January.09.2023
On 10 November 2022, the European Parliament approved two significant pieces of cybersecurity legislation: the revised Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA).
Whilst the object of NIS2 is to impose requirements for additional security and reporting measures on a larger share of the EU economy, DORA focuses on the financial services sector. A key aspect of both pieces of legislation is that they bring a far greater number of entities under the supervision of sector-specific authorities in respect of cybersecurity requirements.
DORA applies to a broad range of financial entities, including credit institutions, investment firms, (re)insurance undertakings, and electronic money institutions. It also extends to ‘critical ICT third-party service providers’, including cloud service providers that support financial organisations.
Some aspects of DORA’s requirements may be familiar to a sector already subject to onerous regulatory regimes. However, consistent with the general direction of cybersecurity and data protection regulation, DORA places greater emphasis on documenting technical and security measures, and on managing the risk introduced by ICT third-party providers.
Under DORA, firms will be required to monitor and log ICT-related incidents and to report major incidents to the relevant financial regulator. Additional focus is placed on root cause analysis and incident containment, and on documenting the incident as it unfolds rather than only after the fact.
The potential penalties associated with DORA can be significant and, unlike those under GDPR or NIS2, are designed to encourage compliance by accruing daily. Critical ICT third-party service providers found non-compliant by their Lead Overseer may be subject to a periodic penalty payment of 1% of their average daily worldwide turnover in the preceding business year, for up to six months, until compliance is achieved; penalties for financial entities themselves are set by each Member State. It remains unclear how compliance will be judged to be ‘achieved’, and it will be interesting to see how this penalty regime sits alongside the contractual standards the sector already answers to, such as PCI DSS.
The supervisory body may also issue cease-and-desist orders, termination notices, additional pecuniary measures, and public notices.
At this stage, it is not clear whether the UK will attempt to mirror the legislation adopted by the EU. However, whilst purely domestic UK businesses may fall outside the scope of DORA, those that operate internationally through EU entities or branches will be within it. As with other cybersecurity regulations, DORA sets out critical requirements that organisations should adhere to in order to maintain good cyber hygiene, particularly in a sector that is regularly targeted by cyber criminals. HM Treasury has released proposals for regulating critical third parties to the finance sector (such as cloud and other ICT providers on which financial institutions depend); however, the progress of these proposals depends on the passage of the Financial Services and Markets Bill currently going through Parliament.
Organisations need to be clear whether either (or both) of NIS2 and DORA apply to their commercial operations. Those that fall within both regimes should plan for the multiple reporting obligations that will be triggered in the event of a cybersecurity incident. This multiplicity of reporting requirements should be worked through before an incident occurs, so that the firm does not fall foul of one or more of the regimes at a time of crisis.
Financial service providers will already have a number of information security measures in place that align with the requirements under DORA. Organisations should see these new pieces of legislation as opportunities to perform gap assessments, identifying those areas where they may not comply with the new regimes. For some organisations, this may result in a positive reminder that their cybersecurity practices are in strong shape; for others, there may be further considerations and adaptations required to bolster their cyber resilience.
The Orrick Cyber and Financial Regulatory teams regularly advise clients in the financial services and fintech sectors on their cybersecurity programs and help to ensure they have addressed critical cyber preparedness requirements.