2025 brings new ICT related rules for EU financial institutions

Regulation (EU) 2022/2554, commonly known as the Digital Operational Resilience Act (DORA), represents a significant step forward in enhancing the digital resilience of the financial sector within the European Union. Adopted by the European Parliament and the Council on 14 December 2022, DORA aims to establish a comprehensive framework to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. The regulation entered into force on 17 January 2025, and applies directly across all EU member states.

In the digital age, Information and Communication Technology (ICT) supports complex systems used for everyday activities. It keeps our economies running in key sectors, including the financial sector, and enhances the functioning of the internal market. Increased digitalization and interconnectedness also amplify ICT risk, making society as a whole, and the financial system in particular, more vulnerable to cyber threats or ICT disruptions.

Until now, financial institutions were required to comply with the European Banking Authority (EBA) guidelines on outsourcing, ICT and security risk management, among others. These guidelines have been instrumental in establishing a sound basis for technology risk management.

DORA, however, establishes a comprehensive framework for digital operational resilience in the financial sector. Unlike those guidelines, it introduces a number of more stringent and detailed requirements, which will inevitably require financial institutions and their ICT providers to invest substantially in both human and material resources to meet the new regulatory parameters.

Summary of main obligations

DORA imposes several key obligations on financial entities to bolster their digital operational resilience:

  • ICT risk management: Implement robust internal governance and control measures to manage ICT risks effectively. This includes maintaining a comprehensive ICT risk management framework that encompasses strategies, policies, procedures, and tools to respond swiftly to ICT incidents. The framework should cover all aspects of ICT risk, including identification, protection, detection, response, and recovery. Entities are required to regularly review and update their ICT risk management frameworks to ensure they remain effective in the face of evolving threats.

  • Incident reporting: Establish processes for identifying, reporting, and managing ICT-related incidents. This ensures timely communication and resolution of issues that could impact the financial sector's stability. The regulation mandates that significant ICT incidents be reported to the relevant competent authorities within a specified timeframe. This allows for coordinated responses and helps mitigate the impact of such incidents on the broader financial system.

  • Resilience testing: Regular testing of ICT systems and protocols is mandated to ensure their reliability and resilience. This includes conducting advanced testing such as threat-led penetration testing to identify and mitigate vulnerabilities. Financial entities must develop and implement testing programs that simulate various threat scenarios, including cyber-attacks and system failures. The results of these tests should be used to improve the entity's ICT resilience measures.

  • Third-party risk management: Manage risks associated with third-party ICT service providers. This involves conducting due diligence, monitoring performance, and ensuring that third-party providers comply with DORA's requirements. Financial entities are required to have contractual arrangements in place that specify the responsibilities of third-party providers in managing ICT risks. Additionally, entities must regularly assess the ICT risk management practices of their third-party providers to ensure they meet the required standards.

  • Information sharing: Share information on cyber threats and vulnerabilities with relevant authorities and other financial entities to enhance collective resilience. This collaborative approach helps create a more secure financial ecosystem by enabling entities to learn from each other's experiences and adopt best practices in ICT risk management.


Implementing and developing regulations

To support the implementation of DORA, several Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) are being developed. These standards provide detailed specifications and requirements to ensure consistent application of DORA across the EU. The European Supervisory Authorities (ESAs) are responsible for drafting these standards, which cover various aspects of ICT risk management, incident reporting, resilience testing, and third-party risk management.

One of the key areas of focus is the development of RTS on subcontracting ICT services that support critical or important functions. As of the date of this article, however, the European Commission has rejected the draft RTS on subcontracting submitted by the ESAs. The Commission's decision, dated 21 January 2025, cited concerns that the provisions on monitoring subcontractors exceeded the mandate given to the ESAs by DORA. The ESAs now have six weeks to amend the draft RTS in line with the Commission's requirements and resubmit it.

Main takeaways and challenges for the financial market

While DORA sets a robust framework for digital operational resilience, it also presents several challenges for the financial market. There is still great uncertainty in the financial sector as to how some of the obligations are to be complied with, and European institutions need to move quickly to ensure that the rules of the game are applied equally by all financial sector players.

Given the increasing regulatory and compliance complexity, the degree of precision and technical development required to ensure homogeneous, high-quality information processing is key to the effective supervision of an increasingly interconnected financial sector. The regulators themselves still need to prepare their own IT systems for this new exchange of information.

2025 will be a transition year, in which much of the reporting and many of the obligations will be handled manually, becoming more automated from 2026 onwards. The evolution of these important steps in technology risk management, together with the progressive integration of artificial intelligence into these processes, reinforces the need for quality data. But at least for some time, the success of timely failure detection and reporting will continue to depend, to a large extent, on human intervention.

In short, DORA represents a sound transformation in technology risk management, marking a turning point in the way the financial sector deals with digital resilience. This regulation, without forgoing accumulated experience, raises the standards and broadens the scope of existing guidelines, driving a safer and more resilient financial system. The road to full implementation of DORA is an ongoing process that will require continued commitment and adaptation.
