With less than three months remaining until the implementation date of the EU Digital Operational Resilience Act (DORA), it’s worth highlighting recent developments in the EU’s efforts to facilitate firms’ transition to DORA compliance by the January 17, 2025 deadline.
In September 2024, the European Central Bank (ECB) published a paper on the European framework for threat intelligence-based ethical red teaming (TIBER-EU framework). The Paper aims to help national competent authorities (NCAs) and financial entities equip themselves to fulfil the threat-led penetration testing (TLPT) requirements under DORA.
The paper considers the benefits of the TIBER-EU framework for NCAs and financial entities in the context of DORA, and suggests that, because the framework is already established and widely used in the EU, it could readily serve as a common solution for financial entities in complying with their TLPT requirements under DORA.
Sixteen EU Member States have already implemented the TIBER-EU framework with more in the process of adopting it.
TIBER-EU is a common European framework that delivers a controlled, bespoke and intelligence-led red team test of financial entities’ critical live production systems. Sixteen EU Member States have already implemented the TIBER-EU framework with more in the process of adopting it, and others have expressed an interest in doing so.
The paper argues that the framework could operate as a handbook or a set of detailed guidelines on how to complete DORA TLPT in a qualitative, controlled and safe manner. Iit notes that it will give NCAs and financial entities comprehensive support in fulfilling TLPT requirements under DORA. In particular, it provides guidance on how NCAs, financial entities, threat intelligence providers and red team testers should work together to test and improve cyber resilience by carrying out controlled cyber attacks.
The ECB explains that there are no differences between the existing TIBER-EU framework testing process and the upcoming TLPT process set out in DORA.
Director appointed
On October 1, 2024, the European Insurance and Occupational Pensions Authority published a press release announcing that the Joint Committee of the European Supervisory Authorities (ESAs) has appointed Marc Andries as the Director to lead their joint oversight under DORA.
Mr Andries will lead the ESAs’ new joint Directorate in charge of oversight activities for critical information and communication technology (ICT) third-party providers under DORA. In such role, Mr Andries will be responsible for implementing and running an oversight framework for critical third-party providers at a pan-European scale.
ESAs’ 2025 Work Program
On October 4, 2024, the ESAs published their joint work program for 2025 (Work Program).
The Work Program sets out the ESAs’ priorities for 2025 which includes, among other things, digital operational resilience. The Work Program notes that the ESAs will continue to have a strong focus on DORA-related work and will also continue to co-ordinate the implementation of DORA.
By mid-January 2025, the Work Program states that the ESAs will have delivered all DORA policy mandates envisaged in Level 1 measures, following which the ESAs will focus on supervisory convergence work on the application of DORA framework. Notably, certain policy mandates (for example, incident reporting and TLPT) may require joint governance processes among authorities that will need to be further defined in 2025.
The ESAs will also begin to implement the oversight framework for critical third-party providers as well as the major ICT-related incident co-ordination framework required by DORA. In the first part of 2025, the ESAs will develop the necessary oversight procedures and methodologies, such as establishing the Oversight Forum and Joint Oversight Network, and collecting the relevant information to assess the criticality of the ICT third-party service providers. Following this, the ESAs will designate the first group of critical third-party providers, set up the Joint Examination Teams and begin the core oversight activities.
ESAs’ opinion on the Register of Information
On October 15, 2024, the ESAs published an opinion on the European Commission’s amendments to the draft implementing technical standards on registers of information under DORA.
In accordance with Article 28(3) of DORA, financial entities are required to maintain and update a register of information relating to all contractual arrangements on the use of ICT services provided by third-party service providers. Article 28(9) of DORA mandated the ESAs to develop draft standards on the usual templates for the purposes of the register of information. The Commission recently sent a letter to the ESAs rejecting the draft standards, on the basis that financial entities should have the choice of using European unique identifiers (EUIDs) as well as legal entity identifier for EU third-party service providers, and proposing a revised version of the standards.
In the published opinion, the ESAs set out their concerns regarding the introduction of the EUID as an alternative identifier. In particular, they consider that this would require unexpected implementation and maintenance efforts and costs for financial entities due to changes in the register templates and the need to collect and provide additional information.
Annexes 2 and 3 to the opinion set out proposed amendments to the draft standards intended to address the introduction of the EUID, if the Commission proceeds with its proposed policy. In addition, the ESAs suggest additional technical amendments to the standards, as a result of feedback received from the voluntary dry run exercise carried out by the ESAs during 2024.
Nathaniel Lalone is a dual-qualified lawyer (England, New York) and a rising leader in the field of providing cross-border regulatory and compliance advice to market infrastructures as well as sell- and buy-side firms active in the over-the-counter (OTC) derivatives, futures and securities markets. Ciara McBrien is an associate with a focus on Financial Markets and Funds.