The 20 basic principles of the European Digital Operational Resilience of the Financial Sector Act (DORA)

We offer our readers a synthesis of the 20 basic principles of the regulation of the Digital Operational Resilience of the financial sector established by Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022 (DORA) that financial entities must apply since January 17, 2025.

1st. Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (DORA) is a quantitatively voluminous (with 106 recitals and 64 articles occupying 79 pages of the DOUE) and qualitatively complex Act, employing novel regulatory techniques such as digital operational resilience testing.

2nd. DORA establishes uniform requirements related to the security of networks and information systems that support the business processes of financial entities in two areas:

a) The internal scope referring to the internal or reflective requirements that are applicable to the financial entities themselves in relation to risk management in the field of information and communication technologies (ICT)

b) The external scope, referring to the external or transitive requirements that are applicable to financial entities in relation to ICT third-party service providers and competent authorities.

3rd. DORA -which by its very nature as an EU Regulation will be mandatory in all its elements and directly binding in each Member State- will be applicable from January 17, 2025.

4th. DORA is inserted in the European Digital Finance Package that includes a set of «measures to promote and support the potential of digital finance in terms of innovation and competition, while mitigating the risks derived from it» and that covers Proposal for a Regulation on the crypto-asset markets (MiCA), the Regulation (EU) 2022/858 on a pilot regime on the market infrastructure of distributed ledger technology (DLT), etc.

5th. DORA completes the financial entities’ risk management system -until now based exclusively on capital- adding rules for protection, detection, containment, recovery and repair capabilities against ICT-related incidents.

6th. DORA will operate as a supplementary standard in two ways:

a) In a generic way, because it will be applied without prejudice to the responsibility of the Member States with regard to the essential functions of the State that affect public security, defence and national security in accordance with Union Law

b) Specifically, because it will operate in a coordinated manner and as an additional system to the specific regulations of the financial entities to which it is applicable.

7th. DORA will be applied in accordance with the principle of proportionality, because financial entities will apply its rules taking into account their size and general risk profile, as well as the nature, scale and complexity of their services, activities and operations.

8th. The economic context in which DORA operates is the information and communication technologies (ICT), which is delimited by reference to objective (ICT assets), functional (ICT services) and subjective (ICT service providers) manifestations.

9th. DORA’s structure is integrated by its subjective and objective elements. As regards its subjective elements, as its name indicates, the scope of Regulation (EU) 2022/2554 (DORA) is the financial sector, which means that the subjects subject to its provisions are financial entities, differentiating between those included and those excluded.

10th. Based on the criteria of the financial market sector in which they preferentially operate, we can distinguish four classes of financial entities to which the DORA will be applied:

a) Banking market entities (eg credit institutions).

b) Securities market entities (eg investment firms).

c) Insurance market entities (eg insurance and reinsurance undertakings).

d) Entities that operate across the three sectors of the financial market (eg credit rating agencies).

11th. The objective elements that make up DORA’s structure are:

a) Risk. DORA offers a set of definitions of relevant risks in the digital finance sector, such as endogenous or exogenous ICT-related risk (derived from third parties), IT concentration risk and the cyberthreat.

b) Incident. DORA offers a set of definitions of relevant incidents in the digital finance sector which, depending on their severity and their relationship with payments, can be classified into the following categories: Common ICT-related incidents that they can be normal or serious and operational or security incidents related to payments that can also be normal or serious. In addition, in this current or accident phase we can include cyberattacks.

c) Digital operational resilience understood as the defining property of the system designed by DORA and its legal concept is “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions”.

12th. The functioning of the digital operational resilience (DOR) system designed by DORA operates in a triphasic sequence that starts with digital operational risk management, continues with the prevention of incidents through resilience and ends with the solution of incidents that will undoubtedly occur, despite the preventive measures that are adopted.

13th. In the first phase of digital operational risk management, financial entities must have established a global risk management system, which will include the digital operational risk (DOR,) management subsystem, which is based on a basic document, the ICT-related risk management framework that must meet the quality requirements demanded by the DORA and be efficiently managed by the management body of the financial entity. This requires financial entities to adopt the following measures:

a) The establishment of an ICT-related digital operational risk management framework that meets the requirements of quality (adequacy, reliability, capacity and resilience) and quantity or content (strategies, policies, procedures, and protocols and tools).

b) The governance and control of the internal management framework of the DOR by the management body of the financial entity.

c) The implementation of the DOR management framework through a process consisting of the following phases: protection and prevention, detection of anomalous activities, response and recovery, learning and evolution, and communication.

14th. The second phase of prevention of digital operational incidents rests on digital operational resilience tests according threat-led penetration testing (TLPT) that must be adjusted to test programs that must meet two types of requirements:

a) Objective requirements of normal and advanced tests.

b) Subjective requirements of external and internal testers.

15th. The third phase of the solution of digital operational incidents is ordered in the following activities that financial institutions must carry out:

a) Detection of digital operational incidents.

b) Classification of digital operational incidents and cyber threats.

c) Notification of digital operational incidents and cyberthreats to the competent authorities with a different scope: Mandatory notification of serious ICT-related incidents and voluntary notification of major cyberthreats

16th. DORA pays special attention to the management by financial entities of exogenous digital operational risk derived from third parties, establishing its fundamental principles (responsibility and proportionality) and its expression in the contracts that financial institutions enter into with third-party providers of ICT services that are projected in the pre-contractual, contractual and post-contractual phases or termination of the obligational relationship.

17th. ICT-related risk management system established by DORA ends with its public supervision and the eventual sanction of its infringements by financial entities.

18th. Supervision of the ICT-related risk management system established by DORA can be of two types: First, private supervision by the financial entities themselves or self-supervision.

19th. Public supervision by the competent authorities is organized at three levels: European Supervisory Authorities, through the Mixed Committee, Supervisory Forum and Designated Supervisor for each essential third-party provider of ICT services who will be assigned the tasks and powers of request, information and inspection, over supervised entities located inside and outside the EU.

20th. Sanctioning regime established by DORA rests on a legal relationship of administrative responsibility that is developed in the following three phases:

a) Supervision, because the competent authorities will have all the powers of supervision, investigation and sanction necessary to comply with their obligations.

b) Infringement, because the Member States of the EU must establish rules that provide for administrative sanctions and adequate corrective measures in case of infringement of the DORA and will guarantee its effective application.

c) Sanction, because the Member States of the EU must grant the competent authorities the power to apply administrative sanctions or corrective measures in case of infringement of the DORA to guarantee that financial institutions continue to comply with legal requirements.