DORA – CBI comments on implementation and key aspects of the new framework

At the '6-Months to DORA' event organised by the Institute of International Finance and Amazon Web Services on 28 June 2024, Gerry Cross, Director of Financial Regulation in the Central Bank of Ireland, provided an update on the timing for delivering the new regulatory framework under the Digital Operational Resilience Act (DORA) and outlined some key points in relation to the framework.

In this article, we summarise the main aspects of his speech and the implications for financial entities and their information and communication technology (ICT) service providers. As Mr Cross is also Chair of the European Supervisory Authorities' Sub-Committee on DORA implementation, his insights will be of particular interest to financial services firms that fall within the scope of DORA.

Level 2 implementation timetable

Mr Cross confirmed that the European Supervisory Authorities (ESAs) and other EU stakeholders remain "pretty much on track" to deliver the new regulatory framework on time, in advance of DORA applying from 17 January 2025.

In relation to the technical standards that form part of the 'Phase 1' proposals of the DORA implementation plan, three regulatory technical standards (RTS) were published in the Official Journal on 25 June 2024. These RTS contain requirements to:

• specify the ICT risk management framework (and simplified framework)
• classify ICT-related incidents and cyber incidents and specify the details of reports of major incidents
• prescribe the elements in financial entities' policies governing outsourcing of ICT services to third parties

The fourth proposal within Phase 1 is a set of implementing technical standards that set out the templates for the registers of information on ICT outsourcing and are awaiting adoption by the European Commission prior to publication in the Official Journal. 

The technical standards and guidelines under 'Phase 2' of the DORA implementation plan are being finalised and are on track for submission to the European Commission, for adoption, by 17 July 2024. The technical standards, which were subject to public consultation earlier this year, will contain requirements relating to:

• sub-contracting of ICT services that support critical or important functions
• threat-led penetration testing (TLPT)
• the content, timelines and templates for the reporting of major ICT-related incidents and cyber threats
• harmonisation of oversight activities by the Lead Overseer

In response to industry concerns that the time available to implement the technical standards following their finalisation is too short, Mr Cross set out the following points:

• The ESAs and national competent authorities (NCAs) do not have the power to alter the implementation date, as the technical standards are set out in Commission Delegated Regulations and are legally binding.
• DORA and the overall regulatory framework represent, in many respects, what any well managed firm should be doing. While it is recognised that there are aspects that are only becoming clear now, financial entities can be expected to have already started laying much of the groundwork for implementation over recent years.
• For some sectors, many of the requirements under DORA are already in place under sectoral legislation and, for those firms, the gap to ensure implementation is narrower.
• Despite the above, there is often benefit in taking a ‘Day 1/Day 2’ perspective when it comes to supervisory expectations for initial implementation – "while legal requirements remain legal requirements, there is often merit in seeing the value in a committed journey by firms and supervisors from initial implementation and compliance to a richer, more fully achieved implementation over time".

Multi-year approach to supervision

Mr Cross emphasised that the supervision of digital operational resilience is "not a once-and-done exercise" and it is "optimal to adopt a multi-year, multifaceted perspective". The ESAs have adopted the view that they need to find the best solutions possible in the limited time available before implementation, while also recognising that the new framework will need to evolve and adapt over time. For example, while finalisation of the level 2 texts is nearing completion, the Joint Committee Sub-Committee on DORA will nonetheless remain in existence to provide the bridge to and organisational basis for any future level 3 guidance.

Proportionality

Mr Cross highlighted that ensuring proportionality has been a central focus of the work to develop the DORA framework.

Proportionality is strongly built into the foundational architecture of the framework, as well as in the more detailed regulatory rules. For example, a proportionate approach is taken in the requirement to implement a risk management framework that is consistent with the size and nature of a firm's activities, in concepts such as "criticality", "major", and "systemic", in the quantitative values used for the classification of ICT related incidents and in the selection criteria for financial entities to be subject to TLPT requirements.

Outsourcing and subcontracting

Regulators acknowledge that financial entities that outsource ICT services via chains of subcontractors, sub-subcontractors, and sub-sub-subcontractors are concerned that they might find themselves subject to regulatory requirements for detailed knowledge, monitoring and engagement which would be impossible or very difficult to achieve. In this context, the new framework "should not and must not impose requirements that are not aligned with sound but reasonable business practices".  

The approach adopted by the ESAs is based on the fundamental principle that financial entities remain responsible for all the activities that they outsource. Mr Cross stated that this means they need to have ongoing knowledge about the overall functioning of the chain of subcontracting arrangements and that there should be “appropriate monitoring of the overall functioning” of that chain. But it does not mean that each link in the chain needs to be monitored. A way of fulfilling the responsibility may be to ensure that primary or material subcontractors themselves have in place an approach to subcontracting and due diligence that is robust and appropriate.

Mr Cross added that more detailed monitoring should be required only in respect of those subcontractors that are material to the critical or important functions of the firm. This is embedded in the proportionality principle and the idea that expectations for oversight should be aligned with financial entities’ responsibility for activities whether or not they have been outsourced.  

Oversight of critical third-party providers

The new oversight regime for third-party providers of critical ICT services was also discussed, and it was reiterated that such technology firms are not providers of financial services but rather the providers of outsourced activities, and the financial entities remain fully responsibility for the ICT outsourcing activities and ICT services received.

The ESAs and NCAs have established a 'High-Level Group on Oversight' to help to oversee the establishment of the operational aspects of the new framework. Work is under way to develop the arrangements to put in place the Joint Examination Teams that will carry out the oversight of critical third-party providers under the coordination of the Lead Overseer. However, it was acknowledged that there will be challenges with setting up and running a wholly new oversight framework, particularly given the scarcity of the expert resources needed to implement a regime that is technically, logistically and strategically complex.

Next steps

Mr Cross's speech provides useful insights into the current state of play and the approach that regulators are likely to take in relation to key features of the new DORA framework, including in the early stages of implementation. Financial entities and their ICT service providers should reflect on their progress to date towards implementation and the challenges ahead and prepare accordingly for the upcoming deadlines and requirements. Financial entities should strive for full compliance by 17 January 2025, while also focusing on the relative flexibility provided for by the proportionate approach taken under the legislative framework.

Financial entities also need to be mindful that the regulation of digital operational resilience is an evolving and dynamic area, and that the ESAs and NCAs will continue to monitor and guide the implementation and development of the framework over time.

For further information on DORA and its impact on your firm, please contact Patrick Brandt, Partner, Ciara Brady, Senior Associate, Louise Hogan, Senior Associate, Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team, or alternatively, visit ALG’s DORA Hub.

Date published: 30 July 2024