What can we expect from the Digital Operational Resilience Act | Deloitte Netherlands

Article

What can we expect from the Digital Operational Resilience Act?

A summary of main implications and our recommendations

The EU’s Digital Operational Resilience Act (DORA) is nearing the finish line. It will have significant implications for financial services firms. We elaborate on the main aspects of the regulation (e.g., incident response, cyber risk management, etc.) and provide no-regret actions.

By Hugo Atzema and Noah Brandwijk

This article was written in collaboration with Deloitte’s EMEA Centre for Regulatory Strategy and their exhaustive analysis is published here.

At a glance:

  • The finalisation of the EU’s Digital Operational Resilience Act (DORA), expected later this year, is a significant regulatory development for financial services (FS) firms.
  • The DORA will seek to harmonise digital resilience in the European Union through the introduction of requirements on ICT risk management and ICT-related incident reporting.
  • With the negotiations on the DORA in late stages, the final shape of the legislation is becoming clearer. EU-based firms should take note of the state of the talks to gain a better understanding of the requirements they will soon have to implement.
  • The DORA will likely have a 24-month implementation period, but important technical standards will take longer to finalise, leaving firms with less time for preparation to comply with the new requirements they will face.
  • Firms cannot afford to wait for the political process to conclude but should already be considering what successful implementation requires. We identify several “no regret” actions on the DORA’s key initiatives that firms should begin to reflect on now.

The DORA sets the requirements for FS firms in the EU for cyber/ICT risk management, incident reporting, resilience testing, and third-party outsourcing. Additionally, it allows FS supervisors to oversee Critical ICT Third Party Providers (CTTPs).

As part of Europe’s Fit for a Digital Age programme, the DORA is set to contribute to Europe’s digital transformation by harmonising regulations for the above-mentioned sectors in the EU. The European Parliament (EP) and European Council have started negotiations (“Trilogues”), the final step before DORA can be passed as a law. These talks, which are supposed to align the positions of the institutions, are expected to conclude by mid-2022.

When will firms have to implement the DORA?

The EP and Council seek to grant a general implementation period of 24 months. However, there is disagreement on the implementation timeline for the resilience testing requirements (the EP asks for a 36-month period, while the Council favours 24 months). We believe that firms should use a working assumption of a 24-month implementation period for all the DORA’s requirements, running from H2 2022 to H2 2024.

What is the state of play in key components of the DORA?

We see several important takeaways from our analysis of where the Council and EP are aligned on the DORA, and where they differ. These are:

  • ICT risk management requirements: Positions on ICT risk management and governance are mostly aligned. Both delegate much of the rulemaking for ICT risk management to the European Supervisory Authorities[i] (ESAs), to be produced as Regulatory Technical Standards (RTS). They differ in that the EP wants firms to disclose records of all ICT-related incidents annually, whereas the Council simply requires firms to conduct business impact analyses of their exposure to severe disruptions.
  • ICT incident reporting requirements: Both favour a harmonised reporting requirement for major ICT-related disruptions (including the reporting of near-misses). The ESAs will develop RTSs to further specify the materiality thresholds for reporting disruptions in a timely and concise manner. Firms may be asked to report significant cyber threats: the EP wants this on a voluntary basis, while the Council wants it to be mandatory. The outcome will likely be aligned with the requirements in the revised NISD, which is also in legislative negotiations due to conclude this year.
  • Resilience testing requirements: Firms will have to regularly test their operational resilience, with certain firms being subject to “advanced” testing, including threat-led penetration tests (TLPTs). Both agree on this but still need to align on the scope of firms included and the frequency of TLPTs (the EP wants one every three years; the Council wants to delegate the decision to the authorities). The ESAs will elaborate advanced testing methodologies in an RTS. In the meantime, firms can use the ECB’s Threat Intelligence-Based Ethical Red-Teaming (TIBER) framework as a guide.
  • ICT third-party risk management: Both maintain most of the DORA’s proposed requirements for firms that use third party providers (TPPs) to support critical or important functions. EP also wants to add additional requirements, such as ensuring that third-country TPPs are governed by the law of an EU Member State. These are new requirements for firms and will require significant work, both in terms of mapping and negotiating contractual provisions.
  • CTTP oversight: Both agree that certain ICT TPPs that are designated as “critical” should come under the direct oversight of EU financial authorities. Both also seek to require a CTTP to have a legal subsidiary in the EU if it is to offer services to FS firms. For the oversight mechanism, the EP proposes a “Joint Oversight Forum” to assist the Lead Overseer. This requirement will bring new non-FS firms/TPPs into the FS regulatory perimeter, placing them under the FS supervisory oversight and scrutiny. It is very likely that cloud service providers will fall under the scope of this oversight.

Technical Standards will be an important part of new requirements

The DORA package delegates significant decision-making authority to the ESAs. RTSs will be crucial to understand the full spectrum of requirements firms will face from the DORA.

The ESAs will only begin to draft these RTSs once the DORA is finalised later this year, and timelines for secondary rulemaking vary. Firms will therefore have limited clarity as they prepare for DORA implementation while the RTSs are still being finished. Thus, firms need to assess and identify no-regret actions they can begin to take to prepare for the new rules. This is important because some technical rules on incident reporting and ICT risk management will be introduced later by the ESAs.

Early implementation actions need to be identified

In our experience, preparing for the initial implementation of new rules has taken more time and resources than many firms anticipated; the actions that can be taken now must therefore be identified.

In our view, several “no regret” actions that firms should be considering include:

  • On ICT risk management: conducting a gap analysis of existing ICT risk management and governance practices. Additionally, increasing resources dedicated to threat and incident detection and improving firm-wide ICT security awareness training programmes with a special focus on awareness of management bodies such as the board is crucial. We believe that special attention must be focused on clarifying what exactly are your critical assets, where they are hosted, what they host and what processes they support. This will be input for resilience testing later on.
  • On incident reporting: running an incident management and reporting maturity evaluation to understand the firm’s current-state capabilities and to evaluate the firm’s awareness of the multiple ICT incident reporting requirements that apply in the FS sector. Also check whether you have the capabilities to detect near-miss incidents. Questions to ask here are whether you are capable of always reporting significant incidents within 48 hours, and whether you are able to provide information such as the geographical spread of an incident and the number of users affected.
  • On resilience testing: understanding the skills and capabilities required to shape and run resilience testing, including training sessions for board members on resilience testing methods (including TLPTs if likely to be in scope of advanced testing requirements), and the implications for remediation. If familiar with the TIBER framework then also consider a potential increase in frequency and scope of testing as DORA may mandate increased testing.
  • On TPP risk management: focusing on improving mapping of TPP contracts and connections, documenting and reviewing third party vulnerabilities to help inform the development of a risk containment strategy. Truly understand what service providers are critical to the hosting of core business processes. Is there an exit strategy, or fault-tolerant architecture in place for mitigating a loss of certain critical vendors?

The DORA is moving towards finalisation. Firms need to be aware of the implementation challenges that will arise during the two-year window. Firms can stay on the front foot by taking a proactive approach to developing a realistic and achievable implementation plan.

Endnotes

[i] As the DORA is cross-sectoral, Level 2 rulemaking will be done jointly by the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), often working in their Joint Forum composition.

[ii] European Supervisory Authorities, Public statement, ESAs welcome ESRB Recommendation on a pan-European systemic cyber incident coordination framework for relevant authorities.

[iii] European Central Bank, Banking Supervision, Statement regarding supervisory cooperation on operational resilience.