One of the most talked about topics currently in legal, financial services and cyber security circles is on the implementation of DORA, or to give it its formal name the Regulation on digital operational resilience for the financial sector.
As a regulatory framework, DORA includes two legislative initiatives:
DORA entered into force on 16 January 2023 and applies from 17 January 2025. DORA has at its heart a recognition that financial systems across the EU are part of each country’s critical national infrastructure. There’s a recognition that many financial services organisations are reliant on a few key services providers and that an incident compromising one of those providers could have a significant effect on financial services across the EU.
DORA has caused a lot of concern in the financial services, technology and cyber security communities, but is it as worrying as it first seems?
Operational resilience is the ability of firms and the financial sector to prevent, adapt, respond to, recover from, and learn from operational disruptions. It goes beyond business continuity and disaster recovery and is a strategic priority for regulators across the globe.
Whilst DORA is an EU measure, operational resilience is on the agenda for UK financial firms too. Operational resilience requirements in the UK were introduced on 31 March 2022 – there’s a bit more on the UK regime below too.
On 24 September 2020 the European Commission published proposals for DORA. These proposals were part of the Commission’s digital finance package.
DORA is designed to consolidate and upgrade Information Communication Technologies (ICT) risk requirements throughout the EU financial services sector to ensure that a very wide range of participants in the sector are subject to a common set of standards to mitigate ICT risks.
This includes cyber security risks. Given its concentration on supply chain resilience however, it will have an impact much wider than financial services.
Specifically, DORA establishes requirements for:
In addition, as we have said DORA extends its reach beyond the financial services sector and introduces an EU oversight framework for critical ICT providers such as cloud service providers.
It is important to remember that the main DORA Regulation is binding legislation that is directly applicable in Member States after its entry into force. The DORA Directive will need to be transposed into each Members States’ national law.
In DORA, ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.
DORA applies to ‘financial entities’. There is a wide definition of financial entitles in DORA but that will include:
There are some financial providers who are excluded from the scope of DORA including some managers of alternative investment funds and some insurers and reinsurers. EU Member States can also exclude other entities from the scope of DORA.
ICT service providers may be designated as ‘critical’ for the purposes of DORA on the basis of a set of quantitative and qualitative criteria – there’s more details below.
Financial entities are required to have in place, under the ultimate responsibility of their management bodies, a comprehensive internal governance and control framework that ensures an effective and prudent management of ICT risk and achieves a high level of digital operational resilience.
Members of the management body are required to actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on operations of the financial entity, commensurate to the ICT risk being managed.
This is likely to require increased involvement of people with ICT risk knowledge on the board and in senior management. DORA and equivalent legislation elsewhere has already seen a significant recruitment drive as a result. For example, according to an EY survey in August 2023 61% of US public companies are looking for cyber security skills for their board.
There must be a sound, comprehensive and well-documented ICT risk management framework which enables financial entities to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience and minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools.
There may need to be structural change too – there should be appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.
DORA is also not a ‘one and done’ process – the ICT risk management framework must be documented and reviewed at least once a year (with limited exceptions).
In addition the framework should be reviewed following every major ICT-related incident, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. The framework must be continuously improved on the basis of lessons learned from implementation and monitoring.
Among other things the framework must include the risk tolerance level for ICT risk and the impact tolerance for ICT-related events, and outline a communications strategy for ICT-related incidents.
ICT systems, protocols and tools must be appropriate to the level of operations being carried on, reliable, equipped with sufficient data processing capacity, and technologically resilient so as to adequately deal with additional information processing needs under stressed market conditions or other adverse situations.
Financial entities are required to identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. They must, on a continuous basis, identify all sources of ICT risk and, at least yearly, review the risk scenarios impacting them.
Financial entities must identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and map those considered critical. In addition, they must identify and document all processes that are dependent on ICT third-party service providers, and identify interconnections with ICT third-party service providers.
Whilst this is not the same process as compiling a record of processing activity (RoPA) under GDPR, financial entities who have already done a RoPA might find that a useful place to start.
Financial entities are required to continuously monitor and control the security and functioning of ICT systems and tools and deploy appropriate ICT security tools, policies and procedures with the aim of ensuring the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and maintaining high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.
This includes implementing policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establishing to that end a set of policies, procedures and controls that address access rights and ensure sound administration of those rights.
Again, those organisations that have made efforts to ensure GDPR compliance will be in good shape. They should be able to adapt the policies and procedures they already have in place to deal with data breaches under GDPR.
Financial entities are required to have mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure. This is likely to be a series of technical and organisational measures. Detection software will be part of this but software alone won’t solve the problem. Organisations will need to provide the resources to act on alerts, triage the appropriate response and deal with any issues quickly.
Financial entities must put in place and implement a comprehensive ICT business continuity policy, and associated ICT response and recovery plans and ICT business continuity plans.
As part of the overall business continuity policy, financial entities must conduct a detailed business impact analysis (BIA) of their exposures to severe business disruptions, taking into account the criticality of identified and mapped business functions, support processes, third-party dependencies and information assets, and their interdependencies.
ICT assets and ICT services must be designed and used in full alignment with the BIA, in particular with regard to adequately ensuring the redundancy of all critical components.
Financial entities are required to test their ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly. Rehearsing an incident, for example by conducting a Punter Southall Law Data Breach Academy might help meet these DORA obligations. Our team has experience of guiding organisations through realistic simulated events which will help meet these new DORA obligations.
Financial entities (again with some exceptions) must have a crisis management plan and there will need to be clear procedures to manage crisis communications. Again, those organisations who have a data breach plan in place to meet their GDPR requirements, are likely to be able to adapt that plan to meet their DORA obligations.
Financial entities are required to develop and document backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data, and restoration and recovery procedures and methods.
Financial entities, other than microenterprises, must maintain redundant ICT capacities equipped with resources, capabilities and functions that are adequate to ensure business needs.
We have seen that many ransomware attacks target back up systems too so organisations will need to check that their back up systems are robust and properly defended. Organisations will need to make sure that they can quickly restore from back up too.
A growing trend has been the obligation on financial services providers to do horizon scanning to look at the threats that they face. A particularly good example has been the Bank of England’s CBEST program which has been in place since 2014.
Under DORA, financial entities must gather information on vulnerabilities and cyber threats and analyse the impact they might have on their digital operational resilience. If there is an incident, financial entities will have to have a post-mortem to see the lessons learned. They will also have to develop security awareness programs and digital operational resilience training.
Once again having a good GDPR program in place is likely to help here.
Financial entities must establish crisis communication plans enabling a responsible disclosure of major ICT-related incidents or vulnerabilities to clients and counterparts and the public, and communication policies for internal staff and for external stakeholders.
Again, this will require careful thought. Often a knee-jerk reaction with communications people unfamiliar with this space is to blame any incident on a nation state. This might be untrue (or at least hard to prove) and could invalidate an organisation’s insurance coverage.
DORA provides for:
The reporting and notification requirements also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions.
DORA specifies the assessments, tests, methodologies, practices and tools to be applied in digital operational resilience testing, including advanced testing of ICT tools, systems and processes based on TLPT (threat-led penetration testing which mimic the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat).
Financial entities that have in place contractual arrangements for the use of ICT services to run their business operations remain fully responsible for compliance with, and the discharge of, all obligations under DORA and applicable financial services law. DORA specifies the minimum provisions that must be included.
Financial entities must adopt and regularly review a strategy on ICT third-party risk which includes a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
They must also maintain a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.
A finance entity’s pre-contractual risk assessment must include an assessment of ICT concentration risk.
Exit strategies must be put in place for ICT services supporting critical or important functions, taking into account risks that may emerge at the level of ICT third-party service providers.
It must be possible to exit contractual arrangements without disruption to business activities, limiting compliance with regulatory requirements or detriment to the continuity and quality of services provided to clients.
Again, this is a difficult area. We have had a number of recent incidents where ICT third party service providers have experienced difficulties which have had effects across the system.
For example, in the UK in 2023, Capita suffered an incident which was likely caused by a ransomware gang and included the exfiltration of data from its servers. Complaints were made by some customers that they were struggling to get information from Capita and regulators became concerned.
On 12 May 2023, the UK Pensions Regulator issued a statement on the Capita incident reminding pension trustees of their responsibilities to secure members’ data.
Trustees were told to continue communications with Capita and to be prepared to answer questions from pension fund members. They were also reminded of the need to possibly notify the Pensions Regulator and the Information Commissioner’s Office. The Pensions Regulator also did not rule out the possibility of further investigations saying “We may engage with you further to understand the steps you have taken and what progress you have made”.
There is a formula in DORA for working out which supervisory authority will be the Lead Overseer in each case. The Lead Overseer for each critical ICT service provider shall be the European Supervisory Authority (ESA) that is responsible for the financial entities having together the largest share of total assets out of the value of total assets of all financial entities using the services of the critical ICT service provider.
The Lead Overseer is required to assess whether the critical ICT service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities, focusing mainly on ICT services supporting the critical or important functions of financial entities, and then to adopt an oversight plan.
The Lead Overseer has power to:
National competent authorities (NCAs) are required to inform the relevant financial entities of the risks identified in the Lead Overseer’s recommendations, and financial entities are required to take these risks into account when managing ICT third-party risk.
Possibly. On 12 March 2024 the European Parliament approved the Cyber Resilience Act (the CRA). This Act aims at ensuring a high level of cybersecurity of hardware and software that is placed on the EU market, as well as setting cybersecurity conditions for users when using the products.
The primary targets of the CRA are manufacturers (including developers) that are placing on the market products with digital elements (PDEs) whose intended or reasonably foreseeable use includes a connection to a device or network. These products are defined rather broadly and include both hardware and software products. In principle, products with digital elements placed on the market by financial services firms would be included.
Yes. Members States will be responsible for establishing the penalties and remedial measures under DORA, which can apply to both natural and legal persons. Additionally, Member States can apply the penalties or remedial measures of a legal entity to members of its management body and other responsible individuals. Member States may also choose to establish criminal penalties for breaches of DORA.
It is important to remember that whilst DORA does not apply to the UK financial services sector (save for those UK entities that are also subject to the EU regime), operational resilience is a key priority for UK regulators too.
In many respects the UK regime is similar with the following key elements:
Yes. For example, there was an FCA and PRA fine for TSB in December 2022 of £48.65m.
This related to operational risk management and governance failures including management of outsourcing risks relating to the bank’s IT upgrade program. Technical failures in TSB’s IT systems resulted in customers being unable to access banking services. TSB also paid £32.7m in redress to customers. It received a 30% discount for agreeing a resolution otherwise this would have been a £69.6m penalty. TSB’s CIO Carlos Abarca was also fined personally.
Financial services firms are required to have in place sound, effective and comprehensive strategies, processes and systems that enable them adequately to comply with the applicable operational resilience requirements.
Clearly, any organisation that is in the DORA regime, or provides services to those that are, will need to consider what it can do to meet its responsibilities under DORA. Whilst existing risk management and GDPR systems and processes can help this is likely to be a significant project for most and will include:
For more information, please contact our specialists at Punter Southall Law.
Partner
Jonathan is an experienced lawyer based in London with a concentration on compliance & technology. He is also a Professor at Fordham Law School teaching a new post-graduate course on international compliance.
Jonathan’s professional practice includes advising multinational companies on risk and compliance across Europe. Jonathan gives legal and compliance advice to household name corporations on:
Jonathan has handled legal matters in more than 60 countries covering a wide range of compliance issues. He made one of the first GDPR data breach reports on behalf of a lawyer who had compromised sensitive personal data and he has been particularly active in advising clients on their response to GDPR. He has conducted a wide range of investigations of various shapes and sizes (some as a result of whistleblowers), worked on data breaches (including major ransomware attacks), a request to appear before a UK Parliamentary enquiry, UK Bribery Act 2010, slavery, ESG & supply chain issues, helped businesses move sales online or enter new markets and managed ethics & compliance code implementation. Clients include Fortune 250 organisations & household names in manufacturing, technology, healthcare, luxury goods, automotive, construction & financial services. Jonathan is also regarded as an acknowledged expert in AI and he currently serves on the New York State Bar Association’s AI Task Force looking at the impact of AI on law and regulation. Jonathan also sits on the Law Society AI Group.
Jonathan is a co-author of LexisNexis’ definitive work on technology law, “Managing Risk: Technology & Communications”. He is a frequent broadcaster for the BBC and appeared on BBC News 24 as the studio guest on the Walport Review. He is also a regular contributor to the Everything Compliance & Life with GDPR podcasts. In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing. He has spoken at conferences in the US, Japan, Canada, China, Brazil, Singapore, Vietnam, Mexico, the Middle East & across Europe.
Jonathan qualified as a lawyer in the UK in 1991 and has focused on technology and risk and governance matters for more than 25 years. He is regarded as a leading expert in compliance matters. Jonathan has been selected as one of the Thomson Reuters stand-out lawyers for 2024 – an honour bestowed on him every year since the survey began. In April 2017 Thomson Reuters listed Jonathan as the 6th most influential figure in risk, compliance and fintech in the UK. In 2016 Jonathan was ranked as the 14th most influential figure in data security worldwide by Onalytica. In 2019 Jonathan was the recipient of a Security Serious Unsung Heroes Award for his work in Information Security. Jonathan is listed as a Super Lawyer and has been listed in Legal Experts from 2002 to date.
Jonathan is the former trustee of a children’s music charity and the longstanding Co-Chair of the New York State Bar Association’s Rapid Response Taskforce which has led the response to world events in a number of countries including Afghanistan, France, Pakistan, Poland & Ukraine.
Some of Jonathan’s recent projects (including projects he worked on prior to joining Punter Southall) are:
Partner
Lilian specialises in advising clients in financial services on a wide range of issues including assisting with internal and FCA enforcement investigations, the implementation of regulatory change projects such as the Consumer Duty, managing remediation programmes, advising on compliance with the Conduct Rules and SM&CR requirements, FCA notification obligations and responding to supervisory enquires. Lilian acts for a broad range of clients from individuals and whistleblowers to financial institutions including retail banks, asset managers, brokers, commodity trading houses and alternative investment managers.
Lilian has previously held senior roles at the FCA, in-house at a global investment bank where she was responsible for managing a number of high-profile regulatory enforcement and internal investigations across the EMEA region and was Of Counsel at Simmons & Simmons.
Lilian is a member of the Executive Committee of the Financial Services Lawyers Association and Chair of the Equality, Diversity and Inclusion Committee.
Lilian advises on a range of regulatory compliance issues including AML and financial crime systems and controls, competition, corporate governance, conduct risk issues, remuneration rules and supervisory processes including skilled person reviews, remediation programmes, regulatory notifications and perimeter advice (whether activities fall within the FCA’s regulatory perimeter). Lilian also advises firms and individuals on how to navigate data protection issues including bringing and/or responding to a Data Subject Access request and how to mitigate the risks of data breaches.
Lilian advises on a range of contentious regulatory issues including how to manage contentious regulatory enquires and early intervention mechanisms (including section 165 FSMA information requirements, skilled person reviews, solvency issues and VREQs), conducting and advising on internal investigations, whistleblowing issues and defending regulatory enforcement investigations. Lilian advises on fitness and propriety issues and the assessment of conduct rule breaches, regulatory notification obligations and regulatory references. Lilian also assists clients with other professional discipline matters including investigations by the SRA, ICAEW and the Insolvency Service.
“Ever since our first conversation Lillian has always been very clear, calm and above all practical. Were it not for Lillian I would not have been able to continue working as the legal issues would have overwhelmed me. I am extremely grateful for all her help and recommend her unreservedly”. – Portfolio Manager, Investment Manager
“I’ve worked with Lilian for almost 10 years and am consistently impressed with her. Lilian is super responsive, friendly, professional and highly knowledgeable within the FS sector. Lilian can take extremely complex legal matters and break it down into lay terms, which can then be easily understood and digested within the business. I’ve dealt with numerous alternative attorneys in the past and they do not compare to the service level provided by Lilian.” – Head of Human Resources, Alternative Asset Manager
“Lilian is a highly skilled regulatory lawyer who has excellent client relationship skills and has a pragmatic and commercial approach to issues. Having been instructed on short notice to assist on an ongoing project she impressed the whole team with her approach and input. Her support was invaluable”. – Head of Regulatory Legal, Retail Bank
“I am incredibly grateful for the outstanding and always fast service provided by Lilian. Her unparalleled knowledge, practical approach and unwavering dedication have been instrumental in navigating complex regulatory matters with ease. I wholeheartedly recommend her to anyone seeking top-tier legal counsel in the UK financial services industry”. – Founder, Alternative Investment Fund
“I have had the opportunity to work with Lilian for a number of years. Her insights and guidance are always well balanced, she is extremely responsive, highly knowledgeable and most importantly a pleasure to partner and work with.” – Head of Human Resources EMEA, Global Asset Manager
Consultant
John Grayston is an experienced lawyer specialising in European law with a specific reputation and practice in the areas of European trade and customs law including export control and sanctions.
John represents and advises clients on trade and customs compliance across Europe as well as representing clients in court proceedings before national courts and the European Courts of Justice.
Based in Brussels, John qualified as a solicitor but also practices as a Belgian avocat.
John serves as Honorary European Legal Counsel to the International Compliance Professionals Association (ICPA).
Everything Compliance: Jonathan Armstrong on HP and their decision to continue proceedings against the Estate of Mike Lynch
In this episode of the Everything Compliance Podcast, the panel, including Jonathan Armstrong of Punter Southall Law, dives into HP and their decision to continue proceedings against the Estate of...
2 Min Read
Read More Everything Compliance: Jonathan Armstrong on HP and their decision to continue proceedings against the Estate of Mike LynchThe EU’s NIS2 Directive
What’s this all about? NIS2 is about cybersecurity. The NIS2 Directive entered into force on 16 January 2023. The deadline for Member States to transpose this into national law is...
9 Min Read
Read More The EU’s NIS2 DirectiveMastering NIS2 Live Webinar: Jonathan Armstrong speaking on cybersecurity
LIVE WEBINAR – WEDNESDAY, 18th SEPTEMBER 2024 @ 11 AM BST / 12 PM CEST Winning Cybersecurity Strategies for Today’s Threats Organisations today face unprecedented challenges, from a surge in...
2 Min Read
Read More Mastering NIS2 Live Webinar: Jonathan Armstrong speaking on cybersecurity
