EBA Issues Last-Minute DORA Q&As

December 17, 2024
The European Banking Authority (EBA) has published a new set of clarifications on the EU’s Digital Operational Resilience Act (DORA), as the January 17 implementation deadline nears.

DORA, enacted in December 2022, aims to enhance the digital operational resilience of the EU’s financial sector and has widespread reach, including payments and e-money institutions and crypto-asset service providers. 

The new framework establishes comprehensive oversight of critical ICT providers and introduces an EU-wide risk management regime. 

With the deadline looming, the EBA has begun to respond to Q&As from market participants on whom the framework applies to and how it should be applied, publishing three Q&As on December 11.

Non-EU intra-group ICT providers exemption confirmed

In one Q&A, which was submitted to the EU supervisor in May this year, the EBA has clarified that ICT intra-group service providers established outside the EU are exempt from the requirement to establish an EU-based subsidiary under DORA.

The clarification, issued in response to a query from a credit institution, addresses the applicability of Article 31(8) of DORA, which provides exemptions for certain ICT providers. 

Specifically, the European Commission confirmed that ICT intra-group service providers, which are defined as entities primarily serving financial institutions within the same group or institutional protection scheme, will be excluded from designation as critical third-party providers.

This exemption applies regardless of whether the intra-group service provider is established within the EU or in a third country.

As such, the requirement under Article 31(12) for critical ICT third-party providers to establish an EU-based subsidiary within 12 months does not apply to these intra-group entities.

Criteria for major ICT incidents reporting

Another Q&A published by the EBA addresses concerns raised by the Association for Financial Markets in Europe (AFME).

At the heart of the query was whether financial entities must meet all three criteria listed in Article 6 of the Delegated Regulation (EU) 2024/1772 to classify an incident as affecting critical services, or, alternatively, if any single component would suffice.

According to the European Commission's response, any one of the three components outlined in Article 6 is sufficient to determine an incident's criticality.

The first criterion is whether the incident affects ICT services or network systems that support critical or important functions of the financial entity.

The second criterion is whether the incident affects financial services that require regulatory authorisation, registration or supervision. This ensures that incidents affecting regulated activities are captured under the classification.

The third criterion focuses on incidents that involve successful, malicious and unauthorised access to the financial entity’s systems, addressing cybersecurity breaches that pose a significant threat to operational resilience.

Furthermore, the classification of an incident as "major" also requires meeting additional conditions under Article 8 of the Delegated Regulation.

In a Q&A submitted in April 2024, the AFME had expressed “major concerns” about relying on any single criterion, particularly the second, as this might “result in almost every incident at a regulated entity being classified as major”.

Subsequent overreporting would then result in “obscuring sight of those incidents which may have systemic impact”, the AFME added.

However, the clarification reaffirms the broad scope of critical service considerations under DORA’s framework, emphasising the need for financial entities to maintain robust incident classification and reporting mechanisms.

Duplicating ICT incident reports 

The EBA has also clarified, in response to another submission from the AFME, that significant credit institutions are not required to duplicate ICT incident reports under both the ECB’s Single Supervisory Mechanism (SSM) Cyber Incident Reporting Framework and DORA.

Here, incident reporting will be streamlined exclusively under DORA’s framework, as outlined in Article 19 of Regulation (EU) No. 2022/2554.

The AFME had highlighted in another query, also submitted in April, its concerns over potential duplication of reporting for significant cyber incidents.

Currently, significant credit institutions are obliged to notify the ECB of cyber incidents through the SSM portal. This overlaps with DORA’s requirement to report ICT incidents to competent authorities and could lead to inefficiencies.

However, Recital 51 of DORA underscores the harmonisation of ICT-related incident reporting by requiring financial entities to report directly to their designated competent authority.

For significant institutions as defined under Article 6(4) of Council Regulation (EU) No. 1024/2013, reporting is to be conducted solely under DORA, and national competent authorities will then transmit the reports to the ECB, eliminating the need for dual submissions.

What should firms do now?

These new Q&As come within weeks of the DORA deadline, and as firms take their final steps towards compliance, clarifications like these are vital to ensuring that firms do not over-comply or duplicate their reporting.

Going forward, payments and banking firms would be wise to align their internal incident reporting frameworks with DORA’s clarified requirements, ensuring ICT-related major incidents are classified and reported as such.

This includes avoiding duplication with other frameworks, such as the ECB SSM Cyber Incident Reporting Framework.

Incident classification processes also need to be updated to reflect that any of the three criteria in Article 6 of DORA can trigger an incident’s criticality.

Meanwhile, for firms relying on non-EU intra-group ICT service providers, it is essential to confirm these providers meet the definition outlined in Article 3(20) of DORA.

Appropriate governance structures must also be in place to monitor these services, and firms should evaluate contracts with external ICT providers to ensure compliance with DORA’s oversight framework, particularly if these providers are designated as critical.

What is particularly vital, however, as is the case with many regulatory frameworks, is a good relationship between the firm and the supervisor.

Firms should invest in tools and systems that support seamless, timely and accurate reporting to national competent authorities, while maintaining open communication with competent authorities to address any uncertainties regarding reporting responsibilities.
