EU prepares for the Digital Operational Resilience Act, strengthening financial cybersecurity
The EU's Digital Operational Resilience Act, known as "DORA", was enacted as Regulation (EU) 2022/2554 and becomes applicable on 17 January 2025. It aims to strengthen the security of the network and information systems supporting the business processes of financial entities across the European Union, in particular against cyber-attacks and similar ICT-related threats.
We set out the latest updates on DORA below.
Joint ESA technical advice on DORA
On 29 September 2023, the European Supervisory Authorities (ESAs) issued a joint technical advice report responding to the European Commission's request for guidance on the new regime. The purpose of the technical advice is to assist the Commission in drafting the delegated acts on the criticality criteria for ICT third-party providers and on the oversight fees they will pay.
In summary:
- The report focuses on specifying the criteria for identifying critical ICT third-party service providers (CTPPs), typically outsourced service providers on which financial entities critically depend (such as cloud service providers), which will be subject, going forward, to oversight under DORA.
- The report determines the related fees that CTPPs will need to pay to their "Lead Overseer", which will be one of the ESAs (the EBA, ESMA or EIOPA), depending on the sector served by the provider.
- The report outlines a set of quantitative and qualitative indicators which the ESAs consider relevant for each criterion set out in DORA, including essential information for understanding and using these indicators. It also suggests minimum relevance thresholds for quantitative indicators, clarifying that these thresholds do not trigger so-called “criticality” but represent the minimum requirement for conducting a criticality assessment.
- The second part of the report outlines the types of expenses that oversight fees should include and provides guidance on the suitable method, basis, and available data for determining the relevant turnover of CTPPs, which serves as the foundation for fee calculation. It also details the fee calculation method and addresses practical matters related to fee payment. Additionally, the report includes a proposal for a financial contribution for voluntary opt-in requests.
The joint ESA technical advice can be found here.
European Commission guidelines – Interaction of NIS 2 and DORA
On 18 September 2023, the European Commission published guidelines on the relationship between Directive (EU) 2022/2555 (NIS 2) and existing and future sector-specific EU legal acts concerning cybersecurity risk management or incident reporting.
In effect, where a sector-specific Union legal act requires entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect to the NIS 2 requirements, the corresponding provisions of NIS 2 do not apply to those entities.
The guidelines clarify which sector-specific Union legal acts may be considered equivalent to NIS 2 for these purposes and specifically list only one legal act, DORA, as considered by the Commission to be equivalent. The Commission does make clear, however, that the fact that an act is not listed in the guidelines does not necessarily mean that the act is not equivalent to NIS 2.
In preparing these guidelines, the European Commission took into account observations from the NIS Cooperation Group and the European Union Agency for Cybersecurity (ENISA), as required by Article 4(3) of NIS 2.
NIS 2, which aims to raise the common level of cybersecurity across EU Member States, was published in the Official Journal on 27 December 2022. Member States must adopt and publish the national measures transposing NIS 2 by 17 October 2024 and apply them from 18 October 2024. Article 4 of the Directive governs the interaction with sector-specific Union legal acts; the guidelines clarify the application of Article 4(1) and (2).
Communication from the Commission can be found here and here.
Directive (EU) 2022/2555 (NIS2) can be found here.
ALFI webinar
On 9 October 2023, the Association of the Luxembourg Fund Industry (ALFI) hosted an exclusive webinar dedicated to the DORA implementation roadmap tailored for investment fund managers. This event offered ALFI members an opportunity to gain insights directly from the Commission de Surveillance du Secteur Financier (CSSF) and covered:
- An in-depth understanding of DORA and its implementation roadmap, specifically tailored to investment fund managers
- Practical insights offered by CSSF regarding the effective implementation of DORA within the investment fund industry
- DORA and the upcoming Level 2 measures (regulatory and implementing technical standards and delegated acts)
- Implementation steps for investment managers
- CSSF's points of attention
- CSSF's organisational approach with regard to supervision of DORA implementation
DORA as part of an ecosystem
DORA is part of the European Commission's Digital Finance Package, published on 24 September 2020, which aims to develop a European approach to digital finance that fosters technological development while ensuring financial stability and consumer protection.
More information on the Digital Finance Package can be found here.