The EU’s Digital Operational Resilience Act nearing the finish line
Intended audience: risk, regulatory affairs, operational resilience, cyber and third party risk management teams in financial services firms.
- At a glance
- When will firms have to implement the DORA?
- Early implementation actions need to be identified
At a glance:
- The finalisation of the EU’s Digital Operational Resilience Act (DORA) is a significant regulatory development for financial services (FS) firms that we expect later this year.
- Now that negotiations on the DORA are well progressed, the final shape of the legislation is becoming clearer. EU-based firms should take note of the state of play in the talks to gain a better understanding of the requirements they will soon have to implement.
- The DORA will likely have a 24-month implementation period, but important Level 2 technical standards will take longer to finalise, leaving firms with less time to prepare to comply with the new requirements they will face.
- Firms cannot afford to wait for the political process to conclude but should already be considering what successful implementation requires. We identify several “no regret” actions on the DORA’s key initiatives that firms should begin to reflect on now.
The DORA establishes a unified set of requirements for a broad scope of FS firms in the EU in the areas of cyber and ICT risk management, incident reporting, resilience testing and third-party outsourcing. It also introduces a framework that allows FS supervisors to oversee Critical ICT Third Party Providers (CTTPs) including Cloud Service Providers (CSPs).
The European Parliament (EP) and the Council of the EU have reached their respective positions on the DORA package and have begun inter-institutional negotiations, called “trilogues,” which are the final stage of talks before the file can become law. These aim to align the positions of the EP and Council where they currently differ. We expect the talks to conclude by mid-2022.
When will firms have to implement the DORA?
The European Commission’s original proposal was for a 12-month implementation period for most of the DORA’s requirements and a 36-month period for the resilience testing requirements. Both the EP and the Council want to extend the general implementation period to 24 months. However, the EP and Council disagree on the implementation timeline for resilience testing: the EP wants to keep the original 36-month period, while the Council wants it reduced to 24 months. A shorter timeframe could be difficult for mid-size firms that have not run tests such as Threat-Led Penetration Tests (TLPTs) before. While timeframes can still change, the Council’s text is likely to strongly influence the outcome. As a result, we believe firms should use a working assumption of a 24-month implementation period for all the DORA’s requirements, running from H2 2022 to H2 2024.
What is the state of play in key components of the DORA?
We see several important takeaways from our analysis of where the Council and EP are aligned on the DORA, and where they differ. These are:
- ICT risk management requirements: The Council and the EP’s positions on ICT risk management and governance are mostly aligned. Both take a similar approach to proportionality and agree that smaller and less complex FS firms should implement a simpler set of rules. Crucially, both delegate much of the detailed rulemaking for ICT risk management to the European Supervisory Authorities[i] (ESAs), to be produced as Regulatory Technical Standards (RTS). These RTS are likely to be an evolution of the existing Guidelines on ICT Risk Management published by some of the ESAs. Significant differences between the two texts include the EP pushing for firms to disclose a record of all ICT-related incidents in an annual public report, and the Council using more specific language to require firms to conduct business impact analyses of their exposure to severe disruptions.
- ICT incident reporting requirements: The introduction of a harmonised reporting requirement for major ICT-related incidents is maintained in both texts, along with instructions to the ESAs to develop RTS that further specify the materiality threshold for reporting an incident and the content and timing of the reports. These reporting requirements will supersede equivalent ones in other EU legislation, such as the Network and Information Security Directive (NIS Directive), and are likely to broaden the reporting obligations most firms face. Firms may also be asked to report significant cyber threats to competent authorities; the EP has made this voluntary, whereas the Council wants it to be mandatory. The outcome here is likely to be aligned with the requirements of the revised NIS Directive (NIS2), which is also in legislative negotiations due to conclude this year.
- Resilience testing requirements: The DORA will require firms to regularly carry out several different tests of their operational resilience, with certain firms also subject to “advanced” testing, including TLPTs. The TLPT requirement will roll out more consistently a “red team” testing framework that has so far only been adopted for FS firms in some EU countries. The EP and Council agree on this but still need to align on the scope of firms included and the required frequency of TLPTs: the EP is seeking a three-year frequency, while the Council wants to delegate the decision to authorities. The ESAs will elaborate advanced testing methodologies in an RTS, but we believe firms can use the ECB’s Threat Intelligence-Based Ethical Red-Teaming (TIBER-EU) framework as a guide until the RTS is available.
- ICT third party risk management: Both the EP and Council maintain most of the DORA’s proposed requirements for firms that use third party providers (TPPs) to support critical or important functions, including the introduction of key contractual provisions. However, the EP also wants to add further requirements, namely contractual provisions obliging TPPs to give FS firms higher levels of assurance by allowing audits and ongoing monitoring of their performance. The EP is also seeking to ensure that contracts with third-country TPPs are governed by the law of an EU Member State. Overall, these are new requirements for firms and will require significant work, both in mapping TPP relationships and in negotiating contractual provisions and gathering the necessary assurance from TPPs.
- CTTP oversight: The EP and Council agree that ICT TPPs designated as “critical” should come under the direct oversight of EU financial authorities. Both have maintained the Commission’s initial proposal to designate one of the ESAs as “Lead Overseer” of a CTTP, with powers to inspect and to require changes to the CTTP’s practices. The EP and Council have also both made similar amendments requiring a CTTP to have a legal subsidiary in the EU if it is to offer services to FS firms. There are differences between the EP and Council on the institutional design of the oversight mechanism, with the EP proposing a more complex “Joint Oversight Forum” of authorities to assist the Lead Overseer. This requirement will bring non-FS TPPs into the FS regulatory perimeter for the first time. That is a significant step change for in-scope TPPs whose risk and resilience frameworks have not historically been subject to FS supervisory oversight and scrutiny.
- Cryptoassets: The DORA makes a series of amendments to existing EU Directives to align them with the new operational resilience framework that is being proposed. One of these is an amendment to include DLT-enabled products in the MiFID2 definition of a financial instrument. This will help to reduce scope for arbitrage in the regulatory treatment of certain cryptoassets (security tokens) across Member States. The EP and Council’s positions are aligned on this.
Level 2 rulemaking will be an important part of new requirements
The DORA package delegates significant decision-making authority to the ESAs to write technical standards specifying the rules that firms will have to follow. The RTS on ICT risk management will set out more detailed rules for the governance, security policies and event detection procedures firms will need to put in place as well as more detail on the required content of their business continuity plans. Further RTSs on reporting major ICT-related incidents, the approach and methodology for TLPT testing and on third party risk management and registers will all be crucial for firms to understand the full spectrum of requirements they will face from the DORA.
The ESAs will only begin to draft these RTS once the DORA is finalised later this year, and the timelines for secondary rulemaking vary. The Council is asking for all RTS to be produced within 18 months of the DORA’s entry into force, while the EP sets a different timeline for each. All RTS, however, are due to be finished before the likely 24-month implementation period ends. This will nevertheless limit the clarity firms have as they prepare for the DORA’s implementation, and any delays in producing the RTS (which are not uncommon) will exacerbate this. It underlines the need for firms to identify no-regret actions they can begin to take now to prepare for the new rules, including when implementing technology or infrastructure upgrades or negotiating new TPP contracts.
The ESAs will also have to conduct a feasibility study on the establishment of a centralised solution for EU ICT incident reporting. This will become part of important preparatory work for the introduction of a pan-European Systemic Cyber Incident Coordination Framework (EU-SCICF) which the ESAs publicly committed to working towards in a January statement.[ii] This initiative will primarily drive supervisory efficiency across the EU. However, any indirect benefit for firms will only become apparent over time.
International regulatory alignment cannot be ignored
Firms operating cross-border business models – e.g., operating in both the EU and UK – will need to consider how the DORA’s requirements will fit in with work they are doing in other jurisdictions. One notable difference is that the DORA addresses operational resilience as a detailed set of legislative requirements whereas operational resilience is being handled as a principles-and-outcomes-based initiative by supervisors in the UK and elsewhere. The DORA also focuses on digital and ICT risks, whereas the UK and other frameworks consider operational resilience more broadly. This may contribute to a greater emphasis in the EU on cyber threat and other technology-related risk scenarios.
There is, however, a set of outcomes in the DORA’s requirements that is common with the UK supervisory framework and, for banks, the Basel Committee’s 2021 Principles for Operational Resilience. Both frameworks require the identification of critical parts of the business (i.e., important business services in the UK, critical or important functions in the DORA), and the alignment between jurisdictions here will be a key area for supervisors to determine. The Council’s amendment requiring firms to conduct business impact analyses of their exposure to severe disruptions also brings the DORA closer to the UK and BCBS approach of testing resilience against “severe but plausible scenarios.”
Our view is that cross-border firms will gain efficiencies by adopting a consistent approach to operational resilience group-wide and modifying it in each jurisdiction only as far as necessary to meet specific requirements. There are clear opportunities for the DORA to be compatible with such an approach, but much will depend on the Level 2 work done by the ESAs and on the supervisory approach taken by authorities, the ECB chief among them. The 2020 statements by the ECB, US and UK authorities committing to a joined-up approach to the supervision of operational resilience demonstrate encouraging cooperation.[iii]
Early implementation actions need to be identified
It is important for firms to identify actions they can take now, before the primary legislation is finalised and Level 2 standards from the ESAs are available. In our experience of working with UK firms, where the regulatory initiative on FS operational resilience is at a more advanced stage, preparing for the initial implementation of the new rules has taken more time and resources than many firms anticipated.
In a recent executive survey we conducted for our 2022 Regulatory Outlook, UK firms highlighted the identification and management of TPP vulnerabilities as the most important challenge they faced in implementing operational resilience requirements.[iv] EU firms will likely face a similar challenge with the DORA as well.
In our view, several “no regret” actions firms should be considering include:
- On ICT risk management: conducting a gap analysis of existing ICT risk management and governance practices, specifically through a critical function lens, will be a worthwhile exercise. Increasing the resources dedicated to threat and incident detection, and improving firm-wide ICT security awareness training with a particular focus on management bodies, will also be beneficial.
- On incident reporting: running an incident management and reporting maturity evaluation to understand the firm’s current capabilities and its awareness of the multiple ICT incident reporting requirements that already apply in the FS sector.
- On resilience testing: understanding the skills and capabilities required to shape and run resilience testing, including training sessions for board members on resilience testing methods (including TLPTs, if the firm is likely to be in scope of the advanced testing requirements) and on the implications for remediation.
- On TPP risk management: improving the mapping of TPP contracts and connections, and documenting and reviewing third party vulnerabilities to inform the development of a risk containment strategy.
As the DORA moves towards finalisation, firms need to be mindful of the scale of the challenge that implementation will bring. A two-year implementation period will be a short window of time to get things right. Firms can stay on the front foot by taking a proactive approach to assessing the impact of the requirements to develop a realistic and achievable implementation plan.