Article 14 Digital Operational Resilience Act (DORA), Further Harmonisation of ICT Risk Management Tools, Methods, Processes and Policies

Sep 7, 2024

Article 14 of the Digital Operational Resilience Act (DORA) focuses on advancing the harmonization of ICT risk management tools, methods, processes, and policies across financial entities within the European Union. This article mandates the development of draft regulatory technical standards to ensure consistency and effectiveness in managing ICT risks and enhancing digital resilience. The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), in consultation with the European Union Agency for Cybersecurity (ENISA), are tasked with this responsibility. Here’s a detailed breakdown of the requirements and objectives under Article 14.


Development of Draft Regulatory Technical Standards

In line with Article 8(2) of DORA, the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), working in collaboration with the European Union Agency for Cybersecurity (ENISA), are tasked with developing draft regulatory technical standards. These standards will further define the elements that must be incorporated into ICT security policies, procedures, protocols, and tools. Their primary focus is to enhance network security, safeguard against intrusions and data misuse, ensure data authenticity and integrity through cryptographic methods, and guarantee accurate and prompt data transmission without significant disruptions.

One crucial aspect of these standards is the emphasis on security controls and adaptability. ICT security policies and tools must integrate security measures from the design phase, commonly referred to as "security by design." This ensures that security mechanisms are embedded into systems from the beginning, allowing them to adapt to the ever-evolving threat landscape. The draft standards will also require the utilization of defense-in-depth technology, a layered approach to security that provides multiple levels of defense against potential cyber threats. This adaptability ensures that as threats evolve, security measures can be adjusted to remain effective.

DORA Compliance Framework

Additionally, the regulatory standards will provide further specifications on the techniques, methods, and protocols necessary for effective ICT risk management. This addresses the requirements in Article 8(4), ensuring that financial entities can standardize their practices and implement robust risk management strategies. These standardized techniques are designed to strengthen the overall security framework of financial institutions, ensuring consistency and efficacy across different entities.

Access management is another key area of focus. The draft standards will elaborate on components related to access control, ensuring that human resources policies regarding the granting and revoking of access rights are well-defined. Monitoring anomalous behavior through indicators such as network usage patterns, IT activity, and the detection of unknown devices will be central to these controls. Such measures ensure that only authorized personnel can access sensitive systems and data, reducing the risk of breaches or unauthorized access.

For the detection of anomalous activities, the standards will provide guidance on detection mechanisms and on the criteria that trigger incident detection and response processes. These components, referenced in Articles 9(1) and 9(2), will ensure that financial entities are equipped to promptly detect and respond to potential threats. This focus on real-time detection and response is vital in minimizing the impact of ICT-related incidents.


The ICT Business Continuity Policy, referenced in Article 10(1), will be further detailed in the regulatory standards. The standards will specify the necessary components of continuity planning to ensure financial institutions are prepared to maintain critical functions in the face of ICT disruptions. This includes accounting for various scenarios that could impact the stability and functionality of ICT systems, thus ensuring resilience and continuity.

Testing requirements for ICT business continuity plans will also be covered, as outlined in Article 10(5). These standards will specify how testing should address different scenarios, including the deterioration or failure of critical functions, the collapse of ICT third-party service providers, and potential political risks in relevant jurisdictions. Such tests are essential to verify that continuity plans are effective and can withstand real-world challenges.

The ICT Disaster Recovery Plan, referenced in Article 10(3), will also be addressed in the regulatory standards. These standards will ensure that recovery plans are comprehensive and capable of restoring ICT systems and operations in the event of a disruption. By detailing specific components that need to be included in recovery plans, financial entities can ensure a structured and efficient approach to disaster recovery, minimizing downtime and restoring services promptly.

The EBA, ESMA, and EIOPA are required to submit these draft regulatory technical standards to the European Commission within one year of DORA’s entry into force. The Commission, under delegated authority, will then adopt these standards in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010. This process ensures that the technical standards are formally adopted and applied uniformly across the European Union, strengthening ICT security and resilience in the financial sector.

Conclusion

Article 14 of DORA aims to further harmonize ICT risk management practices within the EU financial sector by establishing detailed regulatory standards. These standards will guide the development and implementation of ICT security policies, controls, and recovery plans, ensuring consistency and robustness in managing digital operational resilience. By setting clear requirements and providing a framework for continuous improvement, Article 14 helps financial entities better safeguard their ICT systems and respond effectively to emerging threats and disruptions.
