Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”) and Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022 (the “Amending Directive”), came into force yesterday 16 January 2023 and will become applicable on 17 January 2025.
Forming part of the EU’s digital finance package, DORA aims to consolidate and upgrade ICT risk management requirements of financial entities falling within scope of this regulation. These financial entities include, credit institutions, payment institutions, electronic money institutions, investment firms, AIFMs and insurance and re-insurance undertakings (together, the “Financial Entities”). DORA is also applicable to ICT third–party service providers.
In broad terms, DORA sets out six pillars which are applicable to Financial Entities and in certain situations, their appointed ICT third-party service providers. These pillars are:
- ICT risk management;
- reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
- reporting of major operational or security payment-related incidents to the competent authorities by certain Financial Entities;
- digital operational resilience testing;
- information and intelligence sharing in relation to cyber threats and vulnerabilities; and
- measures for the sound management of ICT third-party risk.
DORA also regulates the contents of contractual arrangements concluded between Financial Entities and ICT third-party service providers and the establishment and conduct of the Oversight Framework for critical ICT third-party service providers.
The intention behind the Amending Directive is to amend sector specific EU directives, such as Directive 2013/36/EU (CRD), Directive 2014/65/EU (MiFID II) and Directive 2009/138/EC (Solvency II), in order to bring these directives in line with DORA.
Financial Entities are currently subject to industry specific ICT risk management rules and guidelines, such as the MFSA’s Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements dated 11 December 2020. However, following the introduction of DORA, it is pertinent that Financial Entities undertake a holistic exercise to comply with the requirements set out therein during the next two years. These requirements include, where applicable, the establishment of a role to monitor the arrangements concluded with ICT third-party service providers, designating a member of senior management to be responsible for overseeing ICT risk, ensuring that the relevant controls, policies and procedures relating to ICT risk management are in place and their contractual arrangements with ICT third-party service providers are in line with DORA.
Should you have any queries or require any further information on DORA or the Amending Directive, kindly get in touch with Andrew Caruana Scicluna (firstname.lastname@example.org), Alexia Valenzia (alexia.valenzia@camilleripreziosi) and Kyle Debattista (email@example.com