Does DORA require directors of financial entities to become ICT experts?
Interview with Francis Kass, Partner in the Investment Management practice area of Arendt & Medernach
The Digital Operational Resilience Act (DORA) entered into force on 16 January 2023 and will apply as of 17 January 2025. We recently interviewed Francis Kass, a partner in Arendt & Medernach’s Investment Management practice area, about the latest developments and the way forward.

Does DORA require directors of financial entities to become ICT experts?

“No, DORA does not require financial entity directors to become ICT experts,” said Francis Kass, a partner at Arendt & Medernach, “but they must actively ensure they have sufficient knowledge and skills, thus enabling them to understand and assess ICT-related risks and their potential impact on the operations of the financial entity”.

The EU’s Digital Operational Resilience Act will apply from 17 January 2025 and will harmonise digital resilience rules for the financial sector across all EU Member States. The final, detailed Level 2 rules have yet to be published, but the CSSF is already encouraging the industry to prepare, as the broad outlines are clear.

Broad financial sector impact

Almost all financial services firms are affected, be they credit institutions, payment institutions, e-money institutions, investment firms, investment fund managers or insurance undertakings. “Although other entities such as investment funds are not directly in the scope of DORA, they are nevertheless in the scope of GDPR and the board of any company should assess which ICT risks are potentially affecting the company and its service providers,” said Mr Kass. “If there is an ICT-related incident affecting the shareholders or investors in a company, the latter will challenge the board and will question whether the board has adequately protected the company’s data and assets. It is therefore in the interest of the board of any company (even those not directly in scope of DORA) to make sure that adequate measures are taken to protect the company against ICT risks”, he added.

Ensuring good governance

Ultimately, DORA requires financial entities to have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk. There is already regulation of this nature in place, for example, the NIS Directive (for those falling under its scope), the GDPR, and the CSSF circulars on outsourcing arrangements or on ICT-related incident reporting. DORA does, however, put greater emphasis on the ultimate responsibility of the management body for managing the financial entity’s ICT risk. Also, competent authorities will be given the power to apply penalties to members of the management body and other individuals who are responsible for breaches of DORA.

DORA emphasises that the management body must maintain a pivotal and active role in steering and adapting the ICT risk management framework and the overall digital operational resilience strategy. The management body’s approach should also cover people and processes, through a set of policies that cultivate a strong awareness of cyber risks and a commitment to strict cyber hygiene at every corporate layer and for every individual staff member. The management body’s ultimate responsibility for managing the financial entity’s ICT risk is the overarching principle of this comprehensive approach.

Business decisions

The principle of the management body having full and ultimate responsibility for the management of ICT risk goes hand in hand with the need for the management body to secure an adequate level of ICT-related investments and operating budget. These should enable the financial entity to achieve a high level of digital operational resilience.

So what should directors be doing now? They are responsible for ensuring that an adequate ICT risk management framework is implemented. This includes, in particular, setting clear roles and responsibilities for all ICT-related functions as well as implementing policies and procedures on ICT business continuity, ICT internal audit plans, the use of ICT third-party service providers, and reporting. For this purpose, the board should create a DORA task force, perform a gap analysis and define an action plan.

Training courses

Mr Kass advised that members of the management body of the financial entity are required to follow specific training on a regular basis to equip them to make the necessary business decisions on a well-informed basis. ILA has organised presentations and discussions about the implications of DORA for directors. Arendt & Medernach also offers training courses on DORA and can further assist inter alia by performing gap analyses, defining ICT governance models, drafting policies and procedures, and drafting, reviewing and/or negotiating agreements with ICT service providers, as well as managing ICT incident events.

“Every organisation will face ICT-related attacks or data breaches,” said Mr Kass. “While risk cannot be eliminated, DORA gives added impetus to boards to ensure their organisations are resilient.”

Francis Kass
Partner at Arendt & Medernach
