
Will more targeted regulation through the enactment of the Digital Operational Resilience Act in the European Union aid and/or otherwise impact the UK cyber sector?

Technology evolves at a swift pace, bringing new products and services to the market and imparting efficiencies and cost-savings across the supply chain. A side effect of rapid growth can be the creation of new threat vectors and an expansion of the surface area of vulnerabilities. In short, growth and network complexity come at the cost of hidden operational fragility. We have previously covered the findings of the Department for Digital, Culture, Media and Sport, which published figures in March 2022 showing that 39% of businesses have reported cybersecurity breaches or attacks in the last 12 months. A survey of SME managers in 2021 found that 62% reported an increase in attacks in the last two years.

At particular risk are financial organisations, which arguably provide a more attractive reward for cybercriminals. The Carnegie Endowment for International Peace maintains a timeline of cyber incidents targeting financial institutions, chronicling a wide and evolving range of attacks such as the $322m smart contract exploit which affected the crypto platform Wormhole, and FBI warnings of ransomware actors using market information to extort company insiders; each of these indicates that this is an area of risk.

Europe's approach to operational resilience

The financial sector is no stranger to crisis. In the wake of the 2007/08 financial crisis the EU financial system experienced a series of reforms to bolster liquidity, enhance capital buffers and reduce credit risk. However, the risks posed by information and communication technologies (ICT) were only addressed indirectly as part of general measures to address operational risk in the financial sector. No specific legislation was proposed.

Since then, the European Commission (the Commission) appears to have recognised the tension between fostering innovation within "digital finance" and managing the concomitant cyber and operational risk. Accordingly, the Commission has developed a package of measures to protect digital finance (the Digital Finance Package). As part of this package, the Commission has proposed a regulation commonly known as the Digital Operational Resilience Act (DORA). At a high level, DORA comprises "uniform requirements concerning the security of network and information systems supporting the business processes of financial entities needed to achieve a high common level of digital operational resilience" (Article 1, DORA). In addition to DORA, the Digital Finance Package proposes regulations covering (i) markets in crypto assets, (ii) a pilot regime for market infrastructures based on distributed ledger technology, and (iii) clarification, by way of a proposed directive, on certain related EU financial services rules.

DORA

The Digital Finance Package can be distinguished from the reforms made after the 2008 financial crisis (the Single Rulebook) on a variety of levels. The Commission believes that to protect and enhance digital resilience, measures should move away from minimum harmonisation directives and principle-based regulations so that consistent rulesets can be adopted across the Single Market. The Commission is also aware that absence of rules at the EU level has led to an increase in initiatives at the Member State level, which have had limited success due to the cross-border nature of cyber-risk.

It is within this 'gap' that the Commission proposed DORA as a comprehensive framework aimed at European financial entities. With the broader Single Rulebook already in place, this new package aims to deepen the digital risk management part of the Single Rulebook. It does so by (i) enhancing how financial entities manage cyber-risk, (ii) introducing powers for financial supervisors to oversee risks stemming from third-party IT service providers, and (iii) establishing a thorough testing system of IT functions and incident reporting mechanism.

How, and to whom, will DORA apply?

DORA will be in the form of a Regulation (not a Directive), applying uniformly across Member States, to the 21 entity types listed in Article 2 comprising:

  • Financial entities regulated at EU level such as credit and payment institutions, investment firms and trade repositories, through to audit firms and critical benchmark administrators; and
  • "ICT third-party service providers", which are defined as undertakings that provide digital and data services. This includes core service providers such as cloud computing and data centres, and even ancillary services such as software and data analytics services. The definition excludes providers of hardware components and undertakings authorised by Union law which provide "electronic communication services" (as defined in Directive (EU) 2018/1972 establishing the European Electronic Communications Code).

Despite their broad application, the regulations are tailored to the risk and requirements of specific entity characteristics. In particular, proportionality is embedded in the regulations covering ICT risk management, digital resilience testing, ICT incident reporting and oversight of critical ICT third-party service providers.

Importantly, being situated outside of the EU will not preclude application of the regulations. DORA is designed to reach across critical junctures of the trans-European financial network. Necessarily, that involves oversight of elements of the financial supply chain which reside outside of the Union. To the extent a service feeds in or supports the European financial sector, it is likely that DORA will apply in some respect, regardless of where the provider is headquartered, or the service is delivered from. The establishment of an ICT third-party service provider in a third country is actually considered by DORA as a risk factor and therefore UK institutions must also take note.

Main themes

As proposed, DORA is an extensive and complex set of regulations (the most up to date version of the legislative proposal can be found here). The key themes of the legislation are as follows:

  • Governance related requirements (Article 4);
  • ICT risk management requirements (Articles 5 to 14);
  • ICT-related incident reporting (Articles 15 to 20);
  • Digital operational resilience testing (Articles 21 to 24);
  • ICT third-party risk (Articles 25 to 39); and
  • Information sharing (Article 40).

Third-party providers

DORA requires financial entities to manage ICT third-party risk as an integral component of ICT risk within their risk management framework. DORA aims to harmonise financial entities' contractual relationships with third-party providers, and prescribes at Article 27 a number of key contractual provisions which include: specifying the locations where data will be processed, full service level descriptions (with quantitative and qualitative performance targets and reporting obligations), provisions on accessibility, availability, integrity, security and protection of personal data, and guarantees for access, recovery and return in the event of third-party service provider failure. Article 27 also mandates the inclusion of a right to monitor, access, inspect and audit the ICT third-party service provider. Naturally, these provisions will demand increased collaboration between procurement, legal and compliance teams, and are likely to generate points of friction in contract negotiations, at least until standard contractual clauses have been fully developed and recognised by the market.

The European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA) (together the ESA(s)) will designate certain ICT third-party service providers as "critical". Those critical providers will be subject to the Oversight Framework set out in Articles 29 to 39. In summary, each critical party will be assigned an ESA lead overseer. The lead overseer will have wide powers to monitor the critical provider and assess whether it has effective sets of rules and mechanisms in place to manage ICT risks. The lead overseer is able to request (or require) the provision of information and documentation from the critical provider, to conduct investigations, and even to prevent the critical provider from subcontracting under certain circumstances where (i) the envisaged subcontractor is an ICT third-party service provider or an ICT sub-contractor established in a third country, and (ii) the subcontracting concerns a critical or important function of the financial entity.

Key reporting obligations

Financial entities will be required to establish an ICT-related incident management process to detect, manage and notify ICT-related incidents, and to put in place an early warning indicator system. Incidents will need to be logged and categorised and, as appropriate, communicated to clients, counterparts, external stakeholders and the public.

ICT-related incidents with a potentially high adverse impact on the network and information systems that support critical functions of the financial entity will need to be reported to the relevant competent authority. Materiality thresholds will be specified by regulatory technical standards developed by the ESAs in consultation with the European Central Bank and the European Union Agency for Cybersecurity. Financial entities must report major incidents via a common template, and will be required to submit (i) an initial notification before the end of the business day or as soon as reporting channels become available, (ii) an intermediate report no later than one week after the initial notification, and (iii) a final report no later than one month from the initial report.

Extant legislation and guidelines

The existing technical and legislative terrain has been evolving, and includes the Payment Services Directive, the Single Supervisory Mechanism, the GDPR and the Network and Information Security Directive, as well as guidelines issued by the EBA, EIOPA and ESMA.

The European strategy for data (as communicated by the Commission to the European Parliament in 2020) notes four pillars – data protection, fundamental rights, safety, and cybersecurity – with which DORA appears to be consistent. We anticipate that DORA will also be consistent with the "horizontal" framework on cybersecurity, such as the proposed NIS2 Directive, as well as procurement staples such as the EBA's outsourcing guidelines. Naturally, we expect extant guidelines will require amending to maintain consistency with DORA; the position will of course become clearer once DORA's final text is confirmed and the relevant requirements are formally codified in law. Adoption of DORA is expected later this year, after which it will shortly enter into force and then apply 24 months thereafter.

Where does the UK sit?

DORA's reach beyond the Member State boundaries will mean that UK-based financial entities and ICT third-party service providers should appreciate the legislation's significance and the impact it will have on contracting parties' expectations. Moreover, the Financial Services and Markets Bill intimated in the Queen's speech of May this year will likely result in a parallel set of domestic obligations, similar to the way organisations that service or monitor EEA-based data subjects now find themselves navigating both EU and UK data protection legislation.

Despite the inevitable teething pains DORA will likely bring, it is clear that there is significant value in establishing a unified and streamlined framework for coordinated incident reporting, resilience testing, coordination of third-party risk management, and direct regulatory oversight of critical ICT providers. Prevailing market commentary in the technical and legal space is largely positive; Google Cloud, which has engaged with policymakers since the tabling of the DORA proposal in 2020, has announced its support.

As is the nature of ICT, praise is rarely sung when things go to plan, though voices are quickly raised when things go wrong. At the very least, DORA introduces a long-awaited legislative consistency, as well as a range of novel commercial opportunities for third-party providers to demonstrate competitive value. After implementation costs and frictions have begun to settle, the legislation's design should impart long-term protections and efficiencies that will be enjoyed, perhaps unknowingly, by market participants and the public alike.

DORA is likely an indicator of things to come in the UK, and a focus on cyber security, regardless of sector, is greatly welcomed by many.