to build an over-arching digital resilience framework for the 27 member states of the EU.
The Amending Directive builds the obligations of DORA into existing financial services legislation. MiCA puts the requirement on CASPs to adopt the requirements of DORA as part of their operations.
This is a significant step forward in policy-making. It addresses perceived inadequacies in the current legislative environment and can be seen as a more focussed approach to supporting the EU financial sector, much as GDPR sought (and largely succeeded) in removing the confusion, asymmetry and sub-optimal operational implementation that had grown up around the 1995 EU Data Protection Directive.
DORA applies a more prescriptive set of requirements to a wider cross-section of organisations within the financial markets.
In order to set the bar at a level which doesn’t shut out new entrants to the financial markets, a ‘sliding scale’ of thresholds of application ensures that the larger the risk from the operation (or the more critical the service is to the financial markets), the more stringent the application of the law.
By pulling together and supplementing current rules around financial resilience, DORA and the Amending Directive look to:
- Increase co-operation and data sharing between organisations around threats to operations
- Help to develop testing frameworks which are directly proportionate to the size and impact of the organisation within the financial markets (‘sliding scale’)
- Improve cohesion and remove fragmentation and redundancy, so that organisations have better knowledge of the threat environment and the associated threat horizon. This is supported by organisations pooling threat intelligence and curating a better-informed knowledge base from industry-focussed data (why track SCADA exploits affecting water pumps when working in the finance industry, for example?).
- Focus organisations on their ‘supply chain’ risks from third-party ICT providers.
- Drive organisations to better align business operations, strategy and risk management, including the management of “ICT concentration risk”. Fairly obviously, the aim is to de-risk operations in the financial markets, as far as is possible, by making the appreciation and management of these risks a regulatory responsibility incumbent upon financial services operations.
Is my company under any obligation?
At the moment, DORA is still in draft and is going through the legislative process within the EU. Chances are, if you work for a financial entity within the EU, you are already aware of DORA and what it may mean for your organisation.
Until the regulation is finalised and brought into force, the requirements and obligations may change at the micro level, but DORA is part of a macro-level, pan-EU regulation which seeks to achieve what has been outlined above. There may be some ‘window-dressing’ over the next eighteen months, but the store is effectively already built.
The types of companies which will be tracking the development in order to achieve compliance when the law is finally ratified include banks, investment firms, pension providers, credit rating agencies, insurers/reinsurers and their intermediaries, and providers of ICT services to the finance industry across the EU. It is, perhaps, worth noting that the definition of ICT service providers makes no distinction between cloud and non-cloud service providers…
Quis custodiet ipsos custodes?
Providers of ICT services will operate within an EU oversight framework. This framework provides for the relevant European Supervisory Authority (ESA) to audit and assess the criticality of each provider and their policies, procedures, tools and contracts as they apply to the management of risk. The ESAs will act as “Lead Overseers” with a watching and reporting brief, whilst the national competent authorities (NCAs) will enforce the law. This is broadly analogous to the European Data Protection Board and the EU member state Supervisory Authorities in terms of operation and application. Moving assessment and enforcement to the member state level preserves flexibility within member states, while commonality of application across the EU is maintained at the ESA level.
The ESAs are the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA). Alongside them, competent authorities such as the European Central Bank’s Single Supervisory Mechanism (not an exhaustive list) will supervise the entities within their remit under DORA.
A target-rich environment
The oversight framework is expected to build on the current management of such risk within the Joint Committee of the ESAs. This is not a matter of ‘reinventing the wheel’ – DORA and the Amending Directive seek to fine-tune and standardise the approach to risk within the finance industry in the EU.
To achieve this oversight, the Joint Committee (JC) has powers to create an Oversight Forum to support the JC on practical matters relating to ICT risk.
ICT providers will be scored, quantitatively and qualitatively, for their impact on the finance industry. They will be brought within oversight where their criticality within the supply chain is such that oversight protects the operation of financial institutions within the EU, allowing the ESA to “tread softly and carry a big stick”. No one wins within a highly restrictive operational framework, so some ICT providers may fall outside the oversight of the JC because of their size or the limited impact they could have on the operations of financial institutions.
Similarly, any organisation which is scanning the horizon and sees a change in DORA which may lead to its future inclusion within the oversight framework can voluntarily submit to the inspection mechanism in order to “get up to speed” before any enforced inclusion by the JC. This option allows the JC to work with interested parties to shape the oversight framework as new developments occur within financial markets. This isn’t an invitation from the JC for lobbyists to shape the application of the law; it is an invitation for ICT providers to understand how the law is developing within their market and to ensure that protection for financial operators is built into the framework from the outset.
The impression of protection is not the same as… protection.
The ESA or NCA will have powers to:
- carry out on-site inspections of ICT providers who supply services to the financial institutions of the EU
- access data in any format which supports the duties of the inspector, including taking copies
- obtain, within the laws of the Member State, data traffic records held by a telecommunications operator where there is evidence of a potential breach of DORA and those records are believed to evidence the breach
- stipulate measures to correct or remediate DORA breaches
- issue cease and desist orders for operatives or operations which invite risk or which are potentially in breach of DORA
- constrain the activities of ICT providers
- impose fines on organisations which are found to be in breach of the regulation
It should be noted that the new framework allows Member States to impose criminal penalties, presumably including custodial sentences.
How Can We Comply?
Right now? Nothing.
At Define:Athene, we are tracking the development of the law in order to advise our clients of anything on the horizon which may need to be adopted, however, the situation is in a state of flux as the legislation progresses through the EU legislative process.
Financial organisations are expected, for the most part, to already be broadly in line with the proposed legislation. DORA seeks to align its application across the EU and build a cohesive environment for the appreciation of operational risks, for improved resilience where risks manifest themselves as incidents, and for the sharing of knowledge between parties within the supply chain and across the industry.
The emphasis now is on ensuring that financial entities mature their risk management frameworks and enshrine them in the DNA of the business, rather than treating them as an adjunct or a “thing which needs to be done when we feel it necessary”.
DORA expects that financial institutions will:
- react to potential cyber incidents quickly and effectively, and then document and apply “lessons learned”
- have the structural and operational capacity to deal with adverse conditions within the market without failing or creating an additional knock-on problem within the industry and markets
- undergo advanced, threat-led penetration testing where the entity is ‘cyber mature’ and plays a significant role within the EU finance industry
- maintain a range of testing methodologies, tools and frameworks to investigate the operation and resilience of all critical ICT systems within their remit
- continually assess and identify cyber threats and vulnerabilities relevant to their organisation
- lead an active and developing Business Continuity function within the organisation
- proactively manage cybersecurity breach detection and reporting, and the toolkit used to protect the organisation
- maintain a backup/restore infrastructure, with supporting policies, for any data upon which the function of the financial entity relies and for the continuance of service to service users – elements concerning personal data will still be subject to GDPR
- learn lessons and implement substantive changes to minimise the potential for recurrence
- implement/maintain systems to report ICT-related operational and security incidents to the relevant competent authority within (to be) prescribed timescales
- implement/maintain systems and procedures for informing other entities within the supply chain and across the industry, as well as the public, of incidents and issues relating to the operation or security of the organisation in the event of a loss of service
Apart from, possibly, the final two bullet points, there is no “reinventing the wheel” involved. However, ICT service providers will need to understand their place within DORA, as there may be a requirement to appoint new teams to handle the additional elements of compliance required by the proposed legislation.
It will no longer be enough to assert that security, backup operations, policies and operations are “fine” – there will be a growing requirement for ICT providers to allow their services to be more deeply audited, along with the potential for punitive fines and – possibly – criminal repercussions.
Anecdotally, I have heard mention of fines equating to one per cent of daily global turnover for such breaches.
For a High Street newsagent? Not a huge fine.
For a financial institution trading and transacting €billions per day?