26.04 2023

Impact of DORA Regulation on legal and IT departments

With the increasing digitalisation of the financial sector, more and more attention is being paid to the risks this involves. Recent incidents in Estonia (SEB, Luminor) and Sweden, and a few years earlier in Finland, have shown that incidents related to information and communication technology (ICT) are occurring more frequently. Market participants have probably already noticed that financial supervisors in Estonia and Finland have started to place more emphasis on the management of ICT risk. Qualitative requirements for ICT risk management are therefore becoming increasingly important.

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), which covers a large part of the financial sector, entered into force on 16 January 2023 and applies from 17 January 2025. A number of regulatory and implementing technical standards specifying its requirements in detail are expected before that date, so the precise obligations will only become fully clear over the coming months.

DORA aims to improve the digital operational resilience of the financial sector and to reduce ICT-related risk. Not all of its requirements are new: the objective of DORA is to harmonise the existing ICT risk requirements and update them as part of the operational risk rules that have so far been scattered across various pieces of EU legislation and non-binding ICT standards and guidelines. Previous requirements approached operational risk (including ICT risk) primarily from a quantitative perspective (capital), rather than through specific qualitative standards for protection, detection, containment, recovery and repair capabilities against ICT-related incidents, incident reporting or digital testing. DORA therefore aims to close these gaps and to harmonise the qualitative requirements for ICT risk management at EU level.

Who is subject to the Regulation?

The Regulation applies not only to credit institutions but also to a wide range of other financial sector market participants (with certain exceptions), e.g. payment institutions, e-money institutions, investment firms, crypto-asset service providers, insurance undertakings and intermediaries, management companies and managers of alternative investment funds, as well as to ICT third-party service providers. It is important to note that ICT third-party service providers designated as critical will themselves be brought under a direct EU-level oversight framework.

What are the main obligations arising from DORA?

Under DORA, financial entities in the EU must comply with requirements in five areas: ICT risk management, the classification and reporting of ICT-related incidents, digital operational resilience testing, management of ICT third-party risk, and information sharing between financial entities. Some more specific examples of the obligations DORA imposes:

  • allocation and periodic review of an appropriate budget to meet the financial entity’s digital operational resilience needs in respect of all types of resources, including ICT security awareness programmes, digital operational resilience training and ICT skills for all employees;
  • identification of ICT third-party service providers (and of the critical ones among them) and their registration in a register of information on all contractual arrangements;
  • review of contracts entered into with ICT third-party service providers – DORA sets out specific mandatory provisions for contracts between financial entities and ICT service providers;
  • assessment of the operational resilience of ICT third-party service providers (the subcontracting chain must also be taken into consideration) and, where necessary, implementation of appropriate risk mitigation measures;
  • for critical ICT third-party service providers, ensuring the security and resilience of their own ICT systems and services and cooperating with the financial entities they serve in managing operational resilience risk;
  • updating the documentation of the ICT risk management framework to ensure compliance with DORA (e.g. information security procedures, procurement policy, business continuity plan and related processes, disaster recovery plan, regular testing, etc.);
  • development of ICT security awareness programmes and provision of training for staff and management.

Under the Regulation, microenterprises and certain financial sector entities may apply a simplified ICT risk management framework.

As always, failure to comply with DORA may result in fines. Supervisory authorities also have the right to request information, carry out on-site inspections, demand the temporary or permanent cessation of any activity a competent authority deems to be in breach of the Regulation, and impose penalties on critical ICT third-party service providers that fail to comply with DORA.

Will DORA have an impact on your legal and IT department?

DORA will very likely affect both departments, since it aims to ensure the digital resilience, continuity and availability of ICT systems, in particular those supporting critical or important functions. Particular attention must also be paid to awareness, information sharing and cooperation within the company. Note that under DORA financial entities, with the exception of microenterprises and entities subject to the simplified ICT risk management framework, must either establish a role to monitor the arrangements concluded with ICT third-party service providers or designate a member of senior management responsible for overseeing the related risk exposure and the relevant documentation.

IT departments should review the DORA requirements, update the ICT risk management framework and conduct an ICT risk assessment covering all business-critical information systems, including those operated by critical ICT third-party service providers (or ask those providers to submit their own ICT risk assessment results), to obtain an up-to-date overview of ICT-related risk. The assessment should also take current cyber threats into account, i.e. how a real attacker would target the entity. DORA’s advanced testing requirement addresses this through threat-led penetration testing, commonly called ‘red teaming’: a test in which a team imitates the tactics, techniques and procedures of a real adversary against the organisation’s live production systems, to check whether its protection, detection and response capabilities work in practice and not only on paper. Such testing should follow the TIBER-EU framework, on which the DORA testing regime builds: TIBER-EU provides a controlled, bespoke and threat-intelligence-led red team test of the critical systems of financial sector companies. Its aims are to improve the protection, detection and response capabilities of the entities tested, to increase the digital resilience of the financial sector as a whole and to give public authorities assurance about the cyber resilience of the organisations under their responsibility. A red team test does not replace the risk assessment itself; it validates the assessment’s assumptions about which controls actually hold up against an attacker.

How can we help?

KPMG’s cross-disciplinary and cross-border teams help you navigate the maze of implementing the new requirements. We can carry out a detailed DORA gap analysis, highlighting the requirements arising from DORA and the current deficiencies in your business, and help to eliminate those deficiencies through ongoing regulatory advice and project management. We also help to develop advanced scenario-based testing capabilities for digital operational resilience, assist with the review of third-party service provider registers and subcontracting contracts, and support ICT risk assessments (including red team testing). We can also assist you in developing and conducting the ICT security awareness programmes and training for staff and management required under DORA.

Katri Remmelgas
Attorney / Banking and financial law
Advokaadibüroo KPMG Law OÜ

Ivar Anton
Cyber Security Expert / IT Auditor
KPMG Baltics OÜ

Raija Tuokko
Legal Adviser / Financial services
KPMG Law Nordic-Baltic Region
