The Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA) came into force on 16 January 2023, and on 19 June 2023 the European Supervisory Authorities (ESAs) launched a public consultation on the first batch of draft technical standards under DORA.

DORA is a cross-sectoral regulation which will apply to regulated financial service providers (RFSPs) such as (re)insurance undertakings and insurance intermediaries, banks, payment institutions, e-money institutions and investment firms, to name a few. Notably, DORA also applies to certain in-scope ICT third-party service providers. DORA aims to improve operational resilience in RFSPs, enabling them to withstand ICT-related disruptions and threats, having particular regard to the increased risk of cyber-attacks, and to further harmonise operational resilience requirements for all EU financial services firms.

Implementing Measures

DORA will be directly effective across EU Member States from 17 January 2025. In advance, the ESAs are required to develop and adopt regulatory technical standards to implement the DORA framework. Earlier this month (June 2023), the ESAs launched the first of two proposed batches of technical standards for public consultation, which includes the following regulatory technical standards (RTS) and implementing technical standards (ITS):

  • RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
  • RTS on criteria for the classification of ICT-related incidents;
  • ITS to establish the templates for the register of outsourcing information to be maintained;
  • RTS to specify the policy on ICT services performed by ICT third-party providers.

The second package of implementing measures must be finalised by 17 July 2024, and a public consultation on it is expected to be launched towards the latter part of 2023. This second package will address areas such as the:

  • classification of IT incidents as "major";
  • reporting arrangements and requirements for such incidents; and
  • framework around threat led penetration testing and aspects of the oversight arrangements for Critical Third-Party Providers.

Gerry Cross, Director of Financial Regulation, Policy and Risk at the Central Bank of Ireland (CBI) and Chair of the ESAs' Joint Sub-Committee on DORA Implementation, has been particularly vocal in anticipation of these implementing measures. In a recent speech delivered at an event organised by Amazon Web Services, Insurance Ireland and the European Fintech Association, Mr Cross stressed the importance of proportionality as a direct governing principle of the ESAs' approach, noting that

the framework has to be fit for application to firms of all types, sizes, shapes and levels of complexity. Proportionality is therefore essential.

At a high-level, Mr Cross explained that the ESAs are focused on three primary headings in developing these implementing regulations: (1) Risk Management; (2) Incident Reporting; and (3) Oversight of Critical Third-Party Providers (CTPPs).

1. Risk Management

Many of the risk management provisions contained in DORA will not be unfamiliar to the banking and insurance sectors, as the EBA and EIOPA have both issued guidelines on ICT security and governance in recent years. However, DORA now extends these principles to a wider range of firms. DORA expects firms to identify their ICT assets and to know how to protect those assets, including how to prevent incidents and detect unusual system behaviour, and, once incidents have been detected, how to respond to and recover from them. DORA also introduces mandatory threat-led penetration testing and sets a clear expectation as to how firms conduct ICT risk assessments when outsourcing ICT services to third-party providers. Firms will need to compile outsourcing registers in respect of ICT services provided by third parties. Templates prescribing the data that financial services firms have to collect and record will be provided under DORA, similar to the recent exercise carried out in the submission of outsourcing registers to the CBI in late 2022.

2. Incident Reporting

DORA aims to harmonise existing incident reporting requirements, including the recording of ICT incidents and significant cyber threats. The ESAs' consultation process will include consideration of what constitutes a "major incident". The recently adopted Network and Information Systems Directive 2016/1148 also contains incident reporting requirements, and Mr Cross noted that the interaction between the two regimes will be a key aspect of the ESAs' review.

3. Oversight of Critical Third-Party Providers

DORA introduces a new oversight regime for CTPPs in recognition of the important role that they play in the financial system. While CTPPs are not subject to formal supervision or regulation, they will be subject to oversight under DORA. The outsourcing registers mentioned above will provide data which will facilitate assessments as to the identification of CTPPs. The ESAs are now consulting on the criteria for determining which ICT third-party providers are deemed critical, which will no doubt yield some interesting feedback.

Timing – "important and challenging"

As noted by Mr Cross in his recent speech, the "timelines are important and challenging". DORA takes full effect in approximately 18 months' time (17 January 2025), which does not give Irish RFSPs significant lead-in time following the publication of the finalised implementing measures on 17 January 2024 and 17 July 2024 respectively. While some of the measures introduced by DORA will be reasonably familiar to certain sectors (for example, insurance), they will be a new development for many RFSPs and, in particular, for designated CTPPs which have not previously been subject to such oversight. It is clear from the CBI's messaging to date that it expects RFSPs to organise themselves effectively and to prepare in a manner that will

achieve the timely and high quality implementation of the [DORA] framework.
