The financial sector on the path to the DORA age

by Redaktion
Illustration: DORA - Digital Operational Resilience Act

In this article you will read,

  • what is behind DORA,
  • who is affected, and
  • how you as a financial company should react.

December 14, 2022 was DORA Day. On that day the European Parliament and the Council adopted Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). As usual, the EU legislators gave the companies concerned a transitional period for implementation: DORA formally entered into force on January 16, 2023, but it only applies from January 17, 2025. In other words, financial companies must be DORA-compliant by the beginning of 2025. And not just them: DORA also matters for the ICT service providers of financial companies, including cloud providers that deliver services to them.

Why DORA?

DORA is part of a larger package, namely the Digital Finance Package. With this initiative, the EU Commission aims to support the competitiveness of the European financial sector. Among other things, it aims to promote innovation, but also security and resilience.

1. Strengthening resilience and IT security
More and more financial companies are in the midst of a digital transformation, but digital services must remain available even when technical problems occur, and they must increasingly withstand cyber attacks. Financial service providers must therefore take precautions appropriate to the criticality of the services they offer. In supervisory terms: they must operate adequate ICT risk management. Article 5 of the DORA Regulation puts it this way: “Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 6(4), in order to achieve a high level of digital operational resilience.”

2. Transparency about third-party ICT service providers
Because these digital solutions are often provided in collaboration with ICT providers, DORA also specifically addresses these service partners and the business relationships of financial companies with them. This naturally includes cloud providers. DORA prescribes minimum contractual provisions that the financial company must obtain from the cloud service provider (Article 30), but specifying, monitoring and enforcing them remains the financial company's own responsibility.

In general, the management of ICT services, i.e., outsourcing, is regulated by, among others, Article 28 of DORA: “Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework as referred to in Article 6(1) ... financial entities that have entered into contractual arrangements for the use of ICT services to run their business operations shall, at all times, remain fully responsible for compliance with, and the discharge of, all obligations under this Regulation and applicable financial services law.” Article 28 also clearly states that financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. Where the contracted ICT services support critical or important functions, the financial entity must, before concluding the contract, take due consideration of whether the provider uses “the most up-to-date and highest quality information security standards”. In practice, the burden of proof thus lands on the provider: it has to be able to demonstrate those standards, for example through recognized certifications and attestations, before the financial company may sign.

3. EU-wide standardization of financial sector regulation
In addition to the requirements for IT security and the risk management of ICT partners, DORA also addresses a third point in passing. You need to know this: until now, the rules for assessing cyber risks in the European financial sector, and for IT risk management as a whole, have differed widely. Each country has its own national regulations; for banks alone, in Germany these have so far been in particular the IT Security Act and the BAIT (Bankaufsichtliche Anforderungen an die IT), in France the requirements of the ANSSI and the RGS (Référentiel Général de Sécurité), among others, while in Italy, Spain and the Netherlands the Banca d'Italia, the Comisión Nacional del Mercado de Valores and De Nederlandsche Bank, respectively, issue specific rules. With the introduction of DORA, this is now to be harmonized: specifically, BaFin in Germany intends to repeal the BAIT, among other things, when DORA becomes applicable in January 2025.

The harmonization also has a second aspect: DORA covers all sectors of financial services. In addition to banks and insurance companies, a number of other companies operate in this environment. For example, DORA also brings crypto-asset service providers, e-money institutions and credit rating agencies into the regulatory system. In this respect, too, DORA creates uniform standards across Europe.

The goals of DORA at a glance:

  • Strengthening the resilience of financial companies
  • EU-wide standardization of IT risk management for the entire financial sector
  • Transparency regarding third-party ICT service providers
 

Not all new, but important impetus for finance

In Germany, BaFin, as the supervisory authority, not only monitors financial companies, but also reserves the right to audit their ICT service providers. This was already permitted by the Financial Market Integrity Strengthening Act (FISG) of 2021. DORA now continues this practice on two levels: Article 30 requires contracts for ICT services supporting critical or important functions to grant the financial entity and its competent authority rights of access, inspection and audit, and Article 39 explicitly permits on-site inspections at the business premises of ICT third-party service providers, carried out by the Lead Overseer (one of the European Supervisory Authorities) for providers designated as critical under the EU-level oversight framework.

Many financial service providers are already well positioned for DORA, since the requirements of the regulation are not completely new but consolidate many existing rules. Ultimately, the regulation serves the companies themselves by ensuring that their business activities are not impaired by weaknesses in IT security management.

A DORA certificate or a DORA audit for ICT service providers does not yet exist, because the specific criteria of such an audit have not yet been defined. It is also foreseeable that BaFin will use a blacklist procedure: ICT service providers will not be positively certified (whitelisted) for their ability to support DORA, but will be disqualified if they fail to meet certain requirements. “We are in continuous contact with BaFin and follow developments so that we can set the course accordingly in advance of an official regulation,” explains Edgar Bernhard from the T-Systems compliance team.

Open Telekom Cloud already fulfills essential DORA requirements

Because DORA largely codifies requirements that already apply in German financial supervision, a rule of thumb can be stated: ICT service providers that already give compliant support to German financial companies today should also meet the European requirements of DORA. It will nevertheless be up to the ICT service providers to demonstrate that they enable their customers' DORA compliance. One of the sticking points will be the access and audit rights: the financial company must be able to have its competent authority, in Germany BaFin, inspect the premises of a cloud provider, including the data centers, and those of its subcontractors.

The Open Telekom Cloud has already mapped this requirement in its Financial Addendum. The Financial Addendum gives users of the Open Telekom Cloud full transparency about all subcontractors involved in providing the cloud services. This significantly reduces the workload for the financial company, which has to monitor and control the outsourcing.

The Open Telekom Cloud has also established processes for many other topics addressed by DORA, e.g., ICT risk management, management of ICT third-party risk, handling, classification and reporting of ICT-related incidents, testing of digital operational resilience including threat-led penetration testing (TLPT), monitoring frameworks for critical ICT third-party service providers, information-sharing arrangements, and cyber crisis and emergency exercises. The Open Telekom Cloud can support financial companies accordingly.

Further information on DORA can be found on the BaFin website.  
The original source text of the regulation is available on the EU website.

