Transcript: Dr Katarzyna Parchimowicz podcast

Dr Parchimowicz runs us through why DORA is being implemented now and what it means for firms that could be designated as CTPs.

This is a transcript of the podcast episode Dr Katarzyna Parchimowicz on DORA between GRIP’s senior reporter Carmen Cracknell and Dr Katarzyna Parchimowicz, assistant professor at the University of Wroclaw in Poland.

[INTRO]

Carmen Cracknell: Hello listeners. Today’s episode will focus on the Digital Operational Resilience Act, more commonly known by the acronym DORA. DORA entered into force in 2023 and will become applicable in 2025. To discuss this, I’m joined by Katarzyna Parchimowicz, Assistant Professor at the Academic Excellence Hub – Digital Justice Center of the University of Wroclaw. She’s also Associate Researcher at the European Banking Institute and Research Associate at the Amsterdam Center for Law & Economics.

Katarzyna’s research focuses on international and EU financial regulation, especially the regulation of global, systemically important banks and new technologies in the financial system. The research discussed in this podcast was conducted under the Legal Research Programme 2022, sponsored by the European Central Bank. The views expressed are those of the author and do not represent the views of the bank or the Eurosystem.

It’s great to have you here, Kata. Could you start by telling us about you in your own words and how you came to research in particular DORA?

Katarzyna Parchimowicz: Yeah, so I’m assistant professor at the Digital Justice Centre of the University of Wroclaw. I basically saw a call for papers published by the European Central Bank. This was within the European Legal Research Programme. The one topic that they suggested was the increasing recourse to cloud services.

It was without the reference to DORA at that moment, but I researched the cloud in the financial system. When I looked through all the weird outsourcing guidelines and all that, I got to DORA, first the proposal and then finalized version. I thought that’s actually very, very interesting and it has so many more angles than just the cloud. That’s how I started this research. Also my digital justice centre, we look into law from different technological angles.

That’s why I also was tempted with the topic to begin with. So DORA, as you said, is the Digital Operational Resilience Act. But what this name does not imply is that it’s an EU regulation on digital operational resilience, but for the financial sector. So it’s a sector-specific regulation. And furthermore, what it means is that the regulation is actually directly binding in the EU. It does not need to be transposed into the national legal regimes of member states. It’s just the provisions you see, they are directly binding in all member states.

That’s why DORA is so, so important and many people are so scared of DORA.

Carmen Cracknell: Which leads to my next question. Why exactly is it important right now?

Katarzyna Parchimowicz: Basically I think we can safely say that all financial institutions use ICT services, the Information and Communication Technology Services. And that generates many different risks. So first of all, the risks we probably all know, the operational risks. So when there is a bug in the system or when the cable burns down or whatever, then we have some externalities and we need to cope with that. There is also concentration risk. So the risk that many financial entities will rely on the same provider, which will create this link between them that we don’t necessarily want there.

And lastly, the overarching risk that can stem from these types is the systemic risk. So that’s the risk that basically when something happens at one entity, the entire financial sector can be in danger of collapsing. And of course we don’t want that. And as you can imagine, in the recitals of DORA, it’s actually even said directly.

We have approximately 22,000 financial entities covered by DORA. And you can imagine if something happens at one of them, then it can really spread very quickly to all the others. And this is what DORA is for. And this is why it’s important to protect the financial system from this contagion and from problems that can actually stem from this contagion. Well, will it work? Will it succeed when it comes to that protection? This is, I guess we will see. We all hope it will.

Carmen Cracknell: Yeah. Has anything like this been implemented in the past or is this the first time this is being tried out?

Katarzyna Parchimowicz: No, this is the very first time. And that’s why everyone was so excited about DORA because this is really unprecedented. Also because of the form of regulation I mentioned before, because we saw some cyber risk oriented directives. So the NIS and the NIS 2 directives. But this was all, as I said, more nationally oriented because member states had to implement these rules. And this is something that works in, we hope it will work in the same way, but the same provisions will be binding in the entire EU. And so this is very exciting to see how it will work out. We keep our fingers crossed, but also with a dose of skepticism.

Carmen Cracknell: Yeah. And it’s very timely, I guess, due to the explosion in cybersecurity attacks on firms, right?

Katarzyna Parchimowicz: Yeah. Yeah. That’s for sure. And it’s not only cybersecurity attacks that we sometimes hear about. And we always imagine these hackers that are kind of breaking some codes and they get into the systems they shouldn’t have access to. But then on the other hand, we also have all these operational failures that can happen. And they are actually much more common than the attacks.

And also, you know, just human failure, just, you know, clicking something. We always laugh that, OK, we cannot do anything wrong when we click incorrectly. But at some level of, you know, advanced systems, you actually can do harm when you click. And so this is all covered by DORA. This is all the digital operational resilience. And we really hope it works, especially because it’s about the financial sector. And, you know, just to put it simply, we want our money to be safe and we don’t want to have any more problems stemming from the financial sector than the ones we kind of already lived through.

Carmen Cracknell: So where are we now? And what is the timeline towards the implementation of DORA?

Katarzyna Parchimowicz: So the final text of DORA was published in December 2022. And then in January, it entered into force. But what is important and not everyone gets the difference, it wasn’t directly applicable. There is this two year buffer before it will be applied. So it actually will be applicable starting in January 2025.

But what actually no one mentions is that, you know, the final text of DORA was published in December 2022. But still many technical standards have to be published by European Supervisory Authorities, European Commission and so on. So the final final, so to say, DORA framework will probably be published sometime this year, which gives the entities, both financial entities and the vendors, the ICT providers, much less time to actually prepare for January 2025. Yeah.

Carmen Cracknell: Less time?

Katarzyna Parchimowicz: Yeah, yeah. Less time because, you know, in theory, you have two years, but within these two years, still some new technical standards that are more detailed than the provisions of DORA are published. So, you know, it’s basically you have the main text, but then you get more details and you need to adjust to the technical standards.

Carmen Cracknell: What does that mean for firms? I mean, are they going to request that it be pushed back? Is there any way for firms to get an extension?

Katarzyna Parchimowicz: I don’t really think so, because, you know, it’s always like that with regulations in the EU that there are always additional legal acts, technical standards that are basically specifying the criteria included in the original act. And one can say the entities are more or less kind of used to it. They expected that, but it doesn’t change the fact that it leaves them with not that much time because, you know, just this September some new technical standards were published by the European Supervisory Authorities. And, you know, this leaves the entire financial and ICT services system only a year, a year and a couple of months before they will actually be applied. So, yeah.

Carmen Cracknell: Yeah. So we’ve talked about why DORA is so important for financial institutions in particular. What do you think the key challenges are for those firms?

Katarzyna Parchimowicz: There will be many at different stages, probably.

First of all, when it comes to adopting the ICT services or maybe adjusting because, you know, it’s not like it’s like they are starting to use ICT services. The minute DORA is applicable, they are doing it already now. So adjusting this will be a challenge because they will have to make some important decisions.

For instance, which service provider to choose or to stick to? So whether to look into concentration risk. So the risk of over-dependence I mentioned. So there will be, of course, the question if the entity choosing the provider wants to be part of this broader network, wants to be interconnected and wants to rely on a provider that many other entities depend on, which can have, of course, advantages and disadvantages. Then also when it comes to third country providers, the rules will change. So decisions in that aspect will also have to be made.

Again, there is another term of critical provider. So also the financial entity will have to decide whether to sign a contract with a critical provider or not. More, there will also be many challenges when it comes to drafting or adjusting contracts because DORA is putting light on the issue of layering. Layering is basically – I really like that example – so when we sign a contract with Netflix, when we buy Netflix, this is our contract with Netflix. But Netflix has another contract with Amazon Web Services for them to provide infrastructure. And we as the Netflix user do not have any influence on the content of that second contract.

So this is what is happening also with financial entities that they don’t really know who the subcontractors are. Sometimes they do, but most of the times they don’t. And they will have to kind of look into that because of DORA too.

Of course, there are requirements when it comes to data security. They are not really novel. There’s nothing new in DORA, but still they are stressed many times and the most important aspect, financial stability and the entire framework for ICT risk management that will have to be established actually from scratch in most of these entities.

Carmen Cracknell: Right. It sounds very much like a lot to take on. Let’s talk about the testing for operational resilience and threat-led penetration testing. Do you think this will be a challenge?

Katarzyna Parchimowicz: Yeah, definitely. DORA prescribes two main types of testing. So I call it the general testing – when you basically need to test almost everything. So the source code reviews ought to be undertaken. The scanning of software solutions is included within that framework. Also open source analysis and so on.

But then there is this, let’s say, more advanced type of testing. It’s called threat-led penetration testing and probably listeners know it’s basically when you simulate a cyber accident, cyber incident, and you see how the live production systems react. So you see how they would have reacted if it wasn’t simulated. I don’t know if it was clear enough, but this is very challenging because that can really show some omissions and gaps in the systems which we want to identify. But for the firms to establish that framework will be very costly. And I mean, let’s hope it will pay off.

Carmen Cracknell: Yeah. So on the other side of this, DORA will obviously affect vendors. For vendors to understand more about what this will mean for them, who will qualify as an ICT third party service provider or CTP?

Katarzyna Parchimowicz: So basically, there are two main types of … I will just call them providers. We know that it’s ICT third party service provider, but there are two types of providers.

And the first one is, let’s say, the one that basically encompasses all undertakings providing ICT services. So you can imagine how many entities are covered by that definition. It depends on the estimate, but it’s around 20,000. And these are the ICT third-party providers. And among this group, critical ICT third-party providers will be designated by European supervisory authorities.

And these critical providers will be designated based on several criteria. And I must say it’s actually very intuitive. So one of the criteria is the systemic impact of their operational failure. So what will happen to the financial sector if they fail? Also, the systemic character of the financial entities that rely on their services. So whether Deutsche Bank is using this particular ICT service or some smaller bank in Germany.

Also, the critical and important functions of financial entities and the fact whether they are transferred to this critical provider is one of the criteria and the substitutability. So whether it’s easy to transfer the data somewhere else, whether there are some real alternatives. And this is also what I mentioned at the very beginning. European supervisory authorities just published new detailed, more quantitative criteria. And yeah, I would really advise everyone to look into that because it’s crucial whether you are a critical provider or not.

Because the critical providers are going to be overseen by the lead overseer, so one of the ESAs. And they will have to follow some recommendations. And if they don’t, there can be penalty payments imposed on them. So, you know, it’s the oversight framework that is leaning towards a supervisory framework.

Carmen Cracknell: Yeah. And what is the difference between a third party provider and a critical third party provider under DORA?

Katarzyna Parchimowicz: Yeah, this is basically so the entire huge group is the ICT third-party providers and the ones designated by European supervisory authorities are the critical ones. They are designated as critical. So these will be the chosen ones.

Carmen Cracknell: So what do you think the biggest challenges are for third party providers or vendors stemming from DORA? Because the difference between regulation and oversight seems quite nuanced.

Katarzyna Parchimowicz: Yeah. So I think first of all, I would say even harsher competition with the largest providers, of course, and that refers mostly to smaller and medium providers. But I think this will be problematic. And this is, of course, linked to the other challenge. So the regulatory burden, I know we kind of use that phrase a lot, but the regulatory burden will be here and will be very difficult to bear for some companies because of the oversight, of the reporting, of the testing we mentioned before.

And the last challenge, I would say, is the fact that the relationships with financial institutions will have to be redefined, the contractual relationships, because both financial institutions and providers, vendors, need to fulfill some requirements under DORA. And, you know, there are always kind of conflicting interests everywhere we look, so that will have to be kind of reshaped, that relationship with financial institutions.

Carmen Cracknell: What advice do you have for vendors to prepare for DORA? Beyond, I guess you’ve already said, this criteria that’s come out that they can look at.

Katarzyna Parchimowicz: It’s actually good that you mentioned that. It’s actually a broader advice. I would say that I think the vendors should follow the detailed standards that are being published and still will be published because this is really where the criteria are precisely defined. So the detailed standards are crucial for vendors.

Second of all, I would prepare for the changes of contracts that will be required under DORA, you know, just to kind of act maybe a bit preemptively and do it even before it is applicable. Maybe some already do it. I don’t have empirical data, but that would be my advice.

Also, the preparation of subcontractors. If there are some vendors that rely, for instance, on digital infrastructure of someone else, then these contracts will probably have to change too. And finally, well, that is linked a bit with following the detailed technical standards, but I think every vendor should assess whether they will be critical. And of course, look through the obligations if the result is that they probably will be designated.

Carmen Cracknell: There’s some quite specific practicalities about this as well, aren’t there? Like if you are designated a critical third party service provider, you will have to pay about €500,000. Is that right?

Katarzyna Parchimowicz: I don’t know the exact amount, but this is the usual model that works in the EU. When you are being overseen, you need to chip into that oversight. And it works kind of the same when it comes to supervision and all that, because you basically need to pay for the overseers to work.

Carmen Cracknell: Yeah. And given that this is a European policy, you also, I believe, have to have at least some presence in Europe in the form of an office in a European country. Which could be difficult for maybe British companies.

Katarzyna Parchimowicz: Yeah. So basically, there is this new rule in DORA. I’m saying new because in the proposal, there was a complete ban when it comes to the use of third-country service providers. But in the final text of DORA, this ban has been deleted. But now we have this requirement that when there is a third-country provider that is designated as critical, they ought to establish a subsidiary within 12 months after designation. So the EU is kind of trying to, you know, to kind of pull the third-country entities under the auspices of the EU legal regime.

So that’s basically how it looks. Of course, for, you know, for third-country providers that are small or medium, this will be a huge issue. I think there will be some medium ones being a bit on the brink, and they still may be designated as critical. So I think that will be most problematic for them.

Carmen Cracknell: Yeah. So this could work to the advantage of the larger third party solution providers. Could this like then lead to sort of monopolization of ICT services? Can you talk a bit about the competitive landscape after DORA?

Katarzyna Parchimowicz: Yeah, so, you know, the first impression when you have this new shiny regulation is always that, oh, the large providers will be hurt. There is so much regulatory burden put on them, right, because they will be designated as critical. I mean, that’s for sure. And all that. But this is only the first impression. The truth is that actually they are always the best equipped to fulfill these requirements and to assure compliance.

So basically, yeah, this will be a big problem because all of these large providers, they already have subsidiaries in the EU. So that requirement will not be a problem. The second thing is that they have enough money to establish, you know, the entire testing framework, the compliance teams and so on.

And what I think DORA misses out on a bit is the fact that it should maybe more, it should maybe discourage financial entities a bit more to contract the largest providers, because that’s what’s not happening. DORA is basically, when you look at the phrasing, it says that financial institutions should weigh costs and benefits or should duly consider contracting the critical provider, largest provider. And, you know, it’s not really, I don’t think it will work, this weighing benefits and costs, because if the largest provider offered the lowest price, then there will be financial institutions that basically sign the contract and that’s it.

So I think the competitive landscape will not improve. There will still be this overwhelming oligopoly, so to say, because it’s now 60% Amazon, Microsoft and Google. So I think you can safely call it oligopoly. And I think it can even get a bit worse because of the regulatory burden.

Carmen Cracknell: A lot of our listeners are in the UK. So could you say a bit about the UK context and how DORA will affect the British market?

Katarzyna Parchimowicz: I don’t really have UK specific analysis, but what I can say is that, well, UK is the third country. As much as I think many regret that it is, it is a third country. So it will be treated in the same way when it comes to the establishing of the subsidiary, when it comes to all the other limitations.

And I’m pretty sure that the UK being a technological hub, so to say, it will impact many companies and it will also probably adversely impact the market in the EU because the largest providers are still from the US and they are already in the EU market. So if the smaller and medium providers from the UK, for instance, cannot really enter the market, then it could be a bit destructive.

Carmen Cracknell: How long does it usually take to see the effects of a policy like this, whether it’s effective or successful?

Katarzyna Parchimowicz: I would say it’s usually, you know, it’s usually kind of slowing together with, you know, the reporting and the requirements. And in DORA, reporting is mostly once a year or the threat-led testing is every three years. I would say probably first effects will be visible after two years, more or less.

Of course, the first round of threat-led testing will also be crucial. But the first two years, I guess, I mean, after the first two years, so 2027.

Carmen Cracknell: Could you share your views on the NIS2 directive and how it’s related to DORA?

Katarzyna Parchimowicz: So NIS2, as you pointed out, is a directive. So it has to be transposed. And that means that actually in every member state, there will be a legal act transposing this directive. And as you can imagine, they will differ. The aim is the same, but the acts and the means can be a bit different.

And so that’s why this regime will be more nationally oriented. It’s also much broader. So NIS directive aims to create this cyber security framework, but it’s not only in the financial sector. It’s also, you know, it encompasses also gas suppliers, drinking water undertakings, all of these, so to say, crucial services.

And when it comes to financial sector, as far as I remember, there are only banks and financial infrastructures, CCPs encompassed. So it’s much, much smaller group when it comes to DORA.

And that is why NIS and DORA kind of complement each other. And DORA constitutes lex specialis. So DORA is basically the rule for the financial sector where you should first look when there is any doubt when it comes to digital operational resilience regarding the financial sector.

Of course, in DORA recitals, there are some claims, some beautiful claims about strong relationship, how all the European supervision, supervisory authorities and all the authorities engaged in enforcing these two have to cooperate. And they need to basically inform each other about cyber incidents and all that.

But again, we will see in practice how that works. The most important fact is that it’s good that we have a more nationally oriented framework for, you know, for all the important undertakings. And then we have an international, EU-wide, financial-sector-oriented framework, because finance is arguably the sector most active EU-wide.

Carmen Cracknell: Yeah. What are your views on private versus public cloud? And what do you see as the advantages and disadvantages of each?

Katarzyna Parchimowicz: So this is another choice that the financial institutions have to make when they decide to use cloud computing services. I like to compare private and public cloud to like the two types of cloakroom. So basically, when it comes to public cloud, you know, you go to this counter and there’s this person you give your coat to and you get like a small key chain with a number on it, whatever. And your coat is hanging with all the other coats in some kind of open space, whatever. And in the private cloud, you basically get your own key to a locker that you open and close at will. And this locker is selected especially for you when it comes to size and shelves and all that. So this is basically how private and public clouds work.

In the public cloud you basically get access, and your data is stored with some unrelated multiple customers. And of course, this is very efficient because economies of scale are at work here. And it’s also in most cases cheaper. But in the private cloud, you get this adjusted cloud solution for your own needs. And you are the only person, the only person, the only entity using that particular cloud or, you know, or a huge group or whatever.

But you know, the entities are linked because they chose this and this common private cloud. So it has advantages and disadvantages. Some claim that public cloud is less safe because of this multiple unrelated customers aspect. And of course, the private cloud is more costly. So it takes away some of the advantages of the cloud solutions that we expect, this cost efficiency. Yeah. So in the end, the majority of financial institutions use hybrid clouds. So they kind of try to get the best of both types.

Carmen Cracknell: I like that cloakroom analogy. I wish some of the other complex terms could be explained that way. It would make it a lot easier to understand. Thank you so much for speaking to me, Kata.

Katarzyna Parchimowicz: Thank you so much, too.
