Preamble 21 to 30, Digital Operational Resilience Act (DORA)

Sep 4, 2024 by Sneha Naskar

The Digital Operational Resilience Act (DORA) is a legislative proposal by the European Commission designed to fortify the operational resilience of the EU financial sector against cyber threats and ICT-related risks. The following key points from Preamble 21 to 30 outline the Act's comprehensive approach to enhancing the EU's financial stability in an increasingly digitized environment.

21 Harmonization of ICT Incident Reporting

ICT incident reporting across EU member states varies widely, with differing thresholds and classifications, complicating compliance for financial entities operating across borders. Despite efforts by the European Union Agency for Cybersecurity (ENISA) and the NIS Cooperation Group, inconsistencies persist, making centralized reporting at the Union level challenging. DORA addresses this by pushing for uniform reporting mechanisms essential for quick information exchange during significant ICT incidents that could impact the system as a whole.

22 Strengthening Supervisory Oversight

To empower competent authorities in their supervisory roles, DORA emphasizes the need for comprehensive rules to enhance the ICT incident reporting regime. Current gaps in reporting requirements necessitate harmonization across all financial entities. DORA aims to streamline reporting obligations and empower the European Supervisory Authorities (ESAs) to standardize reporting elements, such as taxonomy, timeframes, datasets, templates, and thresholds, thereby improving supervisory capabilities and facilitating better information sharing across public authorities.

23 Coordinated Digital Operational Resilience Testing

DORA addresses the lack of coordination in digital operational resilience testing across financial subsectors and national jurisdictions. This lack of consistency leads to duplicated costs and barriers to mutual recognition of testing results. DORA proposes mandatory coordinated testing frameworks and the mutual recognition of results among competent authorities, helping cross-border financial entities avoid inefficiencies. These measures are crucial for identifying vulnerabilities, testing defense capabilities, ensuring business continuity, and building trust among stakeholders.

24 Addressing ICT Third-Party Risks

As financial entities increasingly rely on ICT services to enhance business efficiency, complex contractual arrangements with ICT third-party providers often fall short of industry standards. This gap hinders effective monitoring and risk assessment of subcontracting processes. DORA aims to establish clear principles and minimum contractual rights for managing ICT third-party risks, empowering financial entities to enforce regulatory requirements, monitor third-party activities, and mitigate external ICT-related risks more effectively.

DORA Compliance Framework

25 Enhancing Union Oversight of Critical ICT Providers

The concentration of critical ICT third-party providers presents systemic risks to the financial sector. Current Union legislation and supervisory tools inadequately address these risks, particularly in outsourcing practices and dependencies on key ICT service providers. DORA advocates for a robust Union oversight framework that enables continuous monitoring of critical ICT third-party providers. This framework will help financial supervisors effectively quantify, qualify, and mitigate the consequences of ICT-related risks, thereby enhancing financial stability and resilience against external ICT dependencies.

26 Evolution of Financial Entities' Reliance on ICT

Financial entities' increasing reliance on ICT services drives efficiency, scalability, and competitiveness in a digital global economy. However, this reliance also underscores the need for robust regulatory frameworks to manage associated risks effectively. DORA acknowledges the evolving nature of ICT dependence and aims to ensure that regulatory standards keep pace with these developments to safeguard financial stability.

27 Challenges in Contractual Arrangements with ICT Third-Party Service Providers

Complex contractual arrangements with ICT third-party providers often fail to meet regulatory requirements or provide adequate safeguards. Financial entities struggle to negotiate contracts that align with prudential standards, complicating risk management and oversight of subcontracting processes. DORA seeks to address these challenges by establishing key principles and contractual rights that ensure effective risk monitoring and management at the ICT third-party level.

28 Regulatory Gaps in Outsourcing and ICT Third-Party Dependencies

While some Union legislation addresses outsourcing in financial services, the monitoring of contractual dimensions remains insufficiently anchored in Union law. The absence of specific standards for contractual arrangements with ICT third-party providers leaves financial entities vulnerable to external ICT risks. DORA aims to fill this gap by setting clear principles for managing ICT third-party risks, including core contractual rights to ensure effective risk monitoring and management.

29 Lack of Homogeneity in ICT Third-Party Risk Management

There is a significant lack of consistency in managing ICT third-party risks across the Union. Despite efforts like the 2017 recommendations on outsourcing to cloud service providers, systemic risks from reliance on critical ICT third-party providers are still inadequately addressed. DORA highlights the need for national supervisors to have specific mandates and tools to fully understand and monitor risks associated with dependencies on these critical ICT providers.

30 Establishing a Union Oversight Framework for Critical ICT Providers

Given the systemic risks associated with increased outsourcing and reliance on critical ICT third-party providers, DORA advocates for a comprehensive Union oversight framework. This framework will enable continuous monitoring of critical ICT providers, ensuring that financial supervisors can effectively quantify, qualify, and mitigate ICT-related risks. This proactive approach is essential for strengthening financial stability and resilience against external ICT dependencies within the Union.

These preambles highlight DORA's commitment to fortifying the EU financial sector's resilience against ICT risks, ensuring service continuity, and protecting stakeholders' interests in an increasingly digital landscape.