DORA Internal Project

Eva Gomes

Created on December 4, 2023

DORA Internal Project: Briefing and Regulatory approach

INTERNAL PROJECT

PROJECT TEAM

Geographical approach

For the project development, a BSA approach will be considered in order to define the strategy.

project phases

STAKEHOLDERS DEFINITION

In line with the regulation's scope of application, the following impacted areas will participate and play a relevant role in this project.

Security & Privacy

Procurement

Emeal IT

Global BPO

Legal/Compliance & Risk Management

Global Production

01

What is DORA?

Digital Operational Resilience Act

DORA

The DORA Regulation arises from the need to harmonise and standardise the minimum requirements for the security of network and information systems currently in force at European Union level, given the importance of information and communication technologies (ICT) to companies and to the provision of financial services by financial entities.

MANDATORY COMPLIANCE: 17 JANUARY 2025


DORA GOALS

Due to the importance of information and communication technologies (ICT) in a sector that has gradually become digitalized, it is necessary to:

Prevent and mitigate cyber threats in the financial sector

Strengthen the digital operational resilience of entities operating in the financial sector

Standardize the requirements in this matter

Harmonize the ICT risk management regulations

Improve supervision by the competent authorities, with a special focus on the subcontracting chain

OPERATIONAL RESILIENCE DOMAINS

It is necessary to foster the ability to develop comprehensive visibility and understanding across all key areas, including:

PILLARS OF DORA

I. ICT risk management

II. ICT-related incident management, classification and reporting

III. Digital operational resilience testing

IV. ICT third-party risk management

V. Information sharing

02

How will DORA impact NTT Data?

DORA SCOPE

The scope of DORA encompasses both financial entities and third-party ICT service providers

Financial Entities

ICT third-party Service Providers


PRIMARY FOCUS AREAS FOR ICT SERVICE PROVIDERS

Main implications of DORA for ICT Service providers such as NTT Data:

Maintenance of Resilient ICT Systems

Collaboration with Financial Institutions

Documentation & Contractual Obligations

Facilitate Information to Supervisory Authorities

CONTRACTUAL OBLIGATIONS FOR ICT SERVICE PROVIDERS

Contractual obligations for ICT third-party service providers

Contractual obligations for Critical ICT third-party service providers

03

Information Under Review

ITS & RTS

Regulatory Technical Standards (RTS) & Implementing Technical Standards (ITS)

In addition to the DORA regulation itself, the framework includes a set of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). RTS specify how the regulation's requirements are to be applied so that they are met consistently across the European Union, while ITS set out the practical details of implementation (templates, formats and procedures) for specific aspects of the regulation.


The RTS and ITS that complement the DORA regulation have been developed in two batches, with submission deadlines of 17 January 2024 (first batch) and 17 July 2024 (second batch). DORA mandates the ESAs to jointly develop a total of 13 policy instruments.

RTS & ITS

ICT risk management framework (Chapter II)

ICT-related incident management, classification and reporting (Chapter III)

Digital operational resilience testing (Chapter IV)

ICT third-party risk management (Chapter V, Section I)

Oversight framework for critical ICT third-party service providers (Chapter V, Section II)

Questions and answers

10 min

THANK YOU ALL

David Vazquez Rozas

david.vazquez.rozas@emeal.nttdata.com

Eva Soraya Gomes Paz

eva.soraya.gomes.paz@emeal.nttdata.com

  • DORA establishes a set of contractual requirements that must be upheld within agreements between Financial Entities and ICT service providers
  • The framework distinguishes between regular and critical ICT service providers, where the latter will be subject to more stringent contractual obligations (specified in the next section)

Critical ICT third-party service providers

ICT third-party service providers

  • Clear and complete descriptions of all ICT functions and services to be provided
  • Location of all contracted and outsourced ICT functions and services are to be provided, especially for data storage sites
  • Assurance of data protection in terms of availability, authenticity, integrity and confidentiality
  • Guarantee stable access to data and ensure that it will be in an easily accessible format in the event of insolvency, resolution or interruption of operations
  • Detailed SLAs service level descriptions and their updates and revisions
  • Guarantee of full cooperation with competent authorities and the financial institutions
  • Participation in ICT security awareness programmes and digital operational resilience training activities of financial institutions
  • RTS to specify threat-led penetration testing (Art. 26.11)

The first batch is to be submitted by January 17, 2024

The second batch is to be submitted by July 17, 2024

  • Create a consistent ICT risk management framework that shall include strategies, policies, procedures, ICT protocols and tools
  • The ICT risk management framework must be well- documented, complete and updated
  • The appropriate segregation and independence of ICT risk management functions shall be ensured
  • The ICT risk management framework shall include a digital operational resilience strategy

Supervisory Authorities may request the following information and documents from ICT service providers:

  • business or operational documents
  • contracts
  • policies
  • documentation
  • ICT security audit reports
  • ICT related incident reports
Supervisory Authorities may also request information relating to parties to whom the critical ICT third-party service provider has outsourced operational functions or activities.

  • Financial entities shall:
    • define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents
    • record all ICT-related incidents and significant cyber threats
    • classify ICT-related incidents and determine their impact
    • report major ICT-related incidents to the relevant competent authority
  • Call for advice on criticality criteria (Art. 31.8) and fees (Art. 43.2)
  • Guidelines on cooperation ESAs – CAs (Competent Authorities) regarding DORA oversight (Art. 32.7)
  • RTS on harmonisation of oversight conditions (Art. 41)


ICT third-party Service Providers

DORA also addresses the risks arising from the financial sector's reliance on ICT third-party service providers and establishes an EU-level oversight framework for them. As an ICT (Information & Communication Technology) third-party service provider to financial entities, NTT Data will be subject to the DORA framework.

  • Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing
  • ITS to establish the templates of register of information (Art.28.9)
  • RTS to specify the policy on ICT services performed by third-party (Art.28.10)
  • RTS to specify the elements to determine and assess when sub-contracting ICT services supporting a critical or important function (Art.30.5)


  • The digital operational resilience testing programme shall include:
    • a range of assessments, tests, methodologies, practices and tools
    • for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments...
  • Financial entities shall carry out advanced testing by means of TLPT (threat-led penetration testing) at least every 3 years
  • Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework
  • Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards
  • For ICT services supporting critical or important functions, financial entities shall put in place exit strategies
  • Key contractual provisions
  • Financial entities shall maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by third-party ICT service providers

  • RTS on criteria for the classification of ICT related incidents (Art. 18.3)
  • RTS to specify the reporting of major ICT-related incidents (Art. 20.a)
  • ITS to establish the reporting details for major ICT related incidents (Art.20.b)
  • Feasibility report on further centralisation of incident reporting through the establishment of a single EU hub for major ICT-related incident reporting (Art. 21)


  • Maintain resilient ICT systems and have an appropriate ICT risk management framework that includes provisions for risk identification, protection and prevention, response and recovery
  • Realization of periodic tests of ICT business continuity plans
  • ICT providers must be able to collaborate with financial entities on their advanced testing of ICT tools, systems, and processes, especially their threat-led penetration tests
  • ICT providers must be ready to cooperate in cybersecurity awareness programs and digital operational resilience training activities of financial institutions
  • ICT providers should be able to provide information upon request on any ICT processes that Financial Entities rely on, including processes that are subcontracted by the ICT provider
  • Financial Entities can exercise audit and inspection rights over ICT service providers, especially when the provider supports critical or important functions of the Financial Entity
  • Establish notification deadlines and reporting obligations for any event that may materially affect the ability of the provider to effectively deliver ICT services that support critical or important functions
  • Participate and cooperate fully in the financial institution's threat-led penetration testing (TLPT)
  • Continuous performance monitoring of the provider requires unrestricted rights of access, inspection and audit by the financial institution or a designated third party
  • Facilitate exit strategies and transition periods to reduce the risk of disruption and allow the financial institution to migrate to another provider
  • Contemplate the use of standard contractual clauses developed by public authorities for specific services (yet to be published)
  • RTS on ICT Risk Management framework (Art.15)
  • RTS on simplified risk management framework (Art.16.3)
  • Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents (Art. 11.11)


DORA is primarily directed towards financial institutions, applying to more than 20 different types of financial entities, including:

  • (a) credit institutions
  • (b) payment institutions
  • (c) account information service providers
  • (d) electronic money institutions
  • (e) investment firms
  • (f) crypto-asset service providers
  • (g) central securities depositories
  • (h) central counterparties
  • (i) trading venues
  • (j) trade repositories
  • (k) managers of alternative investment funds
  • (l) management companies
  • (m) data reporting service providers
  • (n) insurance and reinsurance undertakings
  • (o) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries