KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
The Digital Operational Resilience Act (DORA), which entered into force on 16 January 2023 and will apply from 17 January 2025, aims to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities. DORA sets out uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information and Communication Technologies) services to them, such as cloud computing or data analytics services. DORA creates a regulatory framework on digital operational resilience, whereby all financial entities need to make sure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across the EU, with the core aim to prevent and mitigate cyber threats. DORA is complemented with several “regulatory technical standards (‘RTS’)” which give more details on requirements for cyber security.
As the whole DORA legislation cannot be presented in a short timeframe, I will focus on the part that is most important to ensure cybersecurity and the part that is the most interesting one for the audience, the RTS on ICT Risk Management Framework. I will give a quick overview and highlight the topics, which will bring the most workload to the industry. The biggest challenges will be in the areas of Asset Management, Operations Security, Network Security and Encryption.
The Digital Operational Resilience Act (DORA), which entered into force on 16 January 2023 and will apply from 17 January 2025, aims to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities. DORA sets out uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information and Communication Technologies) services to them, such as cloud computing or data analytics services. DORA creates a regulatory framework on digital operational resilience, whereby all financial entities need to make sure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across the EU, with the core aim to prevent and mitigate cyber threats. DORA is complemented with several “regulatory technical standards (‘RTS’)” which give more details on requirements for cyber security.
As the whole DORA legislation cannot be presented in a short timeframe, I will focus on the part that is most important to ensure cybersecurity and the part that is the most interesting one for the audience, the RTS on ICT Risk Management Framework. I will give a quick overview and highlight the topics, which will bring the most workload to the industry. The biggest challenges will be in the areas of Asset Management, Operations Security, Network Security and Encryption.
At first, I want to apologize. I am in Singapore right now on a supervisory confluence. That's why I can't be here. And somehow I got shut out of the network by our security system because there's an animal activity, someone trying to connect from Singapore to an unknown teamster. So I got shout out, that's why I have to use my iPad. But I hope you can still hear me and the colleagues will handle the presentation for me. I'm not only working in unk, I'm working in a team that is writing the regulatory technical standard for the risk management framework under dowa.
So I think I'm really a good presenter for that topic and I will try to give you a short overview about dowa and then I will focus on the risk management framework. Okay, next slide please. You'll start with the overview. So doer is a regulation that's very important to know. A regulation means you do not have to wait for like a national implementation later like we used to do with an EBA guideline. And then there's the DAIT or something like that. Regulation means you have to follow that, you have to take measures to CO to be compliant with this regulation.
So that's the first really important thing and this is the regulation on the digital operational resilience in the financial sector Dora and this the European response to the digital challenge and the change in financial services and the increasing threat of cyber threats in the financial sector. So that's why we are doing that and the focus is to enable the European union's financial system to maintain operational stability and event of a serious disruption.
So that's, that's another new thing. It's not like we used to do op risk, try to to have money in the bag and if something happened then I have the money to solve the problems. It's about having the ability to op to, yeah, operational stability in the event of a serious project. And another important thing, that's the new thing and that's something really leading in the world and a lot of other competencies try to follow this approach or try to get an idea if they can do the same. It's to dealing appropriately with increasing dependence of the financial sector on third party providers.
So what's going to happen is we will create surveillance and oversight framework for critical IT third party providers and then there will be over three, four critical third party providers and it's focused on the big cloud providers. And that's something that's really new and we hope to get better leverage on the big cloud service providers for that. The other core of it is the harmonization of the IT risk management framework and the extension and standardization of reporting requirements for serious IT incidents. Next slide please.
So we used to have different regulation for different countries and we different regulation for different sectors and DORAN now applies to almost all financial institutions within the European Union and those are approximately more than 22,000 financial institutions who have to follow the rules set out in over. And as you can see, there's like every kind of financial institute, you can think about it as a credit institution, payment institution waiting when use central counterparties waiting agencies, insurance companies, data provision services.
It's really a lot of companies who fall on the door and a lot of them didn't have a strict regulation yet but they will get one as we move to the next slide. So it's not only the doorway act like the the regulation that is already out since January this year there will be more details and more technical standards and implementation standards. So there will be additional acts and those acts they focus on different topics.
I won't highlight all of them but maybe the most important ones, it's the first one, the ICT risk management framework that will be 2230 pages of additional rules you have to follow for your IT risk management. Then you will have RTS on sweat lab penetration testing. You will have RTS on specifying elements when subcontracting critical or important function.
So if you want to outsource your critical or important function, there will be an an actual regulation, contractual arrangements that you will have to negotiate with your contractor and those RTSs and ITSs and also two guidelines, they come out in two batches. One batch is already deployed and it's already converted and we are currently finalizing it like the feedback from the consultation, that's the the first batch and the second batch will come and yeah in the next few weeks, end of November, early December.
And you are all invited to take part of the discussion of the content of these standards. So there will be process for that and we really would appreciate as much comments as possible so we can have the best regulation. In the end we move on to the timeline of what happened and what will happen. In the past 2020 to 22 there was all this negotiation and preparing of the actual regulation and then the regulation became active on January the 17th and it will be finally in place and all of the measures have to be finished and all of the requirements have to be implemented two years later.
That's 0.7 on January the 17th. So you will now have like 13 and a half months left to fulfill all the requirements that are set out indoor and after that date, if you have an inspection or anything, you will be measured against our and the standards behind the phases. Yeah there we can move on. We don't have time. The main elements and the implementation of the RT SS and IT answer. So these are the six key topics that are addressed in and the first one is the ICT risk management.
IT focus on governance and control framework for ICT risk and for procedures for identification and protection and response. I think we all know that very similar to this recovery then different continuity management and further development and there will also be a relief for microenterprises but microenterprises it's a defined term and it's really micro. So less than 10 million in balance sheet there are less than 50 employees and there are not a lot of financial entities that are that small. I can't think about one for my head.
The next topic will be go, go back please testing on digital operational resilience. That will also be an RTS for that. And you may know the type of framework, a threat led, intelligent based ethic we teaming. So this will be an comprehensive test program with annual tests and this will be mandatory for the biggest financial entities.
We haven't defined exactly yet who will be those biggest financial entities which the test will be mandatory for but that may happen and that's the big difference to tie by T was not mandatory and you could do it if you wanted to but now the TLPT test on the dowa will be mandatory. So the third point is the monitoring framework for the critical ICT third party service providers. And that's like I said, it's a really big game changer. What what's happening is criteria are defined for classifying those critical ICT service providers. I will come back to that later.
And then expectations and monetary classifications will also be added. And the as whole you can think about it that it's comparable like the single supervisory mechanism for the big financial entities. There will be this supervisory mechanism for the big critical third party service providers. And then we have the reporting systems for ICT incidents. So right now you may have to report to the to the ECP for if you're a major significant institute or you have to report to fin under PSD two or you have to report to whatever and this will all be harmonized that's in that topic.
And then we have the third party risk management. There will be strategies and guidelines for using third party providers. For example, you will have to have an exit plan if you have a critical or important function outsourced. And that's sometimes not that easy to get. So that's an example for one requirement there you have to keep an information we guess of all your outsourcings and this information. We guess there will be the base for the definition of the critical third party service providers.
You will have to do risk analysis prior to the conclusion of a contract with the third party service providers. And we define a lot of things that you have to do in the risk assessment here in door and the RTS and there will be requirements for the material contractual provisions. So those requirements ha will have to be in every contract with a third party service provider and also for the existing ones. So you will have to you know, renegotiate them.
And then there's another topic, it's the exchange of information like, like it says the FES are encouraged to exchange insights and threats and the NCAs will have to be informed about membership and a group like that. Now we move on either short overview of the new testing of digital operational resilience. Like I said, it's for the biggest institutes and the TLPT and the RTS is developed in agreement with the existing T framework like tb, this EU wide framework and an agreement with the ECB that was very important for us that those go along together.
And on the right side you see four major difference Tier, tier will be a standardized supervisory instrument. So it won't be, like I said on it will be mandatory. So that's that's the big biggest change.
And yeah, only mandatory for the largest es it will be like ber wars but it will not be restricted to the TBE nations. How it's now it will be open for, well not open but mandatory for all the member states in the European Union. And one difference to thet, another difference to Tai is that internal auditors might be permitted under special circumstances. That was something that was never permitted in Taiba. Then we move on to the framework.
So I told you that we aim to have the biggest third party service providers with the most outsourcing of critical or important functions to under those framework. And there will be a joint commentary between the three major overseers in Europe, the EBA for banking, the now for insurances or no for markets and the I OPO for insurances. And one of these will be the lead supervisor for the third party service provider. It will depend on different criteria. For example, if most of the customers are banks, it might be the CBA in that case.
And then there will be formed and joint examination team, that's the red corner and that's like the supervisory team. You have now foreign financial entity where you have a lead overseer and member from the different states working together in AJST. Then you will have a, then you will have JET and those will, they will do the supervision of that third party service provider. And you may wonder what can they do because it's, it's not a direct supervision because a third party service provider, they do not need a license from the EBA to work because they do not only work with financial entities.
So it's an indirect supervision. But in the regulation there are some really interesting things that they can do. So they can request for information and documentation and they have to give it to them. They then can, they can make recommendations with with regard to the application of the relevant specified ICT security and quality requirements. And if the, if the party service provider doesn't follow the requirements, they can be in imposition of a penalty payment and a penalty payment can be up to 1% of the global daily revenue of the previous financial year.
And that's quite a lot 1% of the daily revenue and this penalty can be issued again and again until their problems are solved. Also the imposed penalty payments that can be published. So everybody knows that there's something going wrong with that financial entity and in the end at like at worst case the lead overseer can prohibit to work with those critical third party service providers anymore and then the financial entities have to quit those outsourcing arrangements there.
So the, that's really interesting and a really big new topic what the jts will do there to oversee the critical third party SET service providers. But important thing is the financial entities who outsource will still have to do their controls. They can't like rely on the J'S work. They still have to do all the controls that they have to do now.
Okay, let's move on to the ICT risk management. According to do, so that's a few on the regulation we have articles eight to 12, it's a typical life cycle. And then the articles nine to 11, those are the ones. Protection and prevention, detection and reaction and recovery. Who will be further specified in the RTS and then the RTS looks like the following slide. We have made five major topics in this RTS and the first topic is ICT security policies, procedures, tools and tools. I think it's protocols and tools. It must be translation error and the topics.
And this are provisions on governance ICT risk management, how to build AICT risk management, ICT asset management with minimum requirements for the asset management, encryption and cryptography. That is something that I will highlight to and ICT, operation security network security and ICT project and change management. And then in addition to that there's the human resources policy and access control I'd say does not like in the in, in the first chapter there's a lot of new things and in the policy and access consulting, I know it's always a big topic for copying the code.
There's not a much of new requirements in there. We really focused on on the first chapter. And then there will be the ICT related incident and detection and response chapter. And there there's quite a change because doorway is always speaking about animal activities. You need to identify animal activities and resolve them. So the example I gave earlier, I am locked out of my network because of the animal activities for my computer in Singapore. That's an example for that. Then we have further requirements for the ICT business continuity management, especially for the testing.
And then there will be also a report on the ICT risk management framework. And that we report will have to be generated by the financial entity upon request by the supervisor. And then it must be handed to the supervisor in a timely manner. So that means you have to be able to create a report, a status of your whole risk management framework, like in a very short manner. So you need really good data aggregation there and connected systems to do that. And there are minimum requirements.
What will, what have to be in this report. Dominic, I think we are running out of time. If you can wrap up perhaps. I have only two points I want to, yeah, to make left on the next slide. The data must be encrypted in all states at rest, in transit and in use. And that's a really big new thing. Encryption of data in use. I know it's very hard. That's why we have that point here. You see it in the, in the blue box. If encryption of data and use is not possible, FE shall put SaaS data in use in a separated and protected environment.
That's a big thing and that will be a lot of work for companies to do. And then on the next slide, vulnerability management. It fits to the presentation we heard earlier. There will be a weekly automated vulnerability scanning be required for critical, important functions because only if you know you have an issue, you can resolve that. And patching has always to be prioritized over other measures. That's it. Thank you.
