My Definition Is… a quick overview of Article 3 of DORA – “Definitions”


The EU Digital Operational Resilience Act (DORA) seeks to protect financial entities within the EU by providing a legal framework for the operation and continuity of service within the realm of information and communications technology (ICT).


Article 3 of DORA, “Definitions”, contains the base-level definitions of ICT concepts and financial entity clarifications which will make the regulation easier to police and understand.

ICT and cybersecurity are never short of alternative explanations for concepts. The meaning of certain terminology can change depending upon whom one might ask for an explanation.


This isn’t acceptable for a regulation which needs to be applied across 27 Member States (and presumably the three additional countries in the European Economic Area: Norway, Liechtenstein and Iceland). “Well… we interpreted that phrase from our perspective!” is a line which would undermine any regulation, so Article 3 draws some strong, expansive lines in the sand.

Sections 23 to 50 provide the definitions of things like a “credit institution” or an “investment firm” in order to categorise businesses and their operations to a standard across the EU which is understandable (and enforceable).

Section 1 seeks to define “digital operational resilience” as meaning “the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.”

This is laying out the guidelines for where DORA must take effect. This is immediately looking to build supply chain management into operational resilience “by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.” (my italics).

For compatibility with other regulations and directives, for the matters relating to “network and information systems” and “security of network and information systems” we are referred to Directive (EU) 2016/1148 (the NIS Directive), points 1 and 2 of Article 4 respectively, “concerning measures for a high common level of security of network and information systems across the Union.”

Under Directive 2016/1148, Article 4 (1) ‘network and information system’ means:

(a) an electronic communications network within the meaning of point (a) of Article 2 of Directive 2002/21/EC;

(b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or

(c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance.

Under Article 4 (2) of Directive 2016/1148:

‘security of network and information systems’ means the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.

For any cybersecurity people out there, section 2 of Article 4 of Directive 2016/1148 touches on the Confidentiality-Integrity-Availability triad that is common parlance, with “authenticity” added to sweeten the dish.

As we can see, “electronic communications network” takes its meaning from point (a) of Article 2 of Directive 2002/21/EC, which states:

‘electronic communications network’ means transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.

As ‘robust definitions for electronic communications networks’ go, that’s quite robust and should leave no one with any technical capability unsure of what an electronic communications network is and what it means within the context of Article 4(1) (a) of Directive 2016/1148 and thence into Article 3, Point (3) of DORA.

This “waterfall effect” for definitions in EU law means that we aren’t considering the definition of ICT elements from different technological, cultural or language perspectives, allowing for the regulation to be equally applied across the 27 Member States.

There are definitions for “ICT risk” and “information asset” which will resonate with cybersecurity professionals: the EU hasn’t sought to reinvent the wheel, so these definitions are reasonably unassailable, written to avoid changing fairly well-accepted meanings of the terms.

DORA Article 3, Point 6 defines “ICT-related incident” as “an unforeseen identified occurrence in the network and information systems, whether resulting from malicious activity or not, which compromises the security of network and information systems, of the information that such systems process, store or transmit, or has adverse effects on the availability, confidentiality, continuity or authenticity of financial services provided by the financial entity.”

Fair enough.

Article 3, Point 7 defines a “major ICT-related incident” as an “ICT-related incident with a potentially high adverse impact on the network and information systems that support critical functions of the financial entity.”

This may appear a little odd, on first view. We must remember that within DORA there is an obligation to report major ICT-related incidents to European Supervisory Authorities (ESA) and so Point 6 outlines the definition of an ICT-related incident, whilst Point 7 deals with the scale of an ICT-related incident which may require a report to be sent to an ESA.

A ‘cyber threat’ is referred to Regulation (EU) 2019/881, Article 2, point 8, where a ‘cyber threat’ means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons.

Regulation (EU) 2019/881 is the regulation “on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)”.

We then see definitions of things like “threat intelligence”, “defence in depth” and the definitions for “ICT third-party risk” and more.


As a cybersecurity professional it is imperative to immerse oneself into the detail of these definitions so that one can deal with what the EU defines, rather than the rainbow of nuanced definitions which are abundantly available within the cybersecurity profession. I have been a party to impassioned debates about the minutiae of definitional terms – DORA tells us what these terms mean in the regulation. No further debate is invited or acceptable outside of a court of law.

The good news is that DORA doesn’t seek to radically redefine terminology. I know that some cybersecurity experts might bristle at additions to the Confidentiality-Integrity-Availability (CIA) triad, but the EU is trying to create a framework to protect the Finance industry, not to preserve the cybersecurity discipline in aspic.

I have read through the 21 points which apply to cybersecurity/operations and can find nothing which jars with my knowledge and experience (I’m a little ‘salty’ about additions to the CIA triad, but I’ll get over it).

Point 22 of Article 3 defines the ‘management body’ by reference to other regulations and directives. This point seeks to underline that being a manager with control within the organisation isn’t reliant on a job title, as these invariably change over time. If you are an “assistant” by designation and your work has developed over time so that you make decisions on fundamental elements of operations, you are a part of the management body, regardless of your designation.

In the UK, in the gambling game of Bingo, “22” is often called out to players as “two little ducks” because of the shape of the numbers.

I find it slightly amusing that point 22 is essentially saying “If it quacks like a duck, walks like a duck, swims like a duck – it’s a duck” when dealing with who sits within the management body. There’s no avoiding the responsibility if your job title has been diminished to “protect” the individual. With job title escalation (Managing Directors became CEOs, directors became either “C suite” or “vice presidents”) the strength of point 22 is that the EU – and DORA – doesn’t need to track the fashions and whims of job titles as time progresses.

These definitions underpin the regulation. My next piece, regarding Article 4 “Governance and Organisation” will begin to draw on these definitions as we move from the “what” to the “why” in terms of DORA and its roles and responsibilities.

Incredible collaboration with Dr. Rois Ni Thuama from Red Sift. As Steve Jobs once said, "Great things in business are never done by one person; they're done by a team of people." Your joint effort is clearly manifesting this.

Your collaboration with Dr. Rois Ni Thuama highlights the importance of expert insights when navigating complex regulations like DORA. Generative AI can assist by synthesizing vast amounts of regulatory text, providing summaries and suggesting compliance strategies, enhancing the quality of your work efficiently. Let's explore how generative AI can streamline your analysis and interpretation of such laws, saving you time while maintaining depth. Book a call with us to unlock the potential of generative AI in your cybersecurity endeavors and ensure operational resilience. Christine

Kameshwari Kamaleshkumar

Information Security, Infrastructure Security, Information Risk Management, and Security Compliance, Legal, Data Governance

1 year

Does DORA speak about the policy related to IAM and Security, responsible for cloud (future work and labor)? If so, could the team help with the Article no.?

Excellent article, Mark. Richard Long – you may find this of interest.

Sasha Lawrence PGD

Level 2 Risk Officer @ Derivco, Information / Cyber Security & Risk evangelist and DJ

2 years
