Digital Operational Resilience

Cyber resilience is playing an increasingly important role, especially for (financial) companies. In its 2023 status report on IT security in Germany, the BSI explains, among other things, the continuing rise in cyber threats, which are at an unprecedented high [1]. One of the factors contributing to this is the professionalization of cybercrime.

However, cyber risks are not only on the rise in Germany, but also across Europe. Consequently, cyber resilience is also a focus for various supervisory authorities [2].

In order to increase cyber resilience in the EU and at individual financial companies, the regulation and an accompanying directive on digital operational resilience were developed and published, which will be binding in all member states from January 2025.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) aims to increase the digital resilience of companies in order to take account of the increasing importance of ICT systems. It is also intended to enable companies to react quickly to potential threats.

In terms of content, the European legal act deals with the management of increasing dependencies and interdependencies within the financial sector, but also with service providers and infrastructures. It is intended to focus more on ICT security and digital resilience as components of operational risk. As part of this, national requirements will be harmonized and the complexity of existing requirements reduced.

Impact analysis

To make it easier for you to get to grips with the topic, we have taken a closer look at the DORA regulation and the accompanying directive.
In doing so, we have looked at its addressees, potentially affected areas of a financial company, the conceivable implementation effort and the implementation period.
We also looked at the delegated acts that further detail DORA.

The DORA Regulation (EU) 2022/2554 sets out the substantive rules, which we will look at in more detail below.
The aim is to improve digital resilience both at the level of institutions and at the level of the financial system as a whole.

Focus in the context of information and communication technology (ICT)

  1. Risk management
  2. Threat and incident management
  3. Test management
  4. Crisis and emergency management
  5. Third-party risk management
  6. Information exchange

The DORA Directive (EU) 2022/2556 makes the necessary changes to the existing regulatory frameworks at EU level. The existing frameworks do not yet adequately address digital operational resilience and are therefore being expanded.

Content expansion of the following directives:

  1. UCITS Directive 2009/65/EC
  2. Solvency II Directive 2009/138/EC
  3. AIFM Directive 2011/61/EU
  4. CRD IV Directive 2013/36/EU
  5. Bank Recovery and Resolution Directive (BRRD) 2014/59/EU
  6. MiFID II Directive 2014/65/EU
  7. PSD2 Directive (EU) 2015/2366
  8. IORP II Directive (EU) 2016/2341

Addressees

  • Banks
  • Financial service providers
  • Securities institutions
  • Insurance companies
  • Pension funds
  • Asset management companies (KVGs)
  • Investment funds
  • ICT third-party service providers

Affected Areas

  • Risk management
  • Governance
  • Corporate management
  • Outsourcing management
  • Provider management
  • Strategy
  • Reporting
  • Information Security
  • Legal & Compliance
  • Process Management
  • IT Strategy & Governance
  • Emergency Management
  • Communication
  • Internal Audit
  • Test Management

Implementation Effort

Overall medium, provided that the minimum requirements for risk management and proper business organization, as well as the supervisory requirements for IT, are already being met.

Risk management: medium
Threat and incident management: medium to high
Test management: medium to high
Crisis and emergency management: medium to high
Third-party risk management: high
Exchange of information: low

Dates and times

Entry into force: 17.01.2023
Start of validity: 17.01.2025

As a regulation, the requirements will apply directly to financial companies and ICT service providers in Germany from January 2025. As part of the Financial Market Digitization Act [5], the directive will also be transposed into national law and will result in amendments to the German Banking Act (KWG), the German Insurance Supervision Act (VAG), the German Payment Services Supervision Act (ZAG), the German Investment Code (KAGB) and several other laws.

DORA addresses a wide range of topics and therefore affects many areas of a financial company. The group of institutions exempt from the regulation is also small.

2023 September

Criteria for the classification of critical ICT service providers within the meaning of Art. 31 DORA (Call for Advice to the ESAs).

2024 January

Publication of the first wave of RTS and ITS under DORA

  • ICT risk management framework and simplified risk management framework (Art. 15, 16 para. 3 DORA)
  • Classification of ICT-related incidents (Art. 18 para. 3 DORA)
  • Information register (Art. 28 para. 9 DORA)
  • Guideline on the procurement of critical / important ICT services (Art. 28 para. 10 DORA)

2024 July

Publication of the second wave of RTS and ITS under DORA

  • Determination of aggregated costs and losses for ICT-related incidents (Art. 11 para. 1 DORA)
  • Reporting of significant ICT-related incidents (Art. 20 lit. a), b) DORA)
  • Centralization of incident reporting (Art. 21 DORA)
  • Specification of threat-led penetration testing (Art. 26 para. 1 DORA)
  • Identification of critical / important ICT services (Art. 30 para. 5 DORA)

2025 January

Date of application of the Digital Operational Resilience Act (Regulation (EU) 2022/2554)

Bulletproofing Your Business

Use our checklist to see whether you already comply with the DORA requirements and to identify where you need to act before 2025.

In our checklist we present the requirements of DORA. It also includes an assessment of which requirements are already anchored in the same or a similar form in other regulatory requirements. Have we sparked your interest? Then take this opportunity to stay up to date on regulatory changes around IT security.
