With cyber threats on the rise, the European legislature has recognized the importance of equipping the Union's financial, banking and insurance institutions with a regulatory framework that fosters their digital operational resilience.
EU Regulation 2022/2554, known as “DORA” (Digital Operational Resilience Act), which is scheduled to apply as of January 17, 2025, is the most important reform to date in the field of cybersecurity in banking, finance and insurance. As its recitals confirm, the increasing degree of digitization and interconnectedness has amplified cyber risks as a result of the essential role acquired by ICT services. With the increase in cyber threats and operational disruptions resulting from security incidents, the European legislature has recognized the importance of equipping the Union's financial, banking and insurance institutions with a regulatory framework that fosters their “digital operational resilience,” i.e., the ability to build, secure and review their operational integrity and reliability, ensuring, including through the ICT services of third-party providers, the security of their information systems even in the face of disruption. As such, it is crucial that financial entities and their ICT service providers take appropriate and adequate measures to ensure the security and reliability of their operations.
The main pillars underpinning DORA's discipline are essentially five:
(i) Risk management: obligation to map all functions and activities supported by ICT services and manage their risks, cybersecurity threats, and vulnerabilities by having internal governance structures and formalizing relevant policies to monitor them.
(ii) Operational resilience: requirement to provide a testing program to assess and remediate any cybersecurity gaps.
(iii) Third-party vendor relationships: risk assessment and monitoring of relationships with external vendors (both vendors with whom the entity has a direct relationship and their subcontractors) through the drafting of contractual agreements that include the minimum requirements set out in the regulation.
(iv) Incident management: obligation to inform the relevant authorities of any significant incidents and the measures taken to address them.
(v) Information sharing mechanisms: possibility of mutual exchange of information and analysis of cyber threats.
Impacts of DORA
The impact of DORA on the various types of financial entities will not be the same for all recipients, both in terms of internal governance safeguards (e.g., updating IT security policies) and in terms of reviewing contracts with ICT service providers supporting essential or important functions.
In particular, banks (given their relevance at the level of systemic risk) were already subject to a particularly advanced regulatory framework due to the transposition of both the EBA guidelines on outsourcing and the EBA guidelines on ICT and security risk management (both later referenced and implemented in Circular 285), which already anticipated some of the measures later reaffirmed by DORA.
Along with banks, insurance companies, as well as SGRs and AIF managers, are already required to adopt a number of safeguards when outsourcing essential or important functions. For insurance companies, there will be impacts on the activities to be carried out internally to adapt to and comply with the provisions of DORA, also in light of the now outdated industry regulation (i.e. IVASS Regulation No. 38 of 2018). SGRs, AIF managers, and investment firms will in turn be significantly affected (in terms of internal compliance effort), since the current sources neither elaborate on nor comprehensively address digital operational resilience rules (consider EU Regulation 2013/231 and the Bank of Italy and Consob Regulation of December 5, 2019, but also EU Regulation 2017/565); the only source that attempts to regulate the topic, and only partially, is the ESMA cloud guidelines, which moreover apply only to cloud services.
In any case, each financial entity will first have to identify all contracts attributable to ICT services provided by third-party vendors; among these, services supporting essential or important functions will have to be distinguished, i.e., those functions whose interruption, or whose deficient or insufficient performance, would substantially jeopardize the financial results or the soundness or continuity of its services and activities, or even the continued fulfillment of the conditions and obligations inherent in its authorization or of other obligations under applicable industry regulations. Subsequently, it will be necessary to conduct a gap analysis in order to properly assess the risks and the actions to be taken to bring all internal policies, procedures and contracts in line with the new requirements of the DORA Regulation and its delegated regulations.
In this sense, the DORA framework is far from complete and, in particular, (i) most of the implementing technical standards are still missing (the so-called RTS and ITS; think, for example, of incident classification, management of relations with subcontractors, and methodologies for incident notification and reporting) and (ii) it will be necessary to issue a legislative decree to “harmonize” the Italian legal system with the new features introduced by the DORA package, as provided for in Article 16 of Delegated Law No. 15/2024. Inevitably, all this makes this phase of implementation and progressive adaptation to this new “hyper-technical” legislation even more difficult.