Preamble 41 to 50, Digital Operational Resilience Act (DORA)

Sep 4, 2024 by Sneha Naskar

The Digital Operational Resilience Act (DORA) aims to bolster the EU financial sector's defense against cyber threats and ICT-related risks by enhancing information sharing, rigorous testing, and effective third-party risk management. The following sections outline essential provisions of DORA from Preamble 41 to 50.

41 Flexibility in Recovery Time Objectives

DORA allows financial entities the flexibility to set their recovery time objectives based on the specific nature and criticality of their functions, as well as their individual business needs. However, when defining these objectives, entities must also consider their potential impact on overall market efficiency.

42 Enhancing Reporting of Major ICT Incidents

Given the financial sector’s increased vulnerability to cyber-attacks, improving the reporting of major ICT-related incidents is crucial. DORA emphasizes the need for harmonized ICT incident reporting across all financial entities, with direct reporting to competent authorities. This approach ensures that financial supervisors can relay critical information to relevant non-financial public authorities, such as NIS authorities, data protection agencies, and law enforcement, especially in cases involving criminal activity. This two-way information flow is vital for enhancing resilience across the sector, with ESAs providing anonymized threat and vulnerability data to support collective defense efforts.

43 Centralization of ICT Incident Reporting

DORA proposes the centralization of ICT incident reports through a single EU Hub. This hub could directly receive incident reports and automatically notify national competent authorities or serve as a coordinating center for reports collected by national authorities. ESAs, in collaboration with the ECB and ENISA, are tasked with preparing a joint report to assess the feasibility of establishing such a central EU Hub by a specified date.

44 Regular Testing for Digital Operational Resilience

DORA mandates that financial entities regularly test their ICT systems and personnel to ensure strong digital operational resilience in line with international standards, such as the G7 Fundamental Elements for Threat-Led Penetration Testing. This testing should evaluate the effectiveness of preventive, detection, response, and recovery capabilities against potential ICT vulnerabilities. Testing requirements should be scaled according to the maturity and systemic importance of the financial entities, with more significant entities and core systemic subsectors subjected to more stringent testing. Cross-border financial entities operating within the EU must comply with advanced testing requirements in their home Member State, covering all ICT infrastructures across jurisdictions.

45 Principle-Based Monitoring of ICT Third-Party Risk

DORA calls for the establishment of principle-based rules to effectively monitor ICT third-party risks, including those related to outsourced functions and dependencies. Monitoring efforts should be proportionate to the scale, complexity, and significance of ICT-related dependencies, ensuring the continuity and quality of financial services at both individual and group levels. Management bodies should adopt a strategic approach to monitoring these risks, continually screening dependencies. Financial supervisors, in turn, should receive regular updates from registers and can request additional information to enhance their oversight.

46 Responsibilities in Monitoring ICT Third-Party Risk

Financial entities are responsible for adhering to their obligations under DORA, particularly in monitoring ICT third-party risks. This monitoring must be scaled to the complexity and criticality of services, processes, or functions under contractual arrangements, with a focus on ensuring service continuity and quality at both individual and group levels.

47 Strategic Oversight of ICT Third-Party Dependencies

Management bodies must develop a dedicated strategy for overseeing ICT third-party dependencies, ensuring effective governance and risk management. Financial supervisors play a key role in this oversight by regularly exchanging information and accessing essential details from registers.

48 Pre-Contractual Analysis and Contract Termination

Before entering into contracts with ICT third-party service providers, financial entities must conduct thorough pre-contractual analyses. Contract termination should be considered if specific circumstances indicate deficiencies in the ICT third-party service provider, thereby ensuring the financial entity’s operational resilience and continuity.

49 Addressing Systemic ICT Third-Party Concentration Risk

DORA advocates for a balanced approach that respects business conduct and contractual freedom to mitigate systemic risks posed by ICT third-party concentration. Financial entities should assess their contractual arrangements, particularly those involving sub-outsourcing to ICT third-party providers in third countries. Oversight by designated ESAs should focus on understanding interdependencies and engaging in dialogues with critical ICT third-party service providers to safeguard the stability and integrity of the EU financial system.

50 Harmonization of Key Contractual Elements

DORA calls for the harmonization of key contractual elements throughout the contract lifecycle to facilitate ongoing monitoring of ICT third-party service providers and ensure digital resilience. These elements should include minimum contractual aspects necessary for comprehensive monitoring by financial entities, thereby ensuring the stability and security of ICT services.

These provisions underline DORA's commitment to enhancing the EU financial sector's resilience against ICT risks through targeted strategies, robust testing, and effective third-party risk management.