DORA from the perspective of on-site inspections Monthly Report – September 2024

Article from the Monthly Report

The significance of digitalisation has grown considerably in the financial industry. However, data as well as information and communication technologies (ICT) are not only drivers of progress, but also sources of material risk. Interconnections and dependencies within the financial sector as well as between financial entities 1 and ICT third-party service providers have intensified, making them more vulnerable to system-wide disruptions. In this context, financial entities that provide essential services to national economies are confronted with mounting threats from cyber attacks and ICT disruptions. One prominent example was the major global disruption in July 2024 caused by a third-party provider rolling out a faulty update to a widely used ICT product.

These risks – which arise from the critical roles played by digital systems, their increasing dependencies, and the myriad threats that they face – cannot be caught by conventional financial safety nets. 2 In Germany, the appropriate risk management required by the Banking Act (Kreditwesengesetz), and thus the regulatory expectations for banks, have been set out, in particular, by the circulars issued by the Federal Financial Supervisory Authority (BaFin) on the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk) since 2005 and on the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) since 2017, before the European Banking Authority (EBA) published its own Guidelines on ICT and security risk management in 2019. In practice, in addition to tangible progress, vulnerabilities are still regularly apparent and, due to the dynamically evolving threat situation, there is a continual need for improvement in banks’ operations, development and security of ICT systems, and ICT risk management. This is revealed by the Bundesbank’s supervisory inspections of banks and their ICT third-party service providers.

The introduction of the Digital Operational Resilience Act (DORA) marks a major turning point in the management of ICT risks and ICT third-party services. The DORA requirements for digital operational resilience, alongside the other provisions set out in the Regulation, are essential and necessary to adequately shore up the stability of the financial sector in regulatory terms. As European legislators are harmonising the requirements for digital operational resilience across the European Union (EU) and throughout the entire financial sector, existing national and sector-specific frameworks, including BAIT, are being replaced, which is intended to improve the efficiency and cohesion of risk management in the EU financial sector.

The aim of DORA is to strengthen the resilience of the financial sector and establish a common level of protection. By adopting technical and organisational measures, financial entities must ensure that they can maintain business continuity and resume normal operations even in the event of a severe ICT-related incident. In future, the Bundesbank’s special DORA on-site inspections of banks and their ICT third-party service providers will therefore cover governance and organisation, ICT risk management frameworks including ICT third-party risk, as well as the necessary ICT systems, protocols and tools. However, supervisory focus is also increasingly turning to the treatment, classification and reporting of ICT-related incidents, as well as the testing of the digital operational resilience of financial entities. In its ongoing supervision of financial entities’ implementation of DORA requirements, the Bundesbank is able to build on its many years of experience and will make targeted use of its expertise and findings from supervisory inspections. Financial entities are called upon to implement robust ICT risk management frameworks that cover all aspects of digital operational resilience and include ICT third-party service providers.

1 ICT risks at the focus of financial supervision

ICT risks are increasingly posing a challenge to financial institutions. Financial institutions and other financial market participants make extensive use of information and communication technologies to provide services that are crucial to the national economy. To this end, they are increasingly integrating ICT services provided by third parties into their business models and internal processes. Increasing digitalisation also increases ICT risk, making the financial system more susceptible to cyber attacks and ICT disruptions. In the event of financial distress, financial buffers or sector-specific mechanisms, for example, can be used to stabilise a financial institution’s liquidity or solvency in order to prevent systemic contagion to other financial market participants. The same does not apply in the event of ICT-related disruptions. ICT disruptions cannot be overcome using financial buffers alone; the affected institution must instead prevent the corresponding damage by implementing technical and organisational measures that allow it to maintain business continuity and resume normal operations even in the event of a major incident. For instance, financial buffers are of no use in decrypting customer data that have been encrypted as part of a ransomware attack. Instead, it must be ensured that such attacks do not have any contagion effects on backups, which necessitates sufficiently effective physical or logical separation between systems and their backups. In this context, financial institutions need to develop special skills and implement processes such as contingency and recovery plans. These were also recently reviewed in the cyber resilience stress test conducted by the European Central Bank (ECB), which covered 109 banks across the entire Single Supervisory Mechanism (SSM), subjecting them to a scenario of a severe but plausible cybersecurity incident. 3

ICT risks are also increasingly arising from severe cyber threats with high risks of damage. The number of ICT-related incidents reported to supervisors by significant institutions in the SSM as well as the number of reports of major payment security incidents in Germany (PSD2 reports) remain largely constant, despite the rising threats over the past few years. Two decades ago, however, risks in the area of ICT were limited mainly to disruptions that, whilst impacting on work and customer satisfaction, had little potential for damage. The majority of PSD2 reports still concern operational errors or updates to ICT systems. That said, the threat scenarios have changed significantly: organised crime and mounting geopolitical tensions have made cyber attacks a serious danger with considerably greater potential for damage. In 2023, for example, the customer account data of various banks were stolen from an account switching service provider by a hacking attack. 4 More recently, the number of ICT incidents resulting from exploits of vulnerabilities has grown: in such cases, attackers are able to infect the targeted infrastructures with malicious code. The substantial increase in the number of instances of unauthorised access also suggests that there is room for improvement in security information and event management (SIEM) 5 in order to effectively prevent unauthorised access to data or changes to authorisations.

Chart: Selected types of IT incident at significant institutions in the SSM 6

Chart: PSD2 reports and cyber incidents

Digitalisation and interconnectivity also pose risks to financial stability. The digitalisation of the financial sector also entails stronger interconnectivity within the sector as well as fundamental dependencies on ICT third-party service providers. Due to their impact on the entire financial sector, cyber attacks and disruptions affecting ICT third-party providers and the widespread use of particular ICT products or ICT services represent a growing threat to financial stability. A recent example of this was the major global disruption in July 2024 triggered by an update to a product from the company CrowdStrike. This affected more than eight million devices worldwide and had a negative impact on functions – in some cases critical and important functions – at hundreds of enterprises, including financial institutions. 7 These global repercussions clearly illustrate the interconnectedness of the financial industry as a whole as well as the degree of dependence on ICT third-party service providers. In this context, the actual risks may be even greater than they appear at first glance, as ICT third-party service providers themselves increase concentration risks by sub-outsourcing to the same critical ICT third-party service providers or because the supply chains for the procured ICT services are not sufficiently monitored.

2 Implications of DORA for financial supervision

2.1 Looking back – national sector-specific oversight of ICT risks

The traditional approach to managing operational risks is aimed, in particular, at maintaining sufficient capital for a loss event. In addition, the qualitative requirements of an appropriate risk management framework must ensure that both the probability of occurrence and the amount of damage caused by ICT incidents are limited to such an extent that resilience is guaranteed at all times. In Germany, the appropriate risk management required by the Banking Act (Kreditwesengesetz), and thus the regulatory expectations for banks with regard to appropriate technical and organisational measures as well as contingency management for ICT systems, have been set out by the circulars issued by the Federal Financial Supervisory Authority (BaFin) on the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk) since 2005 and on the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) since 2017. This was the case before the European Banking Authority (EBA) published its own Guidelines on ICT and security risk management in 2019. These guidelines were implemented by BaFin, in close cooperation with the Bundesbank, in amendments to MaRisk and BAIT. This occurred again in 2021 in the circular on Payment Services Regulatory Requirements for IT (Zahlungsdiensteaufsichtliche Anforderungen an die IT – ZAIT). 8

The Bundesbank’s inspections show that, despite significant progress made by institutions, there is an ongoing need for action in ICT risk management due to the dynamic threat situation. For more than a decade, the Bundesbank has regularly been mandated with carrying out special on-site supervisory inspections, which cover proper business organisation in accordance with Sections 25a and 25b of the Banking Act in conjunction with MaRisk and BAIT or Section 27 of the Payment Services Oversight Act (Zahlungsdiensteaufsichtsgesetz – ZAG) in conjunction with ZAIT for financial institutions and their ICT third-party service providers. During this time, the level of maturity of ICT risk management at the inspected enterprises, including the management of outsourcing risks, has risen considerably across the board. However, in light of the mounting threats, the requirements placed on ICT risk management have also increased. Despite the progress that has been made, inspections continue to reveal significant vulnerabilities, critical problem areas and an ongoing need for improvement with regard to the management of ICT risks. For instance, out of the inspection findings from the essential areas of ICT risk management in 2023, more than half were classified as “major” or “critical”.

2.2 Looking ahead – DORA as a cross-sectoral EU Regulation

A key objective of DORA is to strengthen the digital operational resilience of the entire financial sector in the EU. In particular, financial entities should establish robust mechanisms against cyber attacks and ICT disruptions among financial market participants and ICT third-party service providers to guarantee a common level of protection. In addition, DORA obligates the three European Supervisory Authorities 9 (ESAs) to produce drafts for joint regulatory technical standards and implementing technical standards for DORA and then present these to the European Commission. At the same time, the European Commission has the power to supplement DORA with these standards or to adopt these standards.

Due to the harmonisation of the most important requirements for digital operational resilience by European legislators, the national sectoral requirements for IT security in the German financial sector are being repealed. This affects both BAIT and ZAIT. 10 Although the authority to regulate all elements of digital operational resilience lies with European legislators, German financial supervisors, as part of the Joint Committees of the ESAs, participate in the development process for regulatory technical standards and implementing technical standards as well as in the Q&A processes for DORA.

DORA strengthens operational resilience requirements to ensure the stability of key financial functions. DORA requires financial institutions to implement resilient ICT risk management frameworks. In the German financial sector, there are already high supervisory expectations of IT security in accordance with MaRisk, BAIT and ZAIT. At the same time, with its focus on digital operational resilience, DORA is introducing expanded requirements and new priorities in this regard. 11 These aim to ensure not only that potential damage from ICT disruptions is avoided or reduced to a tolerable level, but also, in particular, that critical and important functions of financial entities can continue or be quickly resumed even in the event of a crisis. This should guarantee the integrity and proper functioning of the financial market under any circumstances.

2.3 Learning areas for future DORA inspections

Financial institutions are called upon to implement effective governance structures and organisational forms for managing ICT risks. The ICT risk management framework required for this must cover key elements of digital operational resilience, including identification, protection and prevention, detection, response and recovery, and backup and restoration. These elements should be reinforced by reliable and resilient ICT systems as well as with sound protocols and tools. In light of the constantly evolving cyber threats, ongoing training for all staff and continuous further development of risk management approaches are necessary. In the event of a cyber attack or ICT incident, clear and comprehensive communication with all relevant stakeholders, including supervisory authorities, customers and the general public, is essential. Supplementary regulatory technical standards specify the requirements for certain areas of ICT risk management in greater detail. 12

Governance and organisation

ICT competence in management bodies will be indispensable. The management body of an institution, which, in the case of credit and payment institutions, consists of the management board and the supervisory board, bears full and ultimate responsibility for the appropriate management of ICT risks. This includes, amongst other things, defining strategic objectives for the institution’s digital operational resilience. To do so, the management body itself needs to have sufficient knowledge and skills and must constantly keep these up to date so that it can adequately understand and assess ICT risks and their impact on the financial institution. For this purpose, training courses tailored to the institution’s specific needs should be completed at regular intervals.

Governance and control frameworks are fundamental to the proper management of ICT risks. Only a comprehensive ICT risk management framework set down in writing can reliably convey the strategic requirements of the management body and ensure a high level of digital operational resilience that meets the latest technological standards. This framework must include detailed strategies, policies, procedures and control mechanisms specifically aimed at identifying, assessing, managing and monitoring ICT risks particular to the institution. In order to keep up with the constantly changing threat landscape, it is essential to review and update the framework on a regular basis – annually at the least. Ad hoc reviews in the event of serious ICT-related incidents or on the basis of supervisory instructions or findings are also necessary. These are vital for the continuous optimisation of the entities’ security strategies and to further strengthen their digital operational resilience.

Financial entities should pay particular attention to the ICT risk management framework, not least because supervisory MaRisk, BAIT and ZAIT inspections have repeatedly revealed weaknesses in this regard over the past few years, particularly in terms of the completeness, level of detail and up-to-dateness of written procedural instructions. Under DORA, financial entities will, in future, be required to provide full and up-to-date information on their ICT risks and their ICT risk management framework to the competent authorities upon request.

ICT risk management

An internal, independent ICT control function is crucial for effectively monitoring ICT risks and strengthening digital operational resilience. The introduction of DORA has changed regulatory requirements. The previous regulations in Germany, which, in accordance with BAIT, generally provided for an internal information security officer (ISO), will be replaced by a broader ICT control function responsible for managing and monitoring ICT risk. The implementation of an independent ICT control function is essential for effective monitoring of ICT risks and to support the management body.

In order to monitor the institution’s individual ICT landscape, it is vital that the responsible control function is well-versed in the processes and products employed. Instead of outsourcing this ICT control function, it is therefore appropriate to keep it within the institution in order to maximise synergies and ensure a rapid response when ICT incidents occur. The internal anchoring of this function promotes effective control over ICT risks and contributes significantly to strengthening the digital operational resilience of the financial institution.

The ICT control function is to be implemented in line with the three lines of defence model 13 or an internal risk management and control model, and is specifically responsible for independent monitoring of ICT risk. German financial supervisors had already enshrined these requirements in the relevant national circulars previously. Nevertheless, supervisory inspection findings have repeatedly revealed weaknesses, in particular with regard to the necessary independence of this control function, the adequacy of reporting channels to the management body, and the availability of the requisite resources for the effective performance of tasks.

Financial entities must retain full control over their ICT risk. This includes controlling the risks arising from the use of ICT services provided by ICT third-party service providers or their subcontractors (ICT third-party risk). This also applies to critical ICT third-party service providers that are subject to the European Oversight Framework (see the supplementary information The new EU Oversight Framework for critical ICT third-party service providers). The classification of an ICT third-party service provider as “critical” is based on the information registers of financial entities, which contain all contractual agreements on ICT third-party services provided. DORA focuses on a wide range of ICT third-party service providers. These include, inter alia, providers of data centre services, cloud computing, software and data analysis, but also payment services with payment processing activities and payment infrastructure operation. While procuring ICT third-party services from specialised providers can lead to different or better management of some risks, the increased interconnection with and associated dependencies on other entities create additional risks for both the institution itself and the financial market as a whole.

Financial entities’ dependencies on individual ICT third-party service providers may increase and also result in systemic dependencies in the financial sector. The services offered by ICT third-party providers are growing dynamically in both breadth and depth, and are becoming increasingly integrated into financial entities’ value chains. This market dynamism also means that some ICT third-party service providers are able to gain considerable market power, which puts regulated financial institutions in a difficult position at the negotiating table when, for example, it comes to ensuring that the information and audit rights required by the supervisory authorities are sufficiently implemented or that ICT risks are properly monitored.

Meeting the regulatory requirements for ICT third-party risk management poses enormous challenges for financial entities. DORA brings with it more comprehensive and detailed requirements for the management of ICT third-party risk, in particular. However, inspections carried out under national sector-specific rules have already frequently identified that financial entities are falling short of existing supervisory requirements – signing incomplete contracts with ICT third-party service providers and failing to sufficiently assess and manage third-party risks.

Supplementary information

The new EU Oversight Framework for critical ICT third-party service providers

The Joint Committee of the European Supervisory Authorities (ESAs) is establishing an Oversight Forum as a subcommittee to support the work of the Joint Committee and the Lead Overseers. The Lead Overseer function, performed by one of the three ESAs (i.e. the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) or the European Securities and Markets Authority (ESMA)) is the core element of the Oversight Framework for critical ICT third-party service providers. Coherent operational collaboration between the Lead Overseers will be ensured by the formation of a Joint Oversight Network (JON), which will draw up a common oversight protocol for this purpose.

The Lead Overseers are supported by a Joint Examination Team (JET), which will be set up for each critical ICT third-party service provider. The JETs will comprise employees of the ESAs and the competent supervisory authorities supervising the financial entities for which the critical ICT third-party service provider performs ICT services. The Lead Overseer is authorised to issue recommendations to a critical ICT third-party service provider, while the latter is obliged to comment on these and to address the concerns of the former. A critical ICT third-party service provider should, first and foremost, cooperate in good faith with the Lead Overseer and assist it in the fulfilment of its tasks; however, under DORA, a periodic penalty payment can be imposed on the service provider by the Lead Overseer as a last resort. Moreover, in principle, the Lead Overseer can publicly report the critical ICT third-party service provider for not informing it adequately or in a timely enough manner about how it has handled recommendations.

Chart: Structure of the Oversight Framework

Any mutual interdependencies and highly critical concentrations of ICT third-party service providers can be identified by analysing the registers containing information on the third-party services provided to the financial entities under supervision. Critical ICT third-party service providers are defined on this basis. The Lead Overseer’s supervisory duties are to be carried out while maintaining a continuous dialogue with such ICT third-party service providers with regard to their ICT risk situation. In order to perform its tasks and supervision activities, the Lead Overseer is entitled to request information and conduct general investigations and on-site inspections of the critical ICT third-party service providers assigned to it. This involves assessing the management of ICT risks that can be transferred from the critical ICT third-party service provider to the financial entities because they affect ICT third-party services that support critical or important functions of financial entities.

DORA defines the areas of ICT risk management that are to be covered by the assessment of critical ICT third-party service providers. Such an assessment is based on an oversight plan and is intended to:

  • take into account the security, availability, continuity, scalability and quality of services;
  • include the availability, authenticity, integrity and confidentiality of data;
  • examine the ICT risk management strategy, the ICT business continuity policy and the ICT response and recovery plans as well as considering the governance arrangements;
  • include the processes for ICT-related incidents, investigation, monitoring, reporting to financial entities, handling and resolution;
  • include mechanisms for the effective exercise of termination rights by financial entities to ensure data portability, application portability and interoperability;
  • include the testing of ICT systems, infrastructures and controls;
  • consider ICT audits and the adoption of relevant standards.

However, the critical ICT third-party service providers are not subject to the requirements that DORA imposes on the ICT risk management of financial entities.

Effective ICT risk management requires complete and up-to-date information on ICT assets. 14 Effective ICT risk management can only be achieved if the underlying information is up-to-date and correct. Only those who are familiar with the functions it entails and the assets at its disposal can protect these from risks in a targeted manner. It is therefore essential to precisely identify both specific ICT risks and critical and important functions. Strategic requirements and the specific business model must also be taken into account. The ICT systems and data supporting these critical and important functions must demonstrate a high degree of digital operational resilience. In order to ensure high standards of availability, authenticity, integrity and confidentiality, clear criteria must be established for assessing the criticality of data and ICT systems. This requires comprehensive and up-to-date information on data and ICT assets as well as on their interdependencies. Bundesbank inspections have repeatedly identified shortcomings in the scope and completeness of impact and criticality analyses (also known as protection needs analyses) and in keeping information on ICT assets up to date. In the future, financial entities will have to keep appropriate inventories of their ICT assets and risks and update them both regularly and in the event of significant changes.

Stricter monitoring of legacy ICT system risks is needed. ICT systems become outdated because, at some point, spare parts for the hardware or security updates for the software are no longer provided. Any outdated (legacy) ICT systems that do remain in operation require special attention, as the lack of security updates increases their vulnerability to cyber attacks. It is therefore imperative that the lifecycle of ICT systems be monitored and managed. Although this problem was highlighted in the 2021 BAIT amendment, inspections have often shown that these systems are inadequately monitored and managed. DORA requires that a thorough risk evaluation be conducted when an ICT system is integrated and that a new assessment be carried out at least once a year.

Once critical data and ICT systems have been identified, protection measures must be implemented that are in place and effective at every stage of data handling: storage, transfer and processing. The effectiveness of the implemented protective measures must be tested regularly. The management body is responsible for adopting an information security policy that makes the fundamental protection requirements for availability, authenticity, integrity and confidentiality binding. ICT security policies, procedures, protocols and tools need to be developed in line with the above to specify individual security measures more precisely. For example, network segments and devices should be able to be isolated automatically wherever possible in the event of a cyber attack, and automatic vulnerability scans should be carried out at least weekly for ICT systems that support critical or important functions.
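The three checks described in the preceding paragraphs (legacy systems without security updates, risk assessments older than a year, and weekly vulnerability scans for systems supporting critical or important functions) can be run mechanically against an ICT asset inventory. The following script is an added example and is not code from the Bundesbank or from the DORA technical standards; the asset records, the reference date and the field names are constructed for illustration, and the review intervals are taken from the text above.

```python
"""Added example (not part of the article): a minimal ICT asset inventory
check that flags the conditions the text describes.  All asset data below
is constructed for illustration; the field names are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Review intervals as stated on the page: risk evaluation at least yearly,
# vulnerability scans at least weekly for systems that support critical or
# important functions.
MAX_ASSESSMENT_AGE = timedelta(days=365)
MAX_SCAN_AGE = timedelta(days=7)

# Constructed reference date for a deterministic run.
REFERENCE_DATE = date(2025, 1, 17)


@dataclass
class IctAsset:
    name: str
    supports_critical_function: bool
    end_of_security_support: Optional[date]   # None: vendor still ships updates
    last_risk_assessment: Optional[date]
    last_vulnerability_scan: Optional[date]


def check_asset(asset: IctAsset, today: date) -> List[str]:
    """Return the findings for one asset; an empty list means compliant."""
    findings: List[str] = []

    # Legacy check: a system whose security support has ended is exposed
    # to unpatched vulnerabilities and must be tracked explicitly.
    eos = asset.end_of_security_support
    if eos is not None and eos <= today:
        findings.append(f"legacy system: security support ended {eos.isoformat()}")

    # Risk assessment must exist and be renewed at least once a year.
    ra = asset.last_risk_assessment
    if ra is None:
        findings.append("no risk assessment recorded")
    elif today - ra > MAX_ASSESSMENT_AGE:
        findings.append(f"risk assessment older than one year (last: {ra.isoformat()})")

    # Weekly scan requirement applies only to systems supporting critical
    # or important functions.
    if asset.supports_critical_function:
        scan = asset.last_vulnerability_scan
        if scan is None:
            findings.append("no vulnerability scan recorded for critical system")
        elif today - scan > MAX_SCAN_AGE:
            findings.append(f"vulnerability scan older than one week (last: {scan.isoformat()})")
    return findings


def check_inventory(assets: List[IctAsset], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant asset name to its list of findings."""
    report: Dict[str, List[str]] = {}
    for asset in assets:
        findings = check_asset(asset, today)
        if findings:
            report[asset.name] = findings
    return report


def sample_inventory() -> List[IctAsset]:
    """Constructed sample records; names and dates are not real systems."""
    return [
        IctAsset("core-banking-db", True, None, date(2024, 6, 1), date(2025, 1, 14)),
        IctAsset("legacy-swift-gateway", True, date(2023, 12, 31), date(2023, 11, 15), date(2025, 1, 2)),
        IctAsset("hr-intranet", False, date(2026, 6, 30), None, None),
        IctAsset("payments-api", True, None, date(2024, 9, 1), date(2025, 1, 9)),
    ]


def run_check() -> Dict[str, List[str]]:
    return check_inventory(sample_inventory(), REFERENCE_DATE)


if __name__ == "__main__":
    for name, findings in run_check().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the constructed data, the compliant core banking database produces no entry, the legacy gateway collects all three findings, the non-critical intranet system is flagged only for its missing risk assessment (no weekly scan is demanded of it), and the payments API is flagged because its last scan is eight days old. In practice the inventory would come from the entity's CMDB or register of information rather than from an inline list.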

In addition to these technical and procedural requirements, the human factor must be taken into account and the necessary awareness of ICT risks raised. A 2022 study by Gartner, for example, found that more than two-thirds of employees knowingly violate security regulations in order to work more comfortably. 15 It is therefore important that security measures are integrated into ICT systems while being as simple and practical as possible. Inspections have repeatedly shown that important security measures were missing or not effectively implemented. Gaps in protection went undiscovered due to inadequate vulnerability management and were therefore not remedied, making institutions more vulnerable to cyber attacks. DORA requires that protective measures be reviewed regularly and independently as part of a comprehensive testing programme.

Supplementary information

Threat-led Penetration Testing (TLPT)

As soon as DORA takes effect in January 2025, the previously voluntary TIBER tests, now referred to as Threat-led Penetration Testing (TLPT), will become mandatory for certain financial entities in the EU. TLPT will therefore become an instrument of the financial supervisory authorities. However, it is not primarily aimed at meeting regulatory requirements; through its special learning character, it aims to show entities the potential for improving their own resilience to cyber attacks.

The general requirements concerning the execution of TLPT are defined in the regulatory technical standard on TLPT (RTS on TLPT). 1 This standard relies on the TIBER framework 2 for guidance, which is widely used in the EU and serves as an “execution guideline” for the specific procedures involved in individual tests. TIBER, short for “Threat Intelligence-Based Ethical Red Teaming”, comprises the simulation of realistic cyber attacks on critical ICT systems of financial entities by “ethical hackers” (red team testers) based on threat analyses. This facilitates near-realistic testing of the entity-specific security level. In Germany, the Bundesbank’s TIBER competence centre, TIBER Cyber Team Deutschland (TCT-DE), has been supporting the execution of TIBER tests according to this framework since 2020. The experience acquired by the TCT-DE over five years is seamlessly integrated into the implementation of TLPT under DORA.

Various types of financial entities are eligible under DORA for mandatory execution of TLPT, including credit institutions, insurers and financial market infrastructures. Since TLPT is an advanced tool for reinforcing operational resilience, it calls for a minimum measure of maturity when it comes to the level of ICT security. Only then can the test be executed effectively and beneficially. Accordingly, not all financial entities mentioned are required to carry out TLPT. Art. 26(8) of DORA defines three selection criteria: (1) impact-related factors (impact of the financial entity’s activities on the financial sector), (2) financial stability and (3) ICT risk profile and ICT maturity. The RTS on TLPT further details these selection criteria and introduces a distinction between quantitative institution-related and qualitative risk-related criteria.

In particular, systemically important credit institutions (G-SIIs and O-SIIs under Art. 131 of Directive 2013/36/EU) fall within the scope of application of the RTS and are required to carry out TLPT. In Germany, this chiefly applies to credit institutions under direct ECB supervision. The RTS also designates central securities depositories (CSDs), central counterparties (CCPs) and the largest trading venues (exchanges) in a member state, as well as insurance companies, payment institutions and electronic money institutions where they meet certain quantitative criteria.

The competent supervisory authority ultimately decides which financial entities meet the criteria and notifies them in advance of the tests. The relevant authority for major credit institutions is the ECB and for stock exchanges it is the stock exchange supervisory authority in the relevant federal state; all other financial entities in Germany fall under the competence of BaFin. The TLPT requirements are predominantly relevant for large, systemically important financial entities. Often, these financial entities have already carried out a TIBER test in the past and are already in contact with the Bundesbank’s TCT.

As has been the case in the past, operational support for the TLPT will continue to be provided by the Bundesbank’s TCT, which will act as the first point of contact for the relevant entities and be responsible for ongoing communication during the TLPT. In order to ensure that the tests are realistic, they must be carried out in a strictly confidential setting and knowledge of the TLPT must be restricted to only a limited group of persons at the entity. The TCT supports the entities with its expertise and experience gained from other tests to guarantee smooth execution of the TLPT and to maximise the learning experience for the entities.

In the future, however, the supervisory authorities at the European and national levels will be increasingly involved in the preparation and follow-up work on the TLPT. In addition, collaboration with the existing national TCTs in the respective EU member states will be intensified. The supervisory authorities are involved especially in the identification, planning and organisation of the tests and in validating the scope thereof. On completion of the TLPT, the entity tested prepares a final report and a remediation plan; these are sent to the supervisory authorities, which then follow up the weaknesses identified.

The specific information gathering and targeting steps of the TLPT are carried out by specialised threat intelligence and red teaming service providers. The threat intelligence service provider carries out the threat analysis and creates realistic attack scenarios; the red teaming service provider subsequently executes these scenarios. The RTS on TLPT defines minimum criteria for their experience and expertise that rely on the requirements of the TIBER framework for guidance, substantiating and extending those requirements in some areas. This ensures that TLPT is carried out in conformity with the highest quality standards. While the threat intelligence service provider must always be commissioned externally, red teaming can be carried out by internal testers under certain conditions; however, at least every third TLPT must be carried out by external testers. Art. 26(8) DORA prohibits the use of internal testers for credit institutions directly supervised by the ECB.

Footnotes
  1. See eba.europa.eu, last accessed: 16 August 2024
  2. For further particulars on TIBER, please refer to: bundesbank.de

The timely detection of anomalous activity and behaviour is an essential part of proactive defence. Given the complex and constantly evolving threat landscape, it is essential that mechanisms be implemented that allow unusual activities and behaviours in ICT systems and amongst users to be quickly identified and effectively responded to. It is therefore necessary to continuously collect, securely store and carefully analyse all relevant information from ICT systems. When patterns are identified that attackers frequently use or that deviate from normal conditions, an automated alarm must be triggered and an immediate check for potential ICT incidents must be carried out by specialised personnel.

Past BAIT inspections have found that not all necessary information was collected, or that collected data were not analysed appropriately or sufficiently quickly. In future, DORA calls for sufficient resources and suitable ICT tools to be maintained and clear responsibilities to be defined.
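The detection mechanism described above, that is, collecting log data, comparing it against patterns attackers frequently use and against normal conditions, and raising an alert for triage, can be illustrated in a few dozen lines. The following Python script is an added example and not code from the Monthly Report or the Bundesbank; the log line format, the sample lines, the historical failure counts and the thresholds (five-minute window, five distinct accounts, three standard deviations, floor of five) are all constructed assumptions for this illustration.

```python
"""Constructed example (not from the Monthly Report or the Bundesbank): detection
logic over authentication log lines. The log format below is invented for this
example; a real SIEM would normalise vendor-specific formats first."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed line format: "<ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse(lines):
    """Turn raw lines into Events; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append(Event(datetime.fromisoformat(ts), result == "LOGIN_OK", user, src))
    return events


def spray_alerts(events, window=timedelta(minutes=5), min_users=5):
    """Known attacker pattern: one source failing against many distinct accounts
    within a short window (password spraying). Thresholds are assumptions."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if not e.ok:
            by_src[e.src].append(e)
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e.ts)
        worst, start = 0, 0
        for end, e in enumerate(fails):          # sliding window over this source's failures
            while e.ts - fails[start].ts > window:
                start += 1
            worst = max(worst, len({f.user for f in fails[start:end + 1]}))
        if worst >= min_users:
            alerts.append(("PASSWORD_SPRAY", src, worst))
    return alerts


def spike_alerts(events, history, k=3.0, floor=5):
    """Deviation from normal: today's failed logins per user versus that user's
    historical daily counts (mean + k standard deviations, with a floor so that
    quiet accounts do not alert on a single mistyped password)."""
    today = Counter(e.user for e in events if not e.ok)
    alerts = []
    for user, count in today.items():
        hist = history.get(user, [])
        mu = mean(hist) if hist else 0.0
        sigma = pstdev(hist) if len(hist) > 1 else 0.0
        if count > max(floor, mu + k * sigma):
            alerts.append(("FAILURE_SPIKE", user, count))
    return alerts


def detect(lines, history):
    """Run both detectors; in practice each alert would be forwarded for immediate triage."""
    events = parse(lines)
    return sorted(spray_alerts(events) + spike_alerts(events, history))


# Constructed sample data: normal traffic, one spray from 203.0.113.9 and one
# brute force against "carol" from 198.51.100.4 (documentation-range addresses).
SAMPLE_LOG = [
    "2024-09-02T08:00:01 LOGIN_OK user=alice src=10.0.0.5",
    "2024-09-02T08:03:17 LOGIN_FAIL user=bob src=10.0.0.7",
    "2024-09-02T08:03:25 LOGIN_OK user=bob src=10.0.0.7",
    "this line is garbage and is ignored",
] + [
    f"2024-09-02T09:1{i // 3}:{(i % 3) * 20:02d} LOGIN_FAIL user={u} src=203.0.113.9"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    f"2024-09-02T10:00:{i * 7:02d} LOGIN_FAIL user=carol src=198.51.100.4" for i in range(8)
]
# Historical daily failure counts per user over the previous five days (constructed).
HISTORY = {"alice": [0, 1, 0, 0, 1], "bob": [1, 2, 1, 0, 1], "carol": [0, 0, 1, 0, 0]}

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, HISTORY):
        print(alert)
```

The two detectors are deliberately complementary: the spray against six accounts produces only one failure per account and is invisible to the per-user baseline, while the eight failures against a single account are invisible to the spray rule. Covering both classes, known attacker patterns and deviations from each account's own normal, is what the paragraph above asks for, and the garbage line shows why the collection stage must tolerate malformed input instead of silently stopping.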

Comprehensive contingency plans and regular testing of said plans keep institutions functioning. Despite comprehensive preventive safeguards and proactive strategies to detect ICT disruptions and cyber attacks, the possibility of an ICT system becoming impaired needs to be considered. Effective contingency plans must be maintained to sustain critical or important functions in the event of ICT disruptions or cyber attacks, limit damages and ensure a swift resumption of normal operations. These plans must include immediate containment measures as well as response and recovery procedures adapted to all relevant situations, including the necessary resources. To this end, effective communication strategies must be established for internal and external stakeholders and for authorities. Sufficiently detailed contingency plans must have their effectiveness tested on a regular basis; this is an area in which supervisors see potential for improvement in the supervised institutions. DORA sets out the necessary scenarios in much more detail and makes plan effectiveness tests mandatory.

Robust backup and recovery tools are fundamental for financial institutions to minimise catastrophic damage. Given the growing threat posed by ransomware, where attackers encrypt both operational data and backups while demanding a ransom for decryption, it is critical that entities arm themselves with robust backup strategies, coordinated backup cycles, and effective data recovery and system repair methods. These measures, some of which were found to be missing during supervisory inspections, are crucial in order to reduce business interruptions in the event of an attack and to minimise potentially catastrophic data loss and the associated damage. DORA addresses the threat of ransomware by, amongst other things, requiring backups to be physically and logically separated from production systems, which improves protection against attackers.
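Separating backups from production is an infrastructure control; the complementary check a practitioner wants is evidence that a backup can actually be read back and has not been altered since it was taken. The following Python script is an added example and not code from the Monthly Report or the Bundesbank: it records a SHA-256 manifest at backup time (assumed to be kept on a system the backup job cannot write to, which is the logical separation the text refers to), then performs a restore test by reading every file back out of the archive and comparing it with the manifest. The directory layout, file contents and the simulated ransomware overwrite are constructed for this illustration.

```python
"""Constructed example (not from the Monthly Report or the Bundesbank): a backup
restore test that compares a backup archive against a digest manifest recorded at
backup time and stored apart from the archive. Paths and file contents are invented."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def _digest(fileobj) -> str:
    """SHA-256 of a readable binary stream, hashed in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` and return {relative path: sha256}.
    The caller keeps this manifest on a system the backup job cannot write to."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            with path.open("rb") as f:
                manifest[rel] = _digest(f)
            tar.add(str(path), arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: dict) -> dict:
    """Read every member back out of the archive (a restore test that never writes
    to production) and report what is missing, modified or unexpected."""
    report = {"restorable": True, "missing": [], "modified": [], "unexpected": []}
    restored = {}
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            for member in tar:
                if member.isfile():
                    restored[member.name] = _digest(tar.extractfile(member))
    except (tarfile.TarError, OSError, EOFError):
        report["restorable"] = False      # encrypted, truncated or otherwise unreadable archive
        return report
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


def demo() -> dict:
    """Three constructed situations: an intact backup, an archive whose content no
    longer matches the recorded manifest, and an archive overwritten by a simulated
    ransomware encryption. Returns the three verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "prod"
        (source / "ledger").mkdir(parents=True)
        (source / "ledger" / "accounts.csv").write_text("id,balance\n1,100\n2,250\n")
        (source / "config.ini").write_text("[app]\nmode=production\n")

        good = root / "backup-1.tar.gz"
        manifest = create_backup(source, good)       # manifest kept separately from `good`
        clean = verify_backup(good, manifest)

        (source / "ledger" / "accounts.csv").write_text("id,balance\n1,0\n2,0\n")
        altered = root / "backup-2.tar.gz"
        create_backup(source, altered)               # new archive checked against the old manifest
        tampered = verify_backup(altered, manifest)

        good.write_bytes(b"SIMULATED-RANSOMWARE-CIPHERTEXT" * 64)
        encrypted = verify_backup(good, manifest)
    return {"clean": clean, "tampered": tampered, "encrypted": encrypted}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The point of the design is that the manifest, not the archive, is the reference: an attacker who can overwrite or encrypt the backup store cannot make the verification pass unless they can also alter the separately held digests, and a restore test that runs on a regular cycle turns "we have backups" into "we have backups we have recently proven we can read".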

An active exchange of information on cyber threats and lessons learnt from incidents improves security. The ever-changing cyber threat landscape requires entities to do more than merely develop and update their ICT risk management frameworks. Rather, they must continuously acquire information on vulnerabilities and threats in order to strengthen their own resilience. In addition, the risk management framework must be regularly evaluated for opportunities for improvement, particularly following serious ICT-related incidents or when deficits are detected. Where necessary, the framework will then need to be adjusted. Past inspections have often shown that financial institutions make insufficient use of external threat information and therefore do not have an accurate picture of their individual security situations. DORA now recommends that institutions actively form networks to exchange information and insights relating to cyber threats.

Communication plans and clear responsibilities reduce reputational risks in the event of ICT disruptions. ICT disruptions and cyber attacks can cause considerable reputational loss in addition to financial damage. In the past, delayed or inconsistent communication with the relevant stakeholders has prevented appropriate responses to ICT incidents. DORA now requires entities to maintain specific communication plans for all relevant parties, including customers, other financial entities and the general public. In addition, responsibility for communication in the event of ICT incidents must be clearly defined.

3 Looking ahead

In this digital age, information and communication technologies are essential for highly interconnected and interdependent financial entities. It is therefore vital that the associated risks are addressed through digital operational resilience. DORA represents a significant milestone in the management of ICT risks in the financial sector.

Entities benefit from a harmonised risk management approach that takes into account the risks arising from ICT third-party services, thereby supporting the financial sector in its dealings with ICT third-party service providers. At the same time, it is essential that supervised institutions continue to remain aware that implementing and maintaining a robust ICT risk management framework is not solely a matter of meeting regulatory requirements. Rather, it is in institutions’ own fundamental interest to establish and maintain such sound risk management practices.

In the past, German supervisors have always been actively involved in ensuring that institutions’ ICT risk management is effective and practice-oriented. In particular, the findings from inspections and dialogue with financial corporations and ICT third-party service providers provide fertile ground for identifying future challenges that may arise from ICT risks and advancing the further development of regulatory requirements in a practical manner.

DORA contributes to ensuring the integrity, availability and confidentiality of the information and communication systems of supervised financial entities, thereby protecting against potential financial losses, reputational risks and other operational risks that may result from ICT-related threats. However, given the dynamic developments caused by digitalisation and the constantly changing threat situation, it is foreseeable that future adjustments to regulation will be necessary. European legislators therefore plan to review DORA by 2028 and submit a report on it and, if required, a legislative proposal.

List of references

Tremmel, S. (2024), “Vermeidbares Übel – Hergang und Folgen des CrowdStrike-Vorfalls” in c’t, No 18/2024, p. 14 f.

Footnotes
  1. Pursuant to DORA Article 2(2), the entities listed in DORA Article 2(1), points (a) to (t) shall collectively be referred to as “financial entities”; these include, inter alia, credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers, and issuers of asset-referenced tokens.
  2. These include, for example, private and public deposit guarantee schemes.
  3. See bankingsupervision.europa.eu and bankingsupervision.europa.eu, last accessed on 23 August 2024.
  4. See handelsblatt.com, last accessed on 26 August 2024.
  5. A SIEM system is a system that gathers, analyses and monitors security information and events (such as instances of access, for example) within an ICT infrastructure. See csrc.nist.gov, last accessed on 26 August 2024.
  6. In a distributed denial of service (DDoS) attack, instead of a single attacking system, a large number of different ICT systems are used to conduct a large-scale coordinated attack. Via mass requests, e.g. to a website or server, the attack attempts to overload the targeted system. These attacks are particularly effective due to the large number of systems attacking simultaneously. See bsi.bund.de, last accessed on 26 August 2024.
  7. See, for example, Tremmel (2024).
  8. See, for example, bundesbank.de, last accessed on 16 August 2024.
  9. These are the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA).
  10. See “Start getting ready for DORA now”, bafin.de, last accessed on 16 August 2024.
  11. See the results of the working groups of industry, the Deutsche Bundesbank and BaFin in Hinweise zur Umsetzung von DORA im IKT-Risikomanagement und IKT-Drittparteienrisikomanagement, bafin.de, last accessed on 16 August 2024.
  12. See Commission Delegated Regulation (EU) 2024/1774 on RTS specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework (OJ L, 25 June 2024) and Commission Delegated Regulation (EU) 2024/1773 on RTS specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (OJ L, 25 June 2024).
  13. See European Banking Authority: Final Report on Guidelines on Internal Governance under Directive 2013/36/EU, last accessed on 26 August 2024. As the first line of defence, the business areas take risks and are directly and permanently responsible for their operational management. The risk management function and the compliance function form the second line of defence. As the third line of defence, the independent internal audit function conducts risk-based and general audits and reviews internal governance rules, processes and mechanisms to ensure that they are sound and effective and have been correctly implemented and uniformly applied.
  14. ICT assets refer to “software or hardware [...] in the network and information systems used by the financial entity”; see DORA Article 3(7).
  15. See 2022 Gartner Drivers of Secure Behavior Survey, gartner.com, last accessed on 16 August 2024.