DORA: What you should know about the latest changes

Our Cyber Security and Privacy team is continuously following the latest developments on the Digital Operational Resilience Act, or “DORA”. Since its first draft developed by the European Commission in September 2020 - which we covered in a previous article - numerous important changes have been made to the Act’s official text, published on 24 June 2022.

A quick overview of the regulation

What is the objective of DORA?

The EU’s aim with DORA is that of strengthening the financial sector’s resilience to ICT-related incidents and introduces very specific and prescriptive requirements that will be homogenous across EU member states. This act provides a very detailed set of criteria, templates and instructions that will shape how financial organisations manage ICT and cyber risks, carry out resilience testing, undergo cyber incident reporting and response, and develop cyber threat information sharing processes. Such requirements have been presented within five main pillars, each of which addressing a core ICT and cyber security issue within the financial sector.

Who will be impacted by DORA?

Financial entities (e.g., credit institutions, insurance organisations, payment processors) and ICT third party service providers (e.g., cloud providers, software providers, data analytics services, data centres) to the financial sector.

When will DORA be enforced?

The implementation timeline has moved to two years after publication of the DORA act within the Official Journal of the EU. Therefore, financial entities will be expected to be compliant to DORA by early 2025 Q1.

What are the new changes to DORA?

The essence of DORA is divided across 5 core pillars that address various aspects or domains within ICT and cyber security, providing a comprehensive digital resiliency framework for the relevant entities. A summary of the key new changes are provided below:

ICT Risk management

New responsibilities for the board of directors, as they must now:
- Develop and approve the Digital Operational Resilience Strategy (DORS)
- Put in place policies to protect the confidentiality, integrity, and availability of all data
- Ensure communication, cooperation, and coordination by implementing an ICT governance framework
- Ensure the use of ICT solutions to prevent breaches of confidentiality, impairment of integrity, and lack of availability and loss of data.
New requirements for the Digital Operational Resilience Strategy (DORS):
- Must include key performance indicators and key risk metrics.
- Shall include a communication strategy for disclosure of ICT incidents.
- Must detail how the financial entity will implement digital operational resilience testing.
New requirements for the design and construction of the ICT risk framework:
- Stricter requirements for independence and avoidance of conflicts of interests for the second line of defence.
- Digital Operational Resilience training to all staff and senior management shall now be customised and cover ICT third-party service providers.
- The Information Security policy should now consider control objectives for the protection of customers’ data confidentiality, integrity and availability.

Expansion of the ICT risk management scope:
- Financial entities must now conduct a comprehensive Business Impact analysis (BIA) mapping business functions, processes, third-party dependencies and high-value assets.
- All information assets will need to be assessed. Previously only ICT assets were within scope.
- Inventories and assessments must now be updated periodically and every time any major change occurs.
Stricter requirements for Business Continuity Management (BCM):
- ICT Business Continuity Plans and the ICT response and Recovery Plans yearly testing shall now cover all supporting functions.
- Testing of backup and restoration procedures shall now be undertaken on a periodic basis.
- Central securities depositories shall now directly maintain at least one secondary processing site.

ICT-related incident reporting

As part of new recording requirements:
- Financial entities must now report to the authorities only on major ICT incidents and not on all ICT incidents
- In addition, most financial entities will have to report to the authorities on major operational or security payment-related incidents
- Financial entities will need to identify and document their cyber threats however, their reporting would only be on a voluntary basis
- Financial entities shall now be ready to submit a report on the review of the ICT risk management framework
- Financial entities must now report ICT incident related losses to the authorities
New records requirements, financial entities must now record all:
- ICT-related incidents
- Significant cyber threats. Cyber threats reporting is also addressed within the new version of DORA.

New requirements for financial entities conducting internal tests have been issued. Entities must now:
- Put in place early warning indicators for ICT-related incidents.
- Classify cyber threats as significant based on several aspects detailed within the DORA new version.
- New notification timelines (all timelines have been redacted from the new version).

Digital operational resilience testing

New requirements for the threat led penetration testing (TLTP):
- Financial entities must conduct a threat led penetration testing every three years. However, the Malta Financial Services Authority (MFSA) may require financial entities to reduce or extend the testing frequency.
- Financial entities must now contract an external tester every three tests.
- Financial entities may subscribe for ICT Third party providers’ pool testing.

New requirements for financial entities conducting internal tests, they shall now:
- Obtain the approval for use of internal testers by the Malta Financial Services Authority (MFSA).
- Provide sufficient resources to conduct the tests.
- Ensure that conflicts of interest are avoided.
- Demonstrate the highest suitability and reputability.
- Possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing.
- Be certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks.
- Provide an independent assurance or an audit report in relation to the sound management of risks associated with the execution of threat led penetration testing.
- Be duly and fully covered by relevant professional indemnity insurances.

ICT third-party risk

Financial entities must now consider the ICT third-party risks of their provider not following the lead overseer recommendations.
New requirements for ICT third-party contracts, which shall detail:
- Service level descriptions including updates and revisions.
- The obligation of the ICT third-party service provider to provide assistance in case of an ICT-related incident at no additional cost or at a previously determined cost.
- The obligation of the ICT-third party service provider to fully cooperate with the competent authorities and resolution authorities of the financial entity.
- Termination rights and related minimum notices period for the termination of the contract.
- The conditions for the participation of ICT third-party service providers in the financial entities' ICT security awareness programs and digital operational resilience training.
- The obligation of the ICT third-party service provider to participate and fully cooperate in a threat led penetration test of the financial entity.

Information sharing

The supervisory authority will now provide relevant anonymised information and intelligence on similar cyber threats to financial entities. Therefore, entities should implement mechanisms to review and take action on the information shared by the authorities.