DORA Regulation: Mandatory ICT Risk Management and Reporting Changes
The DORA regulation introduces updated reporting requirements, mandating financial institutions to standardize ICT risk data, assess critical services, and enhance subcontracting transparency.
On November 29, 2024, the European Commission introduced the Commission Implementing Regulation (EU) 2024/2956, laying down detailed technical standards for the application of Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA). This update, which will officially come into force 20 days after its publication in the Official Journal of the European Union, aims to standardize operational resilience requirements for the financial sector across the EU.
These technical standards, drafted in collaboration with the European Supervisory Authorities (ESAs)—the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA)—focus on templates for maintaining a register of information related to ICT service providers and risk management practices.
Commission Implementing Regulation (EU) 2024/2956: DORA Regulation
The new implementing standards under the DORA regulation introduce a stringent framework for financial entities to enhance transparency, consistency, and operational risk management. Below is an expanded analysis of the key regulatory details financial institutions must adhere to under this legislation.
1. Comprehensive Register of Information
Under the DORA regulation, financial entities must maintain a register of information that includes every aspect of their contractual relationships with ICT third-party providers. This register forms the cornerstone of operational transparency and includes:
- Legal Entity Identification:
  - Entities must provide unique identifiers such as the Legal Entity Identifier (LEI) and European Unique Identifier (EUID) for ICT third-party providers.
  - Entities must record the country of origin using ISO 3166-1 alpha-2 codes.
- Organizational Structure:
  - Financial institutions must document their group-level and entity-level hierarchies.
  - The templates allow for reporting at entity, sub-consolidated, and consolidated levels, ensuring a complete picture of intra-group and external dependencies.
- Contractual Arrangement Tracking:
  - Each contractual relationship must be assigned a unique contractual arrangement reference number, which is consistent across all templates.
  - Financial entities must include information about overarching, standalone, and subsequent arrangements.
The standardized register facilitates monitoring and reporting of ICT risks while enhancing consistency across entities within the EU under the DORA regulation.
2. Classification and Ranking of ICT Providers
The DORA regulation emphasizes the classification of ICT service providers to manage risks effectively. Financial institutions are required to:
- Assign a Rank to Each Provider:
  - The direct ICT third-party provider is ranked as "1".
  - Subsequent subcontractors are ranked incrementally (e.g., rank "2" for the subcontractor of the direct provider).
- Document Subcontracting Chains:
  - Financial institutions must track subcontractors critical to ICT services supporting significant functions.
  - This includes documenting complex subcontracting chains to identify potential vulnerabilities.
- Assess Concentration Risks:
  - Institutions must evaluate the potential for ICT third-party concentration risks. This involves assessing whether reliance on a single provider or limited market options poses operational threats.
This granular classification ensures that risks are traceable and mitigable at every level of the ICT service supply chain, reinforcing the goals of the DORA regulation.
3. Standardized Data Reporting Templates
To ensure interoperability and reduce administrative burdens, the DORA regulation mandates the use of standardized templates. These templates are designed to:
- Be Technology-Neutral:
  - Templates consist of predefined columns and indefinite rows, ensuring scalability and adaptability.
- Ensure Data Consistency Across Levels:
  - Institutions must maintain accurate and uniform data at three organizational levels: entity, sub-consolidated, and consolidated.
- Link Data Across Templates:
  - Each data entry is interconnected using unique identifiers, such as Contractual Reference Numbers, LEIs, and Function Identifiers.
These templates support regulatory oversight and comparability across the financial sector, helping regulators identify systemic vulnerabilities more effectively under the DORA regulation.
4. Risk Assessments for Critical ICT Services
A core component of the DORA regulation is its emphasis on assessing the risks associated with ICT services critical to financial operations. Key regulatory details include:
- Identification of Critical Services:
  - Financial entities must identify ICT services that support critical or important functions.
  - Each service must be categorized based on its impact, sensitivity, and reliance level.
- Substitutability Analysis:
  - Financial entities are required to assess whether ICT services are substitutable and, if so, how easily they can be replaced.
- Impact Assessment:
  - Institutions must evaluate the potential impact of service disruptions, categorizing them as low, medium, or high.
- Audit and Review:
  - Entities must conduct regular audits of ICT service providers, including internal reviews, pooled audits, or third-party evaluations.
This robust risk management framework enables financial institutions to proactively address operational vulnerabilities as mandated by the DORA regulation.
5. Oversight of Intragroup and External ICT Arrangements
To capture the complexities of ICT dependencies within financial groups, the DORA regulation introduces stringent oversight requirements:
- Intragroup Dependencies:
  - Financial entities must document intra-group contractual arrangements and reconcile them with external ICT agreements.
- Subcontracting Management:
  - Institutions must identify and assess first-tier subcontractors outside the group, even if their services do not directly support critical functions.
- Consolidated Reporting:
  - Parent undertakings are responsible for creating a consolidated register of information that includes all group entities and their dependencies.
This ensures that both internal and external ICT arrangements are fully transparent and compliant with the DORA regulation.
6. Principles of Data Quality and Accuracy
The DORA regulation emphasizes the importance of high-quality data to support effective oversight. Financial entities must adhere to six core principles when maintaining the register of information:
- Accuracy: All reported data must reflect the current state of ICT relationships and services.
- Completeness: No critical information should be omitted.
- Consistency: Data must be uniform across entity, sub-consolidated, and consolidated levels.
- Integrity: Information must remain unaltered unless updates are necessary.
- Uniformity: Standard formats and terminologies should be used.
- Validity: Data must be current and relevant to the reporting period.
These principles ensure reliable data for both institutional use and regulatory scrutiny under the DORA regulation.
7. ICT Service Supply Chain Transparency
The DORA regulation introduces robust requirements for documenting the ICT service supply chain:
- Service Chain Mapping:
  - Financial entities must map all third-party providers involved in the delivery of ICT services.
- Identification of Critical Subcontractors:
  - Subcontractors essential to critical functions must be identified and assessed.
- Ranking and Accountability:
  - Each provider in the chain must be ranked, with rank "1" being the direct provider and subsequent ranks assigned to subcontractors.
This ensures end-to-end visibility of the supply chain, aiding in risk mitigation and regulatory compliance under the DORA regulation.
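As an added illustration (not part of this article and not the official DORA templates), the following Python sketch applies the register rules from sections 1, 2, 3, 6 and 7 to a constructed register: it validates LEI check digits (ISO 17442 with ISO 7064 mod 97-10), ISO 3166-1 alpha-2 country codes, an unbroken subcontracting rank chain starting at rank "1", and the link between each contractual arrangement reference and a function defined in a second template. Field names, the two-template layout and all sample values are assumptions.

```python
import re
from dataclasses import dataclass

LEI_SHAPE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")   # ISO 17442 layout
ALPHA2 = re.compile(r"[A-Z]{2}")                   # ISO 3166-1 alpha-2

def _mod97(alnum: str) -> int:
    # ISO 7064 mod 97-10: each letter becomes two digits (A=10 ... Z=35)
    return int("".join(str(int(c, 36)) for c in alnum)) % 97

def lei_is_valid(lei: str) -> bool:  # a well-formed LEI leaves remainder 1
    return bool(LEI_SHAPE.fullmatch(lei)) and _mod97(lei) == 1
def make_lei(body18: str) -> str:  # builds constructed samples only; real LEIs come from GLEIF
    return body18 + f"{98 - _mod97(body18 + '00'):02d}"
@dataclass
class Provider:
    name: str
    lei: str
    country: str   # ISO 3166-1 alpha-2 code
    rank: int      # 1 = direct ICT provider, 2 = its subcontractor, ...

@dataclass
class Arrangement:
    ref: str           # contractual arrangement reference number
    function_id: str   # must exist in the functions template
    providers: list    # the subcontracting chain for this arrangement

def check_register(arrangements, functions) -> list:
    """Return data-quality findings; an empty list means the register passes."""
    findings = []
    for a in arrangements:
        if a.function_id not in functions:  # reference must link across templates
            findings.append(f"{a.ref}: unknown function id {a.function_id}")
        ranks = sorted(p.rank for p in a.providers)
        if ranks != list(range(1, len(ranks) + 1)):  # chain must run 1, 2, 3, ...
            findings.append(f"{a.ref}: ranks {ranks} break the subcontracting chain")
        for p in a.providers:
            if not lei_is_valid(p.lei):
                findings.append(f"{a.ref}/{p.name}: invalid LEI {p.lei}")
            if not ALPHA2.fullmatch(p.country):
                findings.append(f"{a.ref}/{p.name}: country {p.country!r} is not alpha-2")
    return findings

# Constructed sample data; the identifiers do not belong to any real entity.
FUNCTIONS = {"F-PAY-01": "critical"}  # functions template (hypothetical)
LEI_A, LEI_B = make_lei("5299000000000000TE"), make_lei("5299000000000000SU")
TAMPERED = LEI_A[:-1] + ("0" if LEI_A[-1] != "0" else "1")  # one check digit altered
GOOD = [Arrangement("CA-0001", "F-PAY-01", [Provider("CloudCo", LEI_A, "DE", 1),
                                             Provider("SubCo", LEI_B, "IE", 2)])]
BAD = [Arrangement("CA-0002", "F-XXX-99", [Provider("VendorX", TAMPERED, "Germany", 1),
                                            Provider("SubY", LEI_B, "IE", 3)])]
```

Running `check_register(BAD, FUNCTIONS)` reports four findings (unlinked function, broken rank chain, bad LEI, bad country code), while the `GOOD` register passes cleanly.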
8. Mandatory Reporting of Critical ICT Dependencies
For services supporting critical or important functions, the DORA regulation mandates detailed reporting:
- Service Characteristics:
  - Each critical ICT service must be described in terms of its type, impact, and operational role.
- Data Sensitivity and Storage:
  - The location and sensitivity of stored data must be reported, along with the security measures in place.
- Governance Framework:
  - Institutions must disclose the governing laws of their ICT contracts and the jurisdictions of data storage and processing facilities.
This level of detail allows regulators to monitor systemic risks effectively in compliance with the DORA regulation.
Implications for Financial Institutions Under DORA Regulation
1. Enhanced Compliance Requirements
Financial institutions face increased obligations under the DORA regulation to maintain operational transparency and mitigate ICT risks. This includes:
- Maintaining detailed and standardized registers of information as mandated by the DORA regulation.
- Conducting thorough risk assessments for critical ICT services.
- Enhancing oversight of subcontracting chains and intra-group ICT arrangements to comply with DORA regulation standards.
2. Investment in Technology and Training
To meet the new data reporting and risk management requirements outlined in the DORA regulation, institutions must invest in:
- Advanced data management systems to ensure accuracy, consistency, and scalability as required by the DORA regulation.
- Training programs for staff to familiarize them with new reporting templates and ICT risk assessment protocols specified in the DORA regulation.
3. Regulatory Oversight and Audits
The DORA regulation introduces more stringent supervisory mechanisms. Institutions must prepare for:
- Regular audits of ICT providers and subcontractors as outlined in the DORA regulation.
- Comprehensive documentation to facilitate regulatory reviews under the DORA regulation framework.
- Potential penalties for non-compliance or incomplete reporting mandated by the DORA regulation.
4. Strengthened Risk Mitigation Strategies
Institutions must reassess their ICT strategies to ensure resilience as per the DORA regulation:
- Develop and implement exit plans for critical ICT services.
- Enhance capabilities to manage disruptions through improved substitutability and reintegration plans under the DORA regulation.
- Regularly review data storage and processing arrangements to ensure compliance with cross-border and local data laws in alignment with the DORA regulation.
5. Compliance Timeline
The DORA regulation timeline is crucial for planning and execution:
- December 2024: The DORA regulation enters into force, with the implementation timeline starting immediately.
- First Half of 2025: Financial entities must begin the transition to standardized templates and start updating their information registers as required by the DORA regulation.
- End of 2025: Entities are expected to complete their risk assessments, register updates, and have compliance systems fully operational under the DORA regulation.
- Ongoing: Annual updates and audits are required to ensure continuous compliance with the DORA regulation.
Institutions should leverage the phased timeline of the DORA regulation to prioritize critical tasks and allocate resources effectively.
Digital Operational Resilience Future
The DORA regulation represents a significant shift toward digital operational resilience, necessitating a unified approach to ICT risk management within the EU financial sector. The standardized templates and comprehensive reporting requirements under the DORA regulation will strengthen oversight, ensuring financial stability in an increasingly digitized landscape.
Financial institutions should act swiftly to align their practices with the new requirements of the DORA regulation, leveraging advanced technology and data governance strategies to meet regulatory expectations and safeguard operational resilience.
For further insights into compliance and implementation of the DORA regulation, consult the European Commission's Official Journal or your regional regulatory body.