October 11, 2023
The introduction of DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) marks a pivotal moment for the banking sector: it imposes significant ICT and cybersecurity requirements directly on credit institutions, i.e., banks.
Clear aims and the principle of proportionality
The Regulation aims to set a uniform approach to ICT risk management and cybersecurity across financial entities operating in the European Union. To comply, banks will have to adapt their internal procedures, policies, and strategies to the new requirements.
DORA entered into force on January 16, 2023, and its provisions apply to credit institutions from January 17, 2025. The Regulation is built around the principle of proportionality: the obligations it imposes are to be applied with regard to the size, overall risk profile, and the nature, scale and complexity of each entity's services and operations. In practice, the most demanding requirements will weigh primarily on larger banks, many of which are already subject to comparable supervisory expectations, while smaller entities will be able to implement a simplified ICT risk management framework.
In the following sections, we discuss the impact of DORA on the existing obligations of banks: data protection, outsourcing rules, banking law, the supervisory communication on cloud computing, as well as the European Banking Authority's (EBA) guidelines on ICT and security risk management and Recommendation D.
DORA and data protection
Data protection is one of the areas where DORA overlaps with existing obligations. The GDPR already requires banks, as controllers or processors, to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the context and purposes of processing, and the risk to the rights and freedoms of individuals (Article 32 GDPR). DORA adds a parallel layer of ICT security requirements (Article 9 DORA) covering, among other things, data encryption, access control, strong authentication mechanisms, and the protection of cryptographic keys. Implementing these controls consistently will be crucial for meeting both sets of obligations at once.
Transfer Impact Assessment as a new concept
In their relationships with data processors, banks will also need to account for the restrictions on transfers of personal data outside the European Economic Area (EEA). In particular, when relying on standard contractual clauses (SCCs), the parties must perform a so-called "transfer impact assessment" (TIA).
A TIA is a relatively new concept in personal data protection. It is a written analysis carried out by a data controller or processor before transferring personal data to a country outside the EEA. Its purpose is to assess the effect of the transfer on the protection of the data and, in particular, to analyse whether the law and practice of the destination country allow public authorities to access that data in a way that undermines the protection guaranteed in the EU.
The concept of the TIA emerged from three key sources. Firstly, in the Schrems II judgment (C-311/18) the Court of Justice of the European Union held that relying on a GDPR transfer mechanism such as SCCs is not enough on its own: controllers and processors must verify, case by case, whether the law of the third country ensures a level of protection essentially equivalent to that guaranteed in the EU. Although the Court did not expressly require a written document, a documented transfer impact analysis has since become the accepted way of demonstrating that this verification took place.
Secondly, the European Data Protection Board (EDPB) issued recommendations on supplementary measures for data transfers outside the EEA. The EDPB emphasized the need to assess the law and practice of the destination country, in particular the possibility of access to the data by public authorities, and recommended that the assessment be documented in detail so that it can be made available to supervisory authorities on request.
Thirdly, the European Commission adopted new standard contractual clauses in 2021, which require the parties to warrant that they have no reason to believe the law of the destination country prevents the data importer from fulfilling its contractual obligations, and to document the assessment underlying that warranty. In this context, the TIA becomes a process in which data exporters and importers analyse the impact of the transfer on the protection of personal data and document that analysis for supervisory authorities.
Banking outsourcing practices
Outsourcing is common practice in banking, but it can pose cybersecurity risks. DORA obliges banks to manage the risk arising from their reliance on third-party ICT service providers and to ensure the security of the data and information they entrust to them. The Regulation sets out the key principles for contracting with ICT third-party service providers, including the contractual provisions that such agreements must contain, and requires providers to meet appropriate security standards.
Banks will also need to read DORA's requirements together with the existing outsourcing rules. In Poland this notably includes the Polish Financial Supervision Authority's (KNF) communication on the processing of information in cloud computing, and existing cloud arrangements will require adjustments to meet the new DORA requirements.
DORA's impact on banking law
DORA affects various areas of banking regulation, banking law in particular. Under DORA, banks must put in place the technical and organizational mechanisms needed to ensure the security and resilience of their processes and services. This applies both to their internal information systems and to the solutions used to serve customers.
Recommendation D and EBA guidelines
Recommendation D, issued by the KNF on the management of information technology and ICT environment security, and the EBA Guidelines on ICT and security risk management will remain significant reference points for banks that must adjust their procedures to the new DORA requirements. The EBA guidelines focus on the governance of ICT and security risk and on the implementation of audit and control mechanisms, much of which DORA now places on a statutory footing.
In conclusion, DORA introduces significant changes for the banking sector and requires banks to ensure an adequate level of cybersecurity and operational resilience. Banks must take action to meet these new requirements and adapt their procedures accordingly. Raising cybersecurity standards can benefit both customers and the financial sector as a whole, and should increase trust in banking services within the European Union.