Article 14 Digital Operational Resilience Act (DORA), Further harmonisation of ICT Risk Management Tools, Methods, Processes And Policies

Jul 21, 2024by Sneha Naskar

DORA, or the Digital Operational Resilience Act, represents a significant leap towards fortifying the digital backbone of the financial sector. As technology continues to evolve rapidly, the need for a unified approach to ICT risk management becomes increasingly apparent. DORA is designed to address this by harmonizing ICT risk management tools, methods, processes, and policies across the industry. Its goal is to ensure that financial institutions can withstand and quickly recover from operational disruptions, whether they arise from technical failures, cyber threats, or other digital challenges. By establishing a comprehensive and standardized framework, DORA aims to enhance the overall resilience of the financial sector and safeguard its critical operations in an ever-evolving digital landscape.

Further harmonisation of ICT Risk Management Tools, Methods, Processes And Policies

Development of Draft Regulatory Technical Standards by EBA, ESMA, and EIOPA

The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), in consultation with the European Union Agency for Cybersecurity (ENISA), are tasked with developing draft regulatory technical standards aimed at:

(a) Specifying additional elements to be included in ICT security policies, procedures, protocols, and tools, as outlined in Article 8(2). These standards aim to ensure network security, safeguard against intrusions and data misuse, maintain data authenticity and integrity—including the use of cryptographic techniques—and ensure accurate and uninterrupted data transmission.

(b) Prescribing requirements for integrating security controls into systems from inception (security by design), adapting to evolving threats, and implementing defence-in-depth technology within ICT security policies, procedures, and tools referred to in Article 8(2).

(c) Detailing appropriate techniques, methods, and protocols specified in Article 8(4)(b).

(d) Further developing components of access management rights controls under Article 8(4)(c), including human resources policies that define access rights, procedures for granting and revoking access, and monitoring anomalous behavior related to ICT risks using indicators such as network usage patterns, IT activity hours, and detection of unknown devices.

(e) Elaborating on the elements in Article 9(1) to facilitate timely detection of anomalous activities, and specifying criteria under Article 9(2) to trigger processes for detecting and responding to ICT-related incidents.

(f) Further specifying components of the ICT Business Continuity Policy outlined in Article 10(1).

(g) Detailing requirements for testing ICT business continuity plans as per Article 10(5), ensuring scenarios where critical functions deteriorate or fail to unacceptable levels are adequately addressed. This includes considering potential impacts from insolvency or failures of relevant ICT third-party service providers, as well as political risks in their jurisdictions where applicable.

(h) Elaborating on components of the ICT Disaster Recovery Plan specified in Article 10(3).

EBA, ESMA, and EIOPA are required to submit these draft regulatory technical standards to the European Commission by [OJ: insert date 1 year after the date of entry into force]. The Commission is delegated the power to adopt these regulatory technical standards in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010, respectively.

Harmonisation Objectives

The primary objective of Article 14 is to achieve a high level of uniformity in the ICT risk management practices of financial entities. By harmonizing the tools, methods, processes, and policies, DORA aims to:

  • Enhance Consistency: Ensure that all financial entities, regardless of their size or complexity, apply consistent ICT risk management practices.
  • Improve Collaboration: Facilitate better collaboration and information sharing among financial entities and regulatory bodies.
  • Increase Resilience: Strengthen the digital operational resilience of the financial sector as a whole.
  • Reduce Fragmentation: Minimize discrepancies in ICT risk management approaches across different jurisdictions.

Standardized Tools and Methods

Financial entities are required to use standardized tools and methods for identifying, assessing, and managing ICT risks. These tools and methods should be:

  • Comprehensive: Cover all aspects of ICT risk management, including risk identification, assessment, mitigation, and monitoring.
  • Adaptable: Be flexible enough to accommodate the specific needs and risk profiles of different financial entities.
  • Interoperable: Ensure compatibility and seamless integration with other systems and processes used by financial entities.

Unified Processes and Policies

Article 14 mandates the adoption of unified processes and policies for ICT risk management. These processes and policies should be:

  • Documented: Clearly documented and easily accessible to relevant stakeholders.
  • Consistent: Applied consistently across all levels of the organization.
  • Reviewed: Regularly reviewed and updated to reflect changes in the threat landscape and regulatory requirements.
DORA Compliance Framework

Key Areas of Harmonisation

The harmonisation efforts under Article 14 focus on several key areas:

  • Risk Assessment Frameworks: Establishing common frameworks for conducting ICT risk assessments, including methodologies for evaluating the likelihood and impact of different types of ICT risks.
  • Incident Management: Developing standardized procedures for managing ICT-related incidents, including detection, response, recovery, and reporting.
  • Third-Party Risk Management: Implementing consistent approaches to managing risks associated with ICT third-party service providers, including due diligence, monitoring, and oversight.
  • Cybersecurity Measures: Adopting uniform cybersecurity measures, including access controls, encryption, and threat intelligence sharing.
  • Training and Awareness: Ensuring that all employees receive consistent training and awareness programs on ICT risk management and cybersecurity best practices.

Collaboration and Information Sharing

To support the harmonisation efforts, Article 14 encourages collaboration and information sharing among financial entities, regulatory bodies, and other relevant stakeholders. This includes:

  • Shared Databases: Creating shared databases for storing and accessing information on ICT risks, incidents, and best practices.
  • Joint Exercises: Conducting joint exercises and simulations to test and improve ICT risk management capabilities.
  • Peer Reviews: Engaging in peer reviews to assess the effectiveness of ICT risk management practices and identify areas for improvement.

Regulatory Oversight and Guidance

Regulatory bodies play a crucial role in overseeing the harmonisation efforts. They are responsible for:

  • Providing Guidance: Issuing guidelines and best practices for implementing standardized ICT risk management tools, methods, processes, and policies.
  • Monitoring Compliance: Monitoring compliance with Article 14 requirements and taking corrective actions where necessary.
  • Facilitating Collaboration: Facilitating collaboration and information sharing among financial entities and other stakeholders.
DORA Compliance Framework