DORA’s incident reporting and cyber threat notification rules could become significant compliance challenges, so the technical details in the regulatory technical standards (RTS) due to be consulted on in H2 of 2023 will be important. Firms should pay equally close attention to the resilience testing RTSs, particularly if they do not currently run a threat-led penetration testing programme but are at risk of being considered sufficiently significant under the forthcoming technical standards, and thereby being scoped into the “advanced testing” requirement.
Running in parallel to the DORA implementation, EU supervisors such as the European Central Bank will continue to expand their capabilities in cyber and IT risk and will carry out further targeted investigations into firms’ cyber resilience in 2023. For firms that are domestically significant or larger, these may be substantial exercises requiring an organisation-wide response. The regulatory expectation of close involvement by senior management and the Board will put even greater pressure on firms to build knowledge of cyber, IT risk, and operational resilience issues among senior leadership.