DORA (Digital Operational Resilience Act)

​

DORA - Overview and Context:

• DORA’s Goal and Purpose: DORA pursues the overarching goal of strengthening operational resilience in the financial sector and ensuring financial system stability in the digital age. It aims to better prepare financial institutions for cyber attacks, system failures, data loss, and other ICT-related disruptions and minimize such incidents’ impacts. Protecting critical infrastructures, ensuring financial market integrity, and strengthening trust in the financial system are DORA’s central concerns. DORA should help ensure that financial institutions have robust ICT systems, processes, and controls to minimize these risks and ensure business continuity in case of disruption.
• Scope: DORA applies to a broad range of financial companies, including credit institutions, payment institutions, investment firms, insurance companies, asset management companies, and critical ICT third-party providers. ecrop, as a crypto securities registry manager under § 1 Para. 1a Sentence 2 No. 8 KWG and as a crypto custodian under § 1 Para. 1a Sentence 2 No. 6 KWG (financial services institutions), falls within DORA’s scope. ecrop’s customers (issuers) using the white-label platform for crowdinvesting are also indirectly affected by DORA, as they must consider operational resilience requirements in their contracts with ecrop. This particularly applies to ICT risk management, incident management, testing procedures, and reporting obligations.
• Relationship to Existing Regulations (BAIT, VAIT, KAIT, NIS2): DORA replaces existing sector-specific IT security guidelines BAIT (Banking Supervisory Requirements for IT), VAIT (Insurance Supervisory Requirements for IT), and KAIT (Capital Management Supervisory Requirements for IT) and sets a unified, sector-specific framework for IT security in the financial sector. It complements the NIS2 Directive (Directive (EU) 2022/2555 of the European Parliament and Council of December 14, 2022, on measures for a high common level of cybersecurity across the Union), which addresses critical infrastructure operators. DORA consolidates and expands ICT risk requirements and sets higher requirements for financial institutions’ operational resilience. The regulation thus accounts for financial sector specificities and creates a unified legal framework for IT security. Link to NIS2 Directive
• Timeline and Implementation: DORA will come into effect on January 17, 2025. The European Supervisory Authorities (ESAs – EBA, ESMA, EIOPA) have developed technical regulatory standards (RTS) and implementing standards (ITS) to specify DORA requirements. National supervisory authorities, such as BaFin in Germany, are responsible for implementing and monitoring DORA in their respective jurisdictions.

​

ICT Risk Management under DORA

• ICT Risk Management Framework: Financial institutions must implement a robust ICT risk management framework that includes the following elements and meets Article 5 DORA requirements:
  • ICT Risk Management Strategy: Definition of objectives and strategic orientation of ICT risk management.
  • ICT Governance: Clear responsibilities and reporting lines in ICT risk management.
  • ICT Risk Identification: Systematic identification of all relevant ICT risks, including cyber risks, operational risks, and compliance risks.
  • ICT Risk Assessment: Assessment of identified risks regarding their probability of occurrence, potential damage, and impacts on business continuity.
  • ICT Risk Control: Implementation of risk mitigation and treatment measures, including technical and organizational measures.
  • ICT Risk Monitoring: Continuous monitoring of risk situation, effectiveness of implemented measures, and compliance with regulatory requirements.
• ICT Systems, Protocols, and Tools: DORA sets high requirements for security, reliability, resilience, and capacity of ICT systems, protocols, and tools. Financial institutions must ensure their systems are always state-of-the-art and regularly updated. Effective patch management is essential to close security gaps and protect systems from cyber attacks.
• ICT Third-Party Risk: Increasing dependence on ICT third-party providers poses significant risks to financial institutions’ operational resilience. DORA therefore defines strict requirements for managing ICT third-party risks, particularly regarding selection, contract design, monitoring, and exit management. Financial institutions must carefully assess and manage risks associated with using ICT services, especially for critical or important functions. ICT third-party provider selection must be based on due diligence considering security standards, compliance processes, and provider financial stability. Contract design must meet DORA requirements, particularly regarding responsibilities, service levels, and security measures. ICT third-party monitoring must be continuous and risk-based. Exit management must ensure dependency on ICT third-party providers is minimized if cooperation ends. Special attention is given to risks associated with cloud providers, as they often process critical infrastructures and sensitive data.

​

Incident Management under DORA

• Process for Handling ICT-Related Incidents: DORA requires a structured and documented procedure for handling ICT-related incidents according to Article 33 DORA. This process must include the following steps:
  • Detection: Early detection of ICT-related incidents through monitoring systems and processes.
  • Recording and Documentation: Comprehensive recording and documentation of all relevant incident information, including type, scope, timing, and affected systems.
  • Categorization and Classification: Incident classification by severity, type, and impact on business continuity.
  • Treatment: Implementation of measures to contain and resolve the incident, including technical and organizational measures.
  • Reporting: Reporting the incident to competent authorities (e.g., BaFin) and internal departments according to legal reporting obligations.
  • Communication: Informing affected stakeholders (e.g., customers, employees, supervisory authorities) about the incident and measures taken.
  • Learning Processes: Incident analysis, cause identification, and derivation of measures to prevent future incidents. Analysis results feed into continuous improvement of ICT risk management.
• Reporting Obligations: Serious ICT-related incidents must be reported to the competent authorities within strict deadlines, according to Article 33 DORA. The reports must contain all relevant information about the incident, such as the type and scope of the incident, affected systems and data, number of affected users, estimated financial damage, and measures taken to contain and resolve the incident. The reports must also comply with the requirements of BAIT and MaRisk. ecrop GmbH has implemented a reporting system that ensures compliance with reporting obligations and automatically captures the necessary information.
• Cooperation and Information Exchange: DORA promotes cooperation and information exchange between financial institutions, authorities, and supervisory bodies in the area of cyber threats. This should help increase the financial system’s resilience against cyber attacks, share best practices in cyber security, and develop a common understanding of threats and vulnerabilities. ecrop GmbH actively participates in this information exchange and works closely with relevant authorities and organizations.

​

Testing Procedures under DORA

• Testing Digital Operational Resilience: Financial institutions must regularly test the effectiveness of their ICT systems, protocols, tools, and procedures regarding operational resilience, according to Article 32 DORA. Tests must cover various scenarios, such as cyber attacks, system failures, data loss, power outages, or critical system failures. Scenarios must be tailored to the financial institution’s individual risks. Test results must be documented and analyzed to identify vulnerabilities and derive measures to improve operational resilience. Results must also be reported to competent supervisory authorities.
• Threat-Led Penetration Testing (TLPT): TLPT is an advanced testing procedure that examines financial institutions’ cyber resilience based on real threat scenarios tailored to their individual risks. TLPT simulates targeted attacks on ICT systems and processes and assesses the company’s ability to detect, contain, and resolve such attacks. DORA sets specific requirements for conducting TLPT, including tester qualifications, methodology, and results documentation. TLPT results must also be reported to competent supervisory authorities.

​

DORA and ecrop GmbH’s Customers

• DORA’s Impact on Issuers: Issuers using ecrop’s white-label platform must consider DORA’s operational resilience requirements in their contracts with ecrop. This particularly concerns ICT risk management, incident management, testing procedures, reporting obligations, and ICT third-party monitoring. Issuers must ensure their processes and systems comply with DORA requirements and technical regulatory standards (RTS) and that they can respond appropriately to ICT-related incidents. ecrop GmbH supports its customers in meeting these requirements and provides necessary information and resources.
• Support from ecrop: ecrop supports its customers in implementing and complying with DORA requirements. The white-label platform is designed to meet DORA’s technical requirements and associated technical regulatory standards (RTS). Additionally, ecrop offers its customers tools, templates, best practices, and training to support them in implementing, documenting, and monitoring required processes and measures. ecrop also ensures the platform is regularly checked and updated for DORA compliance.