The first quarter of 2024 has lapsed and fewer than three quarters remain before the Digital Operational Resilience Act (Dora) becomes applicable. Dora will apply to most EU financial entities, including Ucits management companies and alternative investment fund managers (AIFMs), as well as to ICT third-party service providers (including providers of cloud computing services, software, data analytics services and data centres). All entities in scope of Dora will have to be digitally and operationally resilient by 17 January 2025.
From time to time, the Dutch Authority for the Financial Markets (AFM) publishes updates, the most recent on 7 March 2024. This update deals with ICT risk management. The two previous updates covered “Getting ready for the arrival of Dora” and “Management of ICT risk for third-party service providers”. The next update, due in the second quarter of 2024, will deal with ICT-related incidents.
For financial institutions that have not yet started preparing for Dora, the AFM outlines two topics they can begin working on:
Dora articles 6 to 14: (i) development of an ICT risk management framework (including in relation to outsourcing); and (ii) checking compliance with the requirements on business continuity management.
Dora article 15: development and implementation of policies and procedures on, among other things, ICT asset management, network security, and encryption and cryptography.
CSSF has prepared Luxembourg
In Luxembourg, the Commission de Surveillance du Secteur Financier (CSSF) has already implemented many rules on ICT and security risk management, as set out in Circular CSSF 22/806 on outsourcing arrangements and Circular CSSF 20/750 on requirements regarding information and communication technology (ICT) and security risk management. On 3 April 2023, the CSSF sent a compliance preparation survey to certain investment fund managers in Luxembourg, enquiring about the gaps identified and the mitigation plans for each pillar of Dora. This survey was completed by 15 June 2023.
On 5 January 2024, the CSSF published its Circular 24/847 on the ICT-related incident reporting framework, together with a related FAQ, by which the range of ICT incidents to be reported to the CSSF has been expanded. The Circular repeals and replaces Circular CSSF 11/504 on frauds and incidents due to external computer attacks. In-scope entities are required to classify ICT-related incidents according to the criteria set out in Circular 24/847 and to notify major or significant incidents to the CSSF.
Circular 24/847 entered into force on 1 April 2024 for all supervised entities and will apply from 1 June 2024 to management companies and AIFMs. It can thus be concluded that the CSSF has, to a certain extent, been proactively preparing for the upcoming entry into application of Dora by monitoring the readiness of Luxembourg financial institutions to comply with Dora’s requirements. This will further strengthen the competitiveness and attractiveness of the Luxembourg marketplace.
Beyond the text of Dora itself, certain topics are set out in regulatory technical standards (RTS), which are still being finalised. At the time of writing, the RTS for article 15 of Dora (further harmonisation of ICT risk management tools, methods, processes and policies) and for article 16 (simplified ICT risk management framework) have been submitted to the European Commission and are therefore still subject to amendment (although no major changes are expected).
Interplay between Dora, NIS2 and GDPR
Dora is not a stand-alone regulation that financial institutions can apply in isolation from the rest of EU legislation. They must navigate prudently through a web of applicable regulations and directives, of which Dora, NIS2 (the Network and Information Systems Directive) and the GDPR (General Data Protection Regulation) are of particular importance for financial institutions.
In terms of differences: NIS2 focuses specifically on cybersecurity across various sectors, including the financial sector; Dora focuses on the digital operational resilience of the financial sector; and the GDPR applies across all sectors, focusing on the protection of personal data.
Dora, NIS2 and the GDPR have overlapping areas, for example in risk management, where both NIS2 and Dora require robust risk management, although NIS2 focuses specifically on cybersecurity and Dora on ICT and resilience. Another overlap is incident reporting, which can be aligned so that one process serves both NIS2 and Dora. The provisions of the GDPR provide an overall framework to be used when complying with NIS2 and Dora.
A full understanding of the various requirements of NIS2, Dora and the GDPR, and awareness of their overlaps and synergies, will help financial institutions set up their internal compliance organisation, their operational resilience and their compliance with personal data protection.
Implementation train at full speed
The implementation train towards the Dora deadline is running at full speed. To be best prepared for January 2025, entities and third-party service providers in the financial sector must first assess whether they fall within the scope of application of Dora. In-scope entities must then assess their ICT risk management and any existing ICT contractual arrangements as soon as possible. Specific attention must also be paid to the overlaps between Dora, NIS2 and the GDPR, so that the various workstreams are aligned and a maximum level of regulatory compliance is achieved.
Jan Saalfrank is an investment funds partner at Pinsent Masons Luxembourg. Lous Vervuurt is a lawyer at Pinsent Masons Netherlands and advises clients on financial regulation and anti-money laundering compliance. The law firm is a knowledge partner of Investment Officer.