EU financial services firms face tougher cybersecurity rules in two years
Published on 22nd Dec 2022
The European authorities have adopted rules on digital operational resilience to tackle risks and harmonise requirements
The digital age of financial services brings both exciting opportunities and new risks, as the sector relies more heavily on information and communication technology (ICT). The EU regulation on digital operational resilience for the financial sector, known as the Digital Operational Resilience Act (DORA), aims to strengthen and harmonise ICT requirements for firms, helping to ensure they can effectively withstand, respond to and recover from ICT-related disruptions and threats.
The European Parliament and the Council of the EU adopted DORA in November 2022. The text will be published in the EU's Official Journal and enter into force by early 2023. DORA will then be applicable 24 months after its entry into force, around late 2024 or early 2025.
Who will be in scope?
DORA will apply to a broad range of financial entities regulated in the European Economic Area (EEA), including banks, payment and e-money institutions, investment firms, fund managers, and cryptoasset service providers.
The rules will also catch ICT third-party service providers, including providers of cloud computing services, software, data analytics, and data centres, where the European authorities designate them as "critical". This measure is being introduced in response to growing concern that, with many EEA financial institutions relying on a small group of major service providers, the failure of one service provider has the potential to cause significant instability for financial entities and, in turn, the financial markets.
Obligations for firms
In-scope firms must be able to withstand, respond to and recover from ICT incidents. Important requirements for firms will include:
- Having internal governance and control frameworks that allow them to manage ICT risks effectively and prudently
- Having a robust and well-documented ICT risk management framework in place that allows them to address ICT risks quickly and comprehensively
- Reporting major ICT-related incidents to the relevant regulator
- Regularly carrying out digital operational resilience testing, including a range of assessments, methodologies, practices and tools
- Managing ICT third-party risk within their ICT risk management framework
Osborne Clarke comment
In-scope firms still have plenty of time to implement the new requirements ahead of the go-live date. However, firms may wish to assess their ICT systems and consider what uplift may be required for compliance sooner rather than later, especially as some preparation may take significant time, such as migrating operations from older systems.
In some cases, firms may also wish to upgrade or supplement contract provisions with specific service providers in order to help them meet the new obligations. There is some tension here: DORA is, in essence, about reducing dependence on critical providers, yet it is likely to be the larger providers that are best placed to meet any new requirements that firms request.
The UK government has proposed its own regulatory regime for critical ICT providers, bringing the material services they provide to the financial sector under the direct supervision of regulators. Measures to this effect are included in the Financial Services and Markets Bill, which is making its way through Parliament, and the new regime could be launched as early as 2023. The EU regulation will also overlap with existing UK rules on operational resilience.
If you have any questions about the potential impact of DORA or the UK equivalent regimes, please contact our experts below.
Jamie Roberts, a Trainee Solicitor at Osborne Clarke, contributed to this Insight.