New cybersecurity requirements for digital finance

by Jeppe Songe-Møller, Bjarne Rogdaberg, Sebastian Sundberg, William Eitrem and Hasan Erdogan

The Digital Operational Resilience Act ("DORA") was proposed by the European Commission on 24 September 2020. Following a two-year period of review, negotiations, and adjustments, DORA was adopted on 28 November 2022.

DORA comprises both a directive and a regulation and is part of a larger digital finance regulatory initiative, which aims to 'develop a European approach that fosters technological development and ensures financial stability and consumer protection'.[1] The package also includes a digital finance strategy, a proposal for distributed ledger technology and a proposal on markets for crypto assets.


DORA is quite comprehensive, and this article is limited to outlining the main categories of duties and responsibilities that financial entities will face. For fintech undertakings, such as financial entities that combine their businesses with innovative technologies or third party service providers, DORA may in some cases have a major impact and thus, we will also briefly look at what could be expected for the fintech industry.


DORA must be implemented within 24 months counting from 20 days after publication in the EU Official Journal, which took place on 27 December 2022. Hence, by January 2025 firms will be expected to be in full compliance with all of DORA’s new requirements, including requirements adopted through secondary legislation by the European Banking Authority, the European Insurance and Occupational Pension Authority and the European Securities and Markets Authority.

Purpose

The most important aim of DORA is to prevent and mitigate the impact of cyber threats on financial entities. The EU acknowledges that financial institutions and payment systems provide essential services in the European society. Thus, Europe risks being severely impacted by a disruption of the technological services on which financial institutions and payment systems rely, regardless of whether those disruptions are the result of natural disasters or actions by hostile powers.


On this basis, more specifically, DORA aims to


…enhance and streamline the financial entities’ conduct of ICT risk management, establish a thorough testing of ICT systems, increase supervisors’ awareness of cyber risks and ICT-related incidents faced by financial entities, as well as introduce powers for financial supervisors to oversee risks stemming from financial entities’ dependency on ICT third-party service providers.[2]


To accomplish this goal, several obligations related to the management of information and communications technologies ("ICT") are imposed upon financial institutions. Further, it is hoped that DORA will ensure a holistic framework that can strengthen competition and innovation within the European Union.

Scope

DORA will impose obligations on a variety of financial institutions, cf. Article 2 ("financial entities"). The list, which appears to be exhaustive, includes credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks and crowdfunding service providers.


In addition, DORA will cover ICT third-party service providers.


Accordingly, DORA affects a large variety of entities. There are, however, certain obligations which do not apply to "microenterprises", in line with the EU's efforts to mitigate compliance costs for small and medium-sized businesses.

Main Obligations

In essence, the obligations placed on financial entities can be divided into four main categories. The responsibility mainly lies with the "management body", defined as


…the body or bodies of an investment firm, market operator or data reporting services provider, which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making and include persons who effectively direct the business of the entity.[3]


In Norway and Sweden, this is effectively the board of directors of the financial entity.


The main categories of obligations are summarized in the following:


  1. Governance and control (Article 4)

The management body is tasked with a number of duties to 'define, approve, oversee and be accountable' for arrangements relating to the ICT management framework outlined. The management body shall, for example:


  • bear final responsibility for the entity's ICT risks;
  • determine the ICT risk tolerance level;
  • approve and periodically review the entity's ICT business continuity policy and ICT disaster recovery plan; and
  • be duly informed about ICT-related incidents and their impact.

  2. Management of ICT risks (Articles 5 to 14)

These provisions impose obligations to have an ICT risk management framework. Article 5 outlines the most important contents of this framework, while Articles 6 to 14 elaborate on the contents and appropriate corresponding procedures.


  3. Reporting of ICT incidents (Articles 15 to 20)

The provisions specify the processes necessary to properly manage ICT-related incidents, including detecting, classifying, reviewing, and reporting to the supervisory authorities.


  4. ICT third-party risk (Articles 25 to 39)

These provisions address third-party risks. ICT services are often outsourced or contracted to third parties, so assessing and mitigating third-party risks is essential. The obligations include implementing a number of specific clauses in contracts with third parties, making the assessment of third-party risks an integrated part of ICT risk management, and prohibiting the use of ICT services which do not comply with "high, appropriate and the latest information security standards".


Additionally, businesses designated by the government as "significant" (e.g. essential payment service providers) are required to complete performance testing of their operational resilience (Articles 21 to 24).

Fintech

For fintech undertakings that are financial entities and combine financial services with new technological innovations, DORA will be especially relevant in relation to distributed ledger, artificial intelligence and machine learning technologies. This will also have an indirect impact on third-party service providers of such technologies. For example, financial entities' use of e-signing for customer authentication, payment solutions, data protection and so on will be covered by the new regime.


The introduction of DORA means that financial entities will be subject to uniform requirements in relation to identifying relevant risks that may be affiliated with their businesses and the technologies used. Such risks may be related to the business and the financial services offered, digital vulnerability, confidentiality, data protection as well as the effectiveness of internal routines and policies. Where ICT-related incidents occur, financial entities will be expected to ensure business continuity and to prevent or limit damage from such incidents.


The obligations pursuant to DORA aim to address the cyber risks associated with the continuing interconnectedness of financial entities, financial markets and financial market structures, as well as protect consumer and market trust and confidence.


Accordingly, financial entities shall, in addition to the already applicable acts within their respective fields, comply with DORA in order to ensure sufficient risk management and take necessary measures to address the cyber risks relevant to their respective businesses. Financial entities will also be expected to have proportional measures and recovery plans in place for instances where ICT-related incidents occur. This will also have an indirect impact on third party service providers that provide such services.

Compliance

Some financial entities may have already implemented guidelines issued by the European Banking Authority and the European Insurance and Occupational Pension Authority in relation to cyber security and ICT risk. These businesses will be better prepared for DORA; however, even these entities will be obliged to undertake further measures pursuant to the new cybersecurity requirements.


It remains to be seen whether compliance with other cybersecurity rules and standards (e.g. NIS2, GDPR, ISO27001, national security laws, etc.) will benefit those financial entities that have previously carried out cybersecurity compliance projects with comparable requirements.


Even though some businesses might be close to compliant, service providers within IT security and risk management will be in high demand both before and after DORA becomes binding. IT service providers with adjacent cybersecurity service offerings might want to expand the range of their services and position themselves as providers of tools for becoming "DORA compliant".


In order to prepare for DORA, financial entities may want to assess the current state of their digital security and look at how the business can adapt to the new and specific requirements. In a time where digital vulnerability is becoming ever more relevant, companies may benefit from optimizing their digital security regardless of the implementation of new requirements.


We recommend financial entities start mapping out their digital finance cybersecurity risks and how to mitigate them. We also recommend implementing routines and procedures on how to manage risks and potential incidents. These routines and procedures should be designed to be practical, targeted and effective to enable the company to meet the deadline for notifying authorities of incidents. Furthermore, we recommend third party service providers analyse how DORA will affect their products or services.


Our specialist lawyers have extensive experience in advising Nordic and international financial entities concerning digital financing, IT, fintech, cybersecurity, data protection, national security issues and regulatory compliance. We regularly assist financial and corporate clients in creating and implementing routines, IT contracts, compliant outsourcing and cloud arrangements as well as providing strategic and legal advice in a commercial context.



[1] https://www.consilium.europa.eu/en/press/press-releases/2022/11/28/digital-finance-council-adopts-digital-operational-resilience-act/


[2] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0595&from=EN, page 1.


[3] Directive 2014/65/EU of 15 May 2014, on markets in financial instruments, Article 4 nr. 1 (36).