Navigating DORA | Simplified ICT Risk Management Framework with Proportionality in Mind
The upcoming DORA regulation increases the pressure on financial institutions and critical ICT service providers to manage cybersecurity threats and enhance their digital resilience. However, not all organisations are treated equally. DORA incorporates a proportionality principle, allowing smaller and less complex institutions, in some cases, to apply simplified requirements and thereby achieve DORA compliance. How do you navigate these simplified requirements, and what considerations should you keep in mind when applying the overall proportionality principle to tailor to these requirements?
Discover more about the S-RMF in our upcoming webinar on December 7, register here.
Decoding simplified – Does the remedy serve the purpose?
A range of small and non-interconnected investment firms, payment institutions, electronic money institutions and small institutions for occupational retirement provision can apply DORA’s Simplified ICT Risk management framework[1]. However, at a glance, the requirements do not seem simple at all. This article is based on known facts today; the DORA regulation and the draft Regulatory Technical Standards (RTS) regarding Article 16[2], which stipulates the requirements for the Simplified ICT Risk Management Framework (S-RMF).
Article 16 of DORA presents the requirements for S-RMF and can, at the onset, be enticing as the article is short (in comparison to Articles 5-15 which describe the full-fledged ICT risk management framework). Hidden in the short three paragraphs of Article 16 is quite an austere program to follow, and consulting the RTS reveals a rigid framework. Although this may not be an easy task, we believe there is higher degree of proportionality to leverage in the S-RMF compared to the standard ICT Risk Management Framework.
Requirements from a high-level perspective
- Risk management framework that encompasses ICT risks.
- Information security arrangements to monitor the security of the institutions and minimise the potential impact of a cyber-attack.
- Provisions to detect incidents and anomalies.
- Identification of key dependencies of ICT third-party providers.
- Arrangements for business continuity management.
- Testing arrangements for all of the above.
Requirements from the comprehensive perspective of RTS
The accompanying RTS provides further details on the above requirements, revealing the extent of these requirements. They include obligations for the Board of Directors to define the risk appetite for ICT risk, including the definition of information security objectives. The Board should also receive information regarding the institute’s information assets, key ICT risks identified, results of the business impact analysis, and business continuity plans (including response and recovery plans). Additionally, on a yearly basis, the Board should allocate and review the operational resilience budget, ensure the existence of outsourcing policies, receive reports on the status of information security, and verify that procedures are in place to protect all information and ICT assets.
Furthermore, the organisation should have an information security management system (ISMS) implemented with appropriate ICT security measures to mitigate ICT risks (including risks at third-party providers). All critical or important functions, information assets and ICT assets must be classified. We recommend applying the ISO 27000 standard, as it comprehensively addresses most aspects of DORA.
Concerning the risk framework, the RTS on S-RMF defines specific requirements on the capabilities for ICT risk management. Finally, the RTS also contain specific requirements regarding the reporting on the review of the S-RMF, with detailed specifications on the content.
Key takeaways
The S-RMF may not delve into the complexities of the overall RTS for the ICT risk management framework, it broadly encompasses the same areas as Article 15 that need to be addressed. It aligns with the structure of other RTS documents, providing detailed descriptions of the capabilities that financial institutions must uphold.
The proportionality of the simplified approach is likely to restrict deviation from the specified capabilities. However, it does allow for interpretation, particularly regarding the depth of the requirements. For instance, The RTS specifies that the institution is required to establish and implement an ICT security testing plan. The aspect of proportionality comes into play when determining the types of tests to be conducted, the systems and applications involved and their timing for their execution. Therefore, the S-RMF does indeed provide some relief from the strict requirements of DORA but is, in itself, (based on the companies the S-RMF targets) quite austere. To ensure compliance withstands FSA scrutiny, we recommend thorough documentation of the interpretation of requirement depth. Leverage the overall proportionality principle and tailor the requirements according to the organisation’s size, complexity, inter-connectedness and potential risk exposure.
Discover more about the S-RMF in our upcoming webinar on December 7, register here.
[1] small and non-interconnected investment firms, payment institutions exempted pursuant to Directive (EU) 2015/2366; institutions exempted pursuant to Directive 2013/36/EU in respect of which Member States have decided not to apply the option referred to in Article 2(4) of this Regulation; electronic money institutions exempted pursuant to Directive 2009/110/EC; and small institutions for occupational retirement provision.
[2] Draft Regulatory Technical Standards to further harmonise ICT risk management tools, methods, processes and policies as mandated under Articles 15 and 16(3) of Regulation (EU) 2022/2554.