Quo vadis, financial sector? DORA comes into effect

The Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (DORA) is a significant milestone in the regulation of the digital resilience of financial entities within the European Union (EU). With the DORA coming into force on January 17, 2025, companies in the finance and insurance industry are facing extensive obligations and challenges in ensuring their digital operational resilience.

The evaluation of the DORA maturity test conducted by the Annerton law firm within the industry shows that the financial companies affected by DORA and their ICT service providers do not yet feel ready for DORA: they assess their own degree of maturity as advanced, but not yet fully in line with the requirements.

What does the entry into force of DORA mean?

The enactment of DORA marks fundamental changes for the compliance and risk management processes of the affected financial institutions and their third-party ICT service providers. The financial institutions are required, among other things, to take the following measures:

1. Stronger requirements for operational resilience

  • Robust security measures: Financial entities are required to implement robust IT systems and processes to effectively withstand cyberattacks and other technological risks.
  • Systematic risk assessment: Financial organizations must regularly analyze, assess, and address the risks in their IT infrastructure.
  • Regular tests: The performance of regular tests (e.g. penetration tests) to identify vulnerabilities is mandatory.

2. Greater compliance effort

  • Establishing new governance structures: Companies must define clear responsibilities and introduce comprehensive guidelines for ICT risk management. New functions and roles must be defined. Senior management will be held more accountable for the ICT risks of the company.
  • Detailed documentation: Adherence to DORA requirements demands much more comprehensive documentation of IT processes, tests and measures than before. A great deal of effort is required to update internal guidelines and process descriptions and to implement any new documentation that may be needed to comply with DORA requirements.
  • New classification of ICT incidents: DORA brings with it new requirements for the classification of ICT incidents. The reporting requirements in the event of serious ICT incidents have been expanded, harmonized and clarified.

3. Management of ICT third-party risk

  • Contractual requirements: Financial entities must adapt and expand their contracts with ICT third-party providers in order to meet the DORA requirements. This should enable them to manage and control the risks associated with engaging third parties better than before. The new classification of ICT purchases and ICT outsourcing as “ICT services” and the criticality assessment of those ICT services are among the many challenges in this process.
  • Stricter requirements for ICT service providers: Financial entities that use ICT services from third-party providers supporting critical/important functions must ensure that they also meet DORA’s ICT requirements and, in particular, that they have their own risk management systems in place to maintain digital resilience and to manage and control their sub-outsourcing.
  • Higher transparency: Providers categorized as critical ICT service providers will be subject to increased supervision in the future, which should also make the dependency of ICT service providers within the financial sector visible.

DORA contains many other requirements for internal ICT governance, ICT risk management, dealing with ICT security incidents, ensuring digital operational stability, and monitoring and managing risks when outsourcing to and procuring from third-party ICT providers.

Is the finance industry ready for DORA?

After its adoption on December 14, 2022 and entry into force on January 17, 2023, a transitional period was granted for DORA to give affected companies sufficient time to prepare and implement the requirements. This transitional period now ends on January 17, 2025, and the DORA requirements must be fully implemented and enforced by that date.

The financial industry has not yet fully succeeded in implementing DORA. There are still many uncertainties, and the lack of supervisory practice is apparently leading to misinterpretations and very conservative interpretations of the DORA requirements. This concerns, for example, whether services purchased from ICT third-party providers are to be classified as ICT services within the meaning of DORA, and whether those providers are to be treated as ICT service providers of supervised financial companies.

Over the last six months, the Annerton law firm has surveyed the financial sector on its DORA implementation and evaluated the DORA maturity of the financial companies and ICT service providers that took part in the survey by means of a self-test. The test is available at www.annerton.com/en/dora.

The evaluation of the self-test shows that the financial companies assess themselves as only about 60% DORA-compliant and see gaps particularly in the area of ICT risk management. The financial companies also see even larger gaps in the operational resilience of their operating systems.

There is a great deal of uncertainty among ICT service providers who support financial companies with their services, particularly in the areas of contracts and sub-outsourcing. Overall, financial companies rate their DORA compliance lower than ICT service providers do. According to the survey, around 70% of ICT service providers feel they are DORA-compliant.

It is interesting to note that the financial companies feel more secure and assess their DORA compliance more highly as the deadline of January 17, 2025 approaches. The ICT service providers, by contrast, were more confident of their DORA maturity six months ago, and their self-assessment of their DORA compliance is declining as January 17, 2025 approaches. The trend among financial companies is therefore moving towards full DORA maturity, while the trend among ICT service providers is declining. Apparently, ICT service providers are only now fully realizing the implications of DORA and have therefore revised their self-assessment downwards. This trend is likely due to the fact that financial companies are increasingly putting pressure on their ICT service providers to prove their DORA compliance and to document it in the corresponding contracts.

Of course, the self-assessment of DORA maturity varies greatly within the financial industry, as financial companies have different starting points in terms of their digital operational resilience. The assessment depends on the size, the available ICT resources and the previous experience with regulatory requirements. Large banks, payment institutions and insurers with extensive IT infrastructure and existing ICT risk management often see themselves as well prepared because they have already established comprehensive processes for IT security and outsourcing management. The experience gained from discussions with the supervisory authorities and from annual audits has also ensured continuous improvement in the area of IT requirements. By contrast, small and medium-sized financial companies face greater challenges. They often lack sufficient resources, specialized staff or the necessary infrastructure to meet the DORA requirements.

Continuously monitoring one's own DORA maturity level and making targeted investments in IT systems and personnel are crucial factors in achieving the necessary full DORA compliance.

Support from the supervisory authorities

One key aspect that financial companies are facing in connection with the applicability of DORA is how to deal with the perceived redundancy between the DORA requirements and the existing regulatory requirements for IT. In order to address these challenges and any potential duplicate regulation of financial companies, BaFin has announced that its industry-specific circulars on the requirements for IT security,

  • the capital management supervisory requirements for IT (KAIT),
  • the insurance supervisory requirements for IT (VAIT) and
  • the payment services supervisory requirements for IT (ZAIT),

are repealed with effect from January 17, 2025.

The Banking Supervision Requirements for IT (BAIT) will be gradually repealed, with institutions that have to operate ICT risk management in accordance with Articles 5-15 DORA or Article 16 DORA no longer falling within the scope of BAIT from January 17, 2025. This primarily affects credit institutions and financial services institutions within the meaning of Article 1 (1b) of the German Banking Act (KWG), which fall within the scope of DORA in accordance with Article 2 of DORA. In addition, BaFin is rescinding Chapter 11 of BAIT (customer relationships with payment service users) for all remaining addressees.

In addition, BaFin repealed Circular 03/2022 (BA) on the reporting of serious payment security incidents in accordance with Section 54 (1) ZAG, which applied to all payment institutions, e-money institutions and CRR credit institutions, as of January 17, 2025. As already provided for in recital 23 of DORA, all payment-related operational or security incidents that CRR credit institutions, e-money institutions, payment institutions and account information service providers previously reported in accordance with Directive (EU) 2015/2366 (on which Circular 03/2022 is based) are to be reported in accordance with DORA only from January 17, 2025. The corresponding provision in Section 54 ZAG was adapted accordingly by Section 12 no. 14 of the German Financial Market Digitalization Act.

In connection with the repeal of Circular 03/2022, BaFin has provided a transitional arrangement: for incidents for which an initial report was made before January 17, 2025, interim and final reports continue to be submitted in accordance with the requirements of Circular 03/2022 on the PSD2 payment security incident reporting procedure via BaFin’s reporting and publication platform (MVP).

Incidents occurring on or after January 17, 2025 will only be subject to the reporting requirements under Chapter III DORA. BaFin acts as a central reporting hub for all financial companies under its supervision. The previously required parallel reporting by KRITIS companies to the Bundesbank is no longer necessary. The reports are to be submitted solely via the MVP portal, which requires prior activation of the Digital Operational Resilience Act (DORA) reporting procedure.

Given the ongoing adjustment of the previous requirements for ICT risk management in financial companies and their supervision, financial companies should evaluate particularly carefully what consequences each adjustment will have for them. For example, the statistical reports to BaFin on fraud cases in connection with the various means of payment in accordance with Section 54 (5) ZAG remain in place. The supervisory regime for outsourcing in accordance with MaRisk/ZAG-MaRisk also remains in place despite the repeal of the xAIT.

Overall, however, it is clear that BaFin is endeavouring to support the financial companies affected by DORA through various publications, such as the overview of the documentation requirements under DORA or the explanations for the DORA information register. A corresponding supervisory practice, however, will only emerge in the coming months and years.

Outlook

Although DORA has been in place for two years and the supervisory authorities are facilitating its implementation through workshops and publications, it is clear that a large part of the financial industry is still not sufficiently prepared. The requirements of DORA necessitate not only technical adjustments, but also far-reaching organizational and procedural changes. In particular, smaller market participants appear to be having difficulties implementing the necessary measures in time. On the one hand, the ICT service providers that supply financial companies with their IT services are facing enormous challenges in meeting the requirements of DORA and, on the other hand, they are passing this pressure back to the financial companies by increasing fees and costs.

Where the financial industry is headed in terms of DORA will only become clear in the coming months and years, once standards and supervisory practices have been established. The ambiguities and uncertainties that currently exist will only be resolved once the 2025 audit cycles have been completed. At present, it seems that the supervisory authority has at least recognized some of the challenges facing the industry and would like to provide further clarity through publications.
