Preamble 21 to 30, Digital Operational Resilience Act (DORA)

by Sneha Naskar

The Digital Operational Resilience Act (DORA) was proposed by the European Commission in September 2020 and adopted as Regulation (EU) 2022/2554, with its requirements applying to in-scope financial entities from 17 January 2025. Its aim is to ensure that the EU financial sector can withstand, respond to and recover from cyber threats and other risks arising from information and communication technology (ICT). The recitals in the preamble explain the reasoning behind the operative articles; the key points from Preamble 21 to 30 are summarised below.

21. Harmonization Of ICT Incident Reporting

Requirements for reporting ICT-related incidents vary significantly across EU member states, with different thresholds for what must be reported and different taxonomies for classifying incidents. This diversity complicates compliance for financial entities that operate across multiple jurisdictions or belong to financial groups, since the same incident may need to be classified and reported differently to each authority. Despite efforts by the European Union Agency for Cybersecurity (ENISA) and the NIS Cooperation Group established under Directive (EU) 2016/1148 to promote common standards, disparities persist. These differences hinder the establishment of centralised reporting mechanisms at Union level, which are crucial for rapid information exchange during large-scale ICT attacks with potential systemic impact.

22. Strengthening Supervisory Oversight

To enable competent authorities to fulfil their supervisory roles effectively, comprehensive rules are needed to enhance the reporting regime for ICT-related incidents. Reporting obligations currently exist only in some subsector legislation, and where they exist they are not aligned, so the preamble calls for harmonised and streamlined reporting by all financial entities to their respective competent authorities. It also calls for the European Supervisory Authorities (ESAs) to be empowered to standardise the elements of reporting, namely the incident taxonomy, timeframes, datasets, templates and thresholds. Common reporting elements strengthen supervisory capabilities and make it easier for the relevant public authorities to share information about incidents with one another.

23. Coordinated Digital Operational Resilience Testing

Frameworks for digital operational resilience testing vary widely across financial subsectors and national jurisdictions, leading to duplicated costs and creating barriers to the mutual recognition of testing results. This lack of coordination burdens cross-border financial entities, which may be required to repeat equivalent tests in each jurisdiction, and undermines the integrity of the single market. By mandating coordinated testing frameworks and enabling competent authorities to recognise one another's results, DORA seeks to remove these inefficiencies. Testing remains essential for identifying vulnerabilities, validating defence capabilities, ensuring business continuity and fostering trust among stakeholders.

24. Addressing ICT Third-Party Risks

Financial entities increasingly rely on ICT services to improve business efficiency, meet consumer demand and compete in a digital economy. However, the complex contractual arrangements they enter into with ICT third-party service providers often lack safeguards tailored to the needs of the financial sector. This deficiency limits a financial entity's ability to monitor subcontracting along the supply chain and to assess the associated risks comprehensively. DORA therefore aims to establish clear principles and minimum contractual rights for managing ICT third-party risk, so that financial entities can enforce regulatory requirements, monitor their providers' activities and mitigate external sources of ICT-related risk.

25. Enhancing Union Oversight Of Critical ICT Providers

The concentration of financial entities' dependencies on a small number of critical ICT third-party service providers poses systemic risk to the financial sector. Current Union legislation and supervisory tools do not adequately address this risk, particularly with respect to outsourcing practices and dependencies on key providers. To close this gap, DORA provides for a Union oversight framework that enables continuous monitoring of critical ICT third-party service providers, so that financial supervisors can quantify, qualify and mitigate the consequences of the ICT-related risks that such concentration creates. Greater transparency and oversight in this area are intended to safeguard financial stability and resilience against external ICT dependencies.

26. Evolution Of Financial Entities' Reliance On ICT

Financial entities increasingly rely on ICT services to adapt to a competitive, digital global economy, enhance business efficiency and meet consumer demand. This reliance has reduced the cost of financial intermediation and allowed financial activities to scale. Because the nature and extent of that reliance keep evolving, regulatory frameworks must be robust enough to manage the associated risks as they change.

27. Challenges In Contractual Arrangements With ICT Third-Party Service Providers

Complex contractual arrangements with ICT third-party service providers often fail to address regulatory requirements or to provide sufficient safeguards. Financial entities struggle to negotiate contracts that align with prudential standards and regulatory needs, in particular access and audit rights over the provider. Moreover, standard contracts offered by providers do not cater to the specific needs of financial sector actors, which complicates risk management and the oversight of subcontracting.

28. Regulatory Gaps In Outsourcing And ICT Third-Party Dependencies

While some Union legislation addresses outsourcing in financial services, the monitoring of the contractual dimension of ICT third-party relationships remains insufficiently anchored in Union law. The absence of bespoke standards for contractual arrangements with ICT third-party service providers leaves financial entities exposed to external ICT risk. DORA therefore sets out key principles for managing ICT third-party risk, including core contractual rights that allow risks to be monitored and managed at the level of the ICT third-party provider.

29. Lack Of Homogeneity In ICT Third-Party Risk Management

There is a lack of consistency and convergence in how ICT third-party risk is managed across the Union. Despite efforts such as the EBA's 2017 recommendations on outsourcing to cloud service providers, Union legislation does not adequately address the systemic risk that stems from concentration on critical ICT third-party service providers. National supervisors lack specific mandates and tools to fully understand and monitor the risks arising from dependencies on such providers.

30. Establishing A Union Oversight Framework For Critical ICT Providers

Given the systemic risk that increased outsourcing and dependencies on critical ICT third-party providers can create, DORA provides for a comprehensive Union oversight framework. The framework enables continuous monitoring of the activities of critical ICT third-party providers that serve financial entities, so that financial supervisors can quantify, qualify and mitigate the consequences of ICT-related risk arising from concentration on those providers. This proactive approach is intended to strengthen financial stability and resilience against external ICT dependencies within the Union.

Taken together, these recitals show DORA's comprehensive approach to strengthening the EU financial sector's resilience to ICT risk: harmonised incident reporting, coordinated resilience testing, minimum contractual standards for ICT third-party arrangements, and Union-level oversight of critical providers, all aimed at ensuring continuity of services and protecting stakeholders' interests in an increasingly digitised environment.