Preamble 41 to 50, Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) aims to enhance the EU financial sector's resilience against cyber threats and ICT risks through improved information sharing, robust testing, and effective third-party risk management.
41. Flexibility In Recovery Time Objectives
Financial entities under this Regulation should be free to set their recovery time objectives according to the nature and criticality of the relevant function and their specific business needs. When setting those objectives, however, they should also assess the objectives' potential impact on overall market efficiency.
42. Enhancing Reporting Of Major ICT Incidents
Because the financial sector is particularly exposed to cyber-attacks motivated by financial gain, improving how financial entities report major ICT-related incidents is crucial. Harmonizing ICT-related incident reporting across all financial entities, with reports submitted directly to competent authorities, would give supervisors timely access to incident information. Financial supervisors should in turn pass relevant information on to non-financial public authorities, such as NIS competent authorities, national data protection authorities and, for incidents of a criminal nature, law enforcement agencies. The flow should run in both directions: the ESAs should provide anonymized threat and vulnerability data back to the sector to support collective defense, so that sector-wide resilience improves.
43. Centralization Of ICT Incident Reporting
Consideration should be given to centralizing ICT-related incident reports through a single EU Hub. Such a hub could either receive reports directly and automatically notify national competent authorities, or collect reports forwarded by national authorities and serve a coordinating function. The ESAs, in consultation with the ECB and ENISA, should prepare a joint report exploring the feasibility of establishing such a central EU Hub by a specified date.
44. Regular Testing For Digital Operational Resilience
Financial entities should regularly test their ICT systems and the staff with ICT-related responsibilities to ensure robust digital operational resilience, in line with international standards such as the G7 Fundamental Elements for Threat-Led Penetration Testing. Testing should evaluate the effectiveness of preventive, detection, response, and recovery capabilities in order to identify and address potential ICT vulnerabilities. Testing requirements should be proportionate to a financial entity's maturity level and systemic role; significant entities and entities in core systemic subsectors should be subject to more demanding, advanced testing such as threat-led penetration testing. Financial entities operating in more than one Member State should fulfil the advanced testing requirements in their home Member State, with the testing covering their ICT infrastructures in all jurisdictions where they operate.
45. Principle-Based Monitoring Of ICT Third-Party Risk
Principle-based rules are needed so that financial entities can monitor ICT third-party risk effectively, including outsourced functions and other ICT dependencies. Monitoring should be proportionate to the scale, complexity, and importance of the ICT-related dependencies, so as to safeguard the continuity and quality of financial services at both individual and group level. Management bodies should keep a strategic approach to ICT third-party risk and continuously screen those dependencies. In parallel, financial supervisors should regularly receive essential information from the registers of information that financial entities maintain on their contractual arrangements with ICT third-party service providers, and should be able to request ad hoc extracts from those registers to strengthen oversight.
46. Responsibilities In Monitoring ICT Third-Party Risk
Financial entities remain fully responsible at all times for complying with the obligations under this Regulation, including the monitoring of ICT third-party risk. That monitoring should be proportionate to the scale, complexity, and criticality of the services, processes, or functions covered by the contractual arrangements, focusing on the potential impact on service continuity and quality at both individual and group level.
47. Strategic Oversight Of ICT Third-Party Dependencies
Management bodies should formulate a dedicated strategy for overseeing ICT third-party dependencies, so that those dependencies are subject to effective governance and risk management. Financial supervisors play a crucial role in supervising ICT third-party dependencies through regular exchanges with financial entities and access to essential information from the registers of information.
48. Pre-Contractual Analysis And Contract Termination
A thorough pre-contractual analysis is essential before a financial entity enters into a contractual arrangement with an ICT third-party service provider. Contract termination should be triggered at least by a defined set of circumstances showing shortcomings at the ICT third-party service provider, so that the financial entity can protect its operational resilience and continuity of service.
49. Addressing Systemic ICT Third-Party Concentration Risk
A balanced approach should be promoted to mitigate the systemic risk posed by ICT third-party concentration, with due regard to business conduct and contractual freedom. To identify and manage concentration risk, financial entities should assess their contractual arrangements, in particular any sub-outsourcing to ICT third-party service providers located in third countries. Oversight by the designated ESAs should focus on understanding these interdependencies and on engaging in dialogue with critical ICT third-party service providers, in order to mitigate risks to the stability and integrity of the Union financial system.
50. Harmonization Of Key Contractual Elements
Key contractual elements should be harmonized throughout the lifecycle of the contract, so that financial entities can monitor ICT third-party service providers on an ongoing basis and preserve their digital operational resilience. These elements should include the minimum contractual provisions that financial entities need in order to monitor the provider comprehensively, ensuring the stability and security of the ICT services they rely on.