DORA Compliance Update

Paul C Dwyer
The DORA (Digital Operational Resilience Act) regulation applies to most regulated financial firms. Its goal is to mitigate technology and cyber risks by enhancing firms' technology and cyber risk management and resilience. DORA establishes a regulatory framework that requires all firms to withstand, respond to, and recover from ICT-related disruptions and threats, including cyber-attacks. It also introduces a new "oversight" framework for critical third-party providers of ICT-related services, such as cloud services, to financial firms.

Both regulators and the industry face a challenging task, as the new framework came into play on January 16, 2023, with a 2-year implementation period. Therefore, it takes effect on January 17, 2025, leaving only 19 to 20 months to adapt. The tight deadlines are not arbitrary but reflect the importance and urgency of addressing tech and cyber risks, which pose threats to individual firms and potentially systemic stability.
To achieve timely and high-quality implementation, it is crucial to organize effectively. The Joint Sub-Committee consists of over 40 national competent authorities from across the EU, with observer participants from EU-level bodies like the ESAs, ECB, ENISA, SRB, and European Commission. Various working groups and drafting teams under the Joint Sub-Committee are working diligently on the framework's specifications.
The Central Bank of Ireland has established a set of guiding principles to shape their work approach, consisting of three direct principles and two enabling principles.
Direct Principles:

Momentum: The strong momentum from Level 1 negotiations is being carried forward to Level 2 actors, ensuring a swift start. The bank is committed to maintaining this forward momentum.

Pragmatism: Given the complexities and diversity of firms involved, the bank has chosen a pragmatic approach to avoid getting entangled in technical details. This involves a long-term perspective, aiming for timely, coherent, and comprehensive regulations while allowing for continuous learning, collaboration, and improvement over time.

Quality: The bank is committed to delivering a high-quality framework based on the Level 1 text that enhances resilience and risk management without compromising momentum or pragmatism.

Enabling Principles:

Proportionality: The new framework must be suitable for firms of all types, sizes, and complexities. Proportionality is key, and the Level 1 text already incorporates a considerable amount of it. The principle of proportionality will be closely considered throughout the process, with input and advice from the proportionality advisory committees of the ESAs.

Engagement: Effective engagement with stakeholders is essential for success. The bank recognises the importance of understanding the perspectives of all stakeholders, including firms, consumers, and other interested parties. In the case of DORA, the bank aims to receive valuable insights from interested parties to improve the regulations and maintain open communication about their approach and expectations.
Through events and consultations, the Central Bank of Ireland seeks to engage with stakeholders as much as possible to effectively develop and implement the new framework.
The Central Bank of Ireland has adopted five principles to guide their work and give a sense of their approach and desired regulatory outcomes. Their timelines are ambitious, aiming for high-quality products delivered promptly, but they also recognise that uncertainties and challenges may arise, requiring adjustments.
The new framework's target application date is January 17, 2025. Two key deadlines have been set by the Level 1 text: January 2024 for the first package of regulatory measures and July 2024 for the second package. These deadlines serve as the foundation for the bank's organization.
For the first package, consultation proposals are planned for summer, including the risk management framework, criteria for ICT-related incident classification, rules on outsourcing policies, and more.
The second package covers the remainder of the regulatory products, such as criteria for classifying IT incidents as "major," reporting requirements for such incidents, threat-led penetration testing framework, and oversight arrangements for Critical Third-Party Providers (CTPP), among others. Consultation proposals for these aspects are aimed for the latter part of the year.
In addition to the mandates given to the ESAs under the Level 1 text, the bank has received a Call for Advice from the Commission at the start of the year. This request seeks advice on criteria for designating CTPPs as critical and calculating fees for their oversight. The deadline for this advice is September, leading the bank to plan a separate consultation paper on these aspects for summer, likely a bit earlier than the other Summer 2024 consultations.
The Central Bank of Ireland's regulatory outputs can be categorised into three areas: (1) Risk Management, (2) Incident Reporting, and (3) Oversight of Critical Third-Party Providers. Here, we'll focus on Risk Management.
ICT risk management, as covered in DORA's Chapter II, has been a key principle in the industry for around 20 years. Initially, it was a part of best-practice frameworks like COBIT, but it eventually became mainstream with guidelines issued by EBA in 2019 and EIOPA in 2020. DORA expands these principles to a wider range of firms, ensuring proportionality and accommodating smaller entities with simplified ICT risk management expectations.
Risk management aims to mitigate inherent risks to acceptable levels, including cyber and IT risks. Firms must have a clear understanding of their ICT assets to identify and address potential risks. DORA requires firms to identify, classify, and document ICT-supported business functions and related assets. This helps in protecting assets, preventing incidents, and detecting unusual system behaviour.
ICT resilience testing is a vital aspect of identifying ICT risk. DORA mandates threat-led penetration testing (TLPT) for larger financial firms, following the TIBER-EU framework of the ECB. Consultation on this will be issued later in the year.
DORA also outlines expectations for financial firms conducting ICT risk assessment when outsourcing ICT services to third-party providers. The same risk understanding is expected, whether the services are provided in-house or by a third party. DORA requires registers of information for all contractual arrangements regarding ICT services from third-party providers, providing templates to guide data collection and recording. The Central Bank of Ireland has successfully implemented similar outsourcing templates across all supervised sectors.
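The two paragraphs above describe the same underlying requirement: know which ICT assets support which business functions, whether they are run in-house or by a third party, and document them well enough that risk can be assessed consistently. The following is an added illustration, not code from the article, the Central Bank of Ireland or the ESAs: a small asset inventory in which criticality is inherited from the business function an asset supports and then rolled up per third-party provider, with a check for documentation gaps. The field names, the "critical"/"standard" labels and the sample firm data are constructed assumptions, not DORA's register-of-information template.

```python
"""Added example: ICT asset inventory with criticality propagation.

Assumed, constructed model (not the DORA template): a business function is
either critical or not; an asset inherits "critical" if it supports any
critical function; a provider is flagged if it supplies any critical asset.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class BusinessFunction:
    name: str
    critical: bool  # would disruption impair the firm's core services?


@dataclass
class ICTAsset:
    asset_id: str
    description: str
    supports: list[str] = field(default_factory=list)  # business function names
    owner: str | None = None
    provider: str | None = None        # third-party provider, None if in-house
    classification: str | None = None  # data classification label (constructed)


def classify_assets(functions: list[BusinessFunction],
                    assets: list[ICTAsset]) -> dict[str, str]:
    """Map asset_id -> "critical" or "standard", inherited from the most
    critical business function the asset supports. An asset that points at a
    function nobody documented is an inventory defect, so it is an error."""
    crit = {f.name: f.critical for f in functions}
    result = {}
    for a in assets:
        unknown = [s for s in a.supports if s not in crit]
        if unknown:
            raise ValueError(f"{a.asset_id} references undocumented function(s): {unknown}")
        result[a.asset_id] = "critical" if any(crit[s] for s in a.supports) else "standard"
    return result


def documentation_gaps(assets: list[ICTAsset]) -> list[tuple[str, str]]:
    """Return (asset_id, reason) pairs for assets that cannot yet be risk-assessed."""
    gaps = []
    for a in assets:
        if not a.owner:
            gaps.append((a.asset_id, "missing owner"))
        if a.classification is None:
            gaps.append((a.asset_id, "missing data classification"))
        if not a.supports:
            gaps.append((a.asset_id, "no business function mapped"))
    return gaps


def third_party_register(functions: list[BusinessFunction],
                         assets: list[ICTAsset]) -> dict[str, dict]:
    """Group externally provided assets by provider and record whether the
    provider supports any critical function. This is the kind of view a
    register of contractual arrangements needs so that the same risk
    questions are asked of a third party as of an in-house system."""
    crit = classify_assets(functions, assets)
    register: dict[str, dict] = {}
    for a in assets:
        if a.provider is None:
            continue
        entry = register.setdefault(a.provider, {"assets": [], "supports_critical": False})
        entry["assets"].append(a.asset_id)
        if crit[a.asset_id] == "critical":
            entry["supports_critical"] = True
    return register


# Constructed sample data for a fictional firm (not from the article).
FUNCTIONS = [
    BusinessFunction("payments", critical=True),
    BusinessFunction("customer-onboarding", critical=True),
    BusinessFunction("internal-reporting", critical=False),
]
ASSETS = [
    ICTAsset("core-banking-db", "core ledger database", ["payments"],
             owner="ops-team", classification="confidential"),
    ICTAsset("kyc-saas", "identity verification service", ["customer-onboarding"],
             owner="compliance", provider="ExampleKYC Ltd", classification="confidential"),
    ICTAsset("bi-dashboard", "management reporting tool", ["internal-reporting"],
             owner=None, provider="ExampleCloud", classification="internal"),
    ICTAsset("cloud-storage", "object storage", ["payments", "internal-reporting"],
             owner="platform", provider="ExampleCloud", classification=None),
]

if __name__ == "__main__":
    for asset_id, level in classify_assets(FUNCTIONS, ASSETS).items():
        print(f"{asset_id}: {level}")
    for asset_id, reason in documentation_gaps(ASSETS):
        print(f"GAP {asset_id}: {reason}")
    for provider, entry in third_party_register(FUNCTIONS, ASSETS).items():
        print(f"{provider}: {entry}")
```

Two points the sample makes that the prose leaves implicit: a non-critical-looking asset (object storage) becomes critical as soon as one critical function depends on it, and a single provider can end up supporting critical functions through several unrelated assets, which is exactly the dependency a register of information is meant to surface.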
DORA aims to standardise incident reporting requirements, expecting firms to record all ICT incidents and significant cyber threats. This is crucial for individual firms and authorities to be well-informed about patterns, trends, risks, and threats in the interconnected financial system. The criteria for determining "major" incidents will be consulted on during the summer, with a focus on effective supervision and overall financial system resilience.
It is essential that DORA's incident reporting requirements work seamlessly with other frameworks, such as the NIS2 Directive. The Joint Sub-Committee is considering this aspect while developing its work, with ENISA participating as an observer.
The new oversight regime for Critical Third-Party Providers (CTPPs) under Section II of Chapter V of DORA is important for maintaining the financial system's digital operational resilience. CTPPs play a significant role in the functioning of the financial system by providing outsourced services. Regulated financial entities must retain full responsibility for outsourced activities and comply with the principles and rules established in DORA and its implementing regulation.
CTPPs are subject to oversight rather than formal regulation or supervision. Components of this oversight framework include the registers of outsourced services that financial entities must maintain, which will help identify critical third-party ICT service providers. The Joint Sub-Committee is consulting on proposed templates and contents for these registers during the summer.
The criteria for determining critical third-party providers will be established, with the European Commission seeking advice from the ESAs. A separate consultation is planned for early summer. Lastly, the operational arrangements needed for implementing the new oversight regime will be put in place. The Joint Sub-Committee is working on draft Regulatory Technical Standards and guidelines on cooperation between the ESAs and CAs, with July 2024 deadlines for completion and consultation scheduled for later in the year. The ESAs' secretariats are concurrently working on operational aspects of implementing the new regime.