DORA implementation firmly on track according to EU regulators

Remarks by Gerry Cross of the Central Bank of Ireland also highlight challenges and provide useful details.

A 2023 Regulatory Series session hosted by A&L Goodbody LLP heard the positive assessment on DORA from Cross, who is Director of Financial Regulation, Policy and Risk at the Central Bank of Ireland.

He indicated that the first phase of DORA implementation, which requires the Joint European Supervisory Authorities to develop regulations on risk management, incident classification and outsourcing, is on track for submission to the EU Commission in January 2024. The regulations on outsourcing will include a “register of outsourced services to be maintained by firms”.

The second phase, focusing on major incident reporting, penetration testing as well as subcontracting chains, will start with a consultation to be published “in the coming weeks” with a response deadline of the “middle of the year.”

He also indicated that “the work to implement DORA by the deadline of January 2025 remains firmly on track.”

Key challenges

The speech drew attention to some key challenges facing the implementation of an effective digital operational resilience framework:

  • cross-sectoral nature of the issue;
  • diversity of risks and threats;
  • highly dynamic risk and threat landscape;
  • fragmentation of the ecosystem;
  • technical complexity.

In order to address these challenges the overall regulatory approach of DORA has been:

  • wide-scope and cross-sectoral;
  • inclusive of all parties reflecting key relationships within the ecosystem;
  • third-party services focused;
  • prompt – with the new regime in place two years after the legislation was adopted.

After discussing the principles guiding the implementation of the new framework, Cross turned to some of its noteworthy aspects. He said DORA:

  • builds on the existing regulatory structure for ICT risk management with a strong emphasis on outsourcing and the management of third-party risk, including sub-outsourcing risk;
  • will require firms to establish comprehensive digital operational resilience testing proportionate to their size and sophistication, with larger entities required to carry out more advanced testing based on threat-led penetration testing (TLPT);
  • will supersede most other incident reporting requirements for the sector and is expected to lessen the reporting burden as a result; and
  • will identify and designate critical third party providers (CTPPs) falling within the new oversight regime.

Important for financial services firms and any potential CTPPs is the EU Commission consultation on the draft delegated regulation which specifies criteria and fees relating to critical ICT third-party service providers. The feedback period on this draft regulation will close on 14 December 2023.

Cross pointed to the distinction between ‘oversight’ and ‘supervision’ and suggested that CTPPs do not “fall directly within the regulatory framework” but remain “the responsibility of regulated financial entities”. A regulatory technical standard (RTS) on the conduct of this oversight is “being finalized for public consultation in the coming week.” This RTS will not include details of the operational functioning of the framework; those will be found in “arrangements” that are currently under development.

GRIP View

This is a very informative speech and an excellent practical update on the regulatory progress being made in implementing DORA.

The publication of a number of RTSs over the coming months will complete the regulatory framework being established and may give more insight into the operational workings of the new regime. As indicated in the speech, however, the actual practical workings of the new rules will be worked out between the European Supervisory Authorities and the National Competent Authorities.

The distinction between oversight and supervision is a nuanced one and it remains to be seen how precisely this might actually function in practice. The powers accorded to the European and National authorities in connection with third-party oversight seem to be far-reaching and have some teeth.

Given the potential impact of DORA not only on financial institutions but also on the entire third-party ecosystem supporting them, this is one to watch very closely.