As the clock ticks down to the January deadline, Bob Currie assesses the financial sector’s state of readiness for DORA implementation and potential obstacles to achieving its regulatory objectives
With less than three months until the Digital Operational Resilience Act (DORA) starts to apply, financial entities need to be moving into the final phase of their preparations to be compliant by the 17 January 2025 application date.
Many larger firms appear to be well on track, having initiated their preparatory work in good time and, in some cases, run it alongside their transition programmes for NIS2, the EU’s revised directive on network and information security, whose national transposition deadline fell on 17 October 2024.
However, some smaller financial entities still have a lot of work to do to be compliant. Moreover, some final details of the Act are still subject to negotiation or clarification. For example, the European Supervisory Authorities (ESAs) have asked the European Commission to review its recent decision to reject the draft implementing technical standards (ITS) on the registers of information put forward by the ESAs. This difference of opinion has arisen over which legal identifier should be used to identify third-party providers of information and communication technology (ICT) services in those registers: the ESAs’ draft required the Legal Entity Identifier (LEI), whereas the Commission wants the EU Unique Identifier (EUID) to be accepted as an alternative.
Perhaps more significantly, a group of five industry associations issued a joint statement on October 1 questioning whether regulated financial services should be treated as ICT services under DORA and asking the European Commission and the ESAs to review their guidance in this area.
Understanding DORA
The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and applies from 17 January 2025. Its high-level objective is to strengthen the IT security of financial entities – including banks, insurance firms, asset managers and market infrastructure – and to ensure that the financial sector in Europe remains resilient in the event of severe operational disruption.
DORA also seeks to harmonise the rules relating to operational resilience for the financial sector applicable to around 20 different types of financial entities and ICT third-party service providers.
At its heart, DORA requires financial entities to meet standards in five core areas. First, they must have an ICT risk management framework in place, providing the tools to identify, assess and monitor sources of ICT risk, enabling prompt detection of anomalous activity and supporting dedicated business continuity and disaster recovery plans.
Second, a financial entity must have systems in place to detect, classify and report ICT-related incidents to the relevant competent authority. For an incident classified as major, it must submit initial, intermediate and final reports describing the incident’s severity and building a picture of the threat faced and the remedial actions taken.
Third, it must conduct regular testing of its ICT-related systems and resilience measures. This Digital Operational Resilience Testing should be proportionate to the financial entity’s size, business and risk profile. This may include Threat-led Penetration Testing to address higher levels of risk exposure.
Fourth, the regulation requires in-scope firms to manage the risks associated with their use of third-party ICT service providers. In doing so, the firm must conduct due diligence on service providers, have contractual agreements in place that meet DORA’s minimum content requirements, and monitor performance on an ongoing basis across all third-party and subcontracted relationships.
Finally, DORA encourages information sharing and collaboration between financial entities relating to ICT-related threats and preventative or remedial measures.
Technical standards
In Q2 2024, the European Supervisory Authorities launched a public consultation on the draft Regulatory Technical Standards (RTS). This consultation ran from April 18, with respondents asked to submit their comments by May 18.
The European Banking Authority – one of the three ESAs, alongside the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) – has now published the final draft of these joint technical standards, which has been submitted to the European Commission for adoption.
Shreeji Doshi, director of Cyber Risk at global risk, due diligence and cybersecurity consultancy Thomas Murray, indicates that he does not anticipate extensive changes to these joint standards before the regulation starts to apply in January 2025.
Referring back to the first round of RTS and implementing technical standards (ITS), Doshi notes that no major changes were integrated into the final regulatory text on the basis of the consultation process. “There are still one or two points that are subject to clarification from policymakers, but we are working on the assumption that the regulation is now close to the final design that will be adopted,” he said.
DORA aims to strengthen the IT security of financial entities, to enhance resilience in the face of severe operational disruption, and it aims to harmonise rules relating to operational resilience for the financial sector. But is the design of the regulation appropriate to meet these stated outcomes?
“In general terms, DORA provides an effective regulatory framework for achieving these objectives,” responds Doshi. “This aims to deliver a consistent regulatory approach to promoting operational resilience across the financial services industry, eliminating differences in application that applied in previous regulation to different types of financial entities.”
A second fundamental pillar is DORA’s incident reporting requirement. This imposes relatively stringent timelines on financial entities to report the details of a major ICT-related incident to the competent authority. Policymakers are optimistic that early reporting will reduce the risk of escalation or contagion by enabling regulators to take early action and to share key information with competent authorities in other jurisdictions, as well as with other financial entities.
A third element relates to consistent oversight and regulation of ICT third parties. With the rise of outsourcing and subcontracting in financial services, these provisions are designed to ensure effective monitoring of the risks emanating from the use of third-party service providers. This will promote a harmonised framework for monitoring ICT third-party risk, ensuring that contracts with third parties contain key information such as a full service level description and information on data storage and data transfer.
Eva van Emmerik, group manager finance at cyber resilience specialist Secura, notes that lawmakers and financial supervisors have stepped up their focus in recent years on cybersecurity requirements, and particularly on resilience and recovery. “In 2016 we had the NIS directive, aimed at securing network and information systems. But DORA is the first European standard for the financial sector that explicitly says: you must map your digital ICT risks.”
All financial organisations will have to meet largely the same requirements, Van Emmerik explains: “This regulation doesn’t only apply to the major banks, which are often well regulated anyway and which really prioritise cybersecurity. The biggest advantage of DORA is that the entire sector will become more resilient to threats. And we expect international cooperation to become easier, because we’re all required to work in the same way.”
Incident reporting
The RTS lay out general reporting requirements, detailing what should be included in incident reports. The ITS provide standard forms and templates for reporting incidents, ensuring consistent data collection and reporting processes.
The timeframe is tight for initial reporting. Once a firm has classified an ICT-related incident as major, it must submit an initial notification to the competent authority within four hours of that classification, and in any case no later than 24 hours after becoming aware of the incident. This preliminary submission may be predominantly qualitative in nature, informing the authority that a major ICT-related incident has taken place and sharing the main information the firm has to hand at that point.
The intermediate report, due within 72 hours of the initial notification, requires additional data and analysis relating not just to the facts of the incident but to a preliminary assessment of its severity, its potential consequences, its reputational impact and its impact on counterparties. A final report follows no later than one month after the latest intermediate report.
Many financial entities will draw on the support of an external specialist to help them meet these reporting commitments. However, this requires clear and well-structured communication channels between the external provider and the internal risk managers charged with coordinating the firm’s response to the incident.
In consultation feedback on the DORA Level 2 rules, circulated for comment in Q2 2023, some respondents voiced fears that the regulation would catch a wide range of ICT-related incidents, both severe and less severe, and place a heavy burden on financial entities falling into scope of the regulation.
While that is partly DORA’s strength – in providing early warning of ICT-related stress, including lower-severity incidents that could escalate into something more serious – respondents warned against potential “reporting fatigue” and a danger of “over reporting”.
Reflecting on Amazon Web Services’ (AWS’) response to the ESA consultation on the DORA technical standards, submitted in September 2023, AWS head of Financial Services Public Policy for EMEA Maria E. Tsani suggests that there is a need to future-proof DORA by ensuring that the reporting framework is effective without over-burdening financial entities.
“While we support the ESAs’ focus on identifying and reporting ‘major incidents’, our view is that the ESAs’ proposals could be improved further so that financial entities don’t over-report,” she said. Under these proposals, financial entities are required to report the costs and losses incurred from a major incident if the economic impact exceeds, or is likely to exceed, €100,000. “This threshold may be either too low in the context of a large financial entity,” she suggested, “or too high for a small fintech.”
In providing feedback on draft RTS relating to the subcontracting of ICT services, the Futures Industry Association (FIA) suggests that the RTS will potentially impose “expansive and exhaustive risk management and contractual requirements” across the entire subcontracting chain and are not in keeping with a proportionate and risk-based approach. “Without the explicit application of a materiality threshold, the RTS risks capturing an unworkably broad supply chain scope that would not necessarily add value to risk management,” said the FIA, the global trade association for futures, options and centrally-cleared derivatives.
This situation, it suggests, would divert financial entities from managing the relationships that present greatest risk from an ICT perspective, instead requiring them to divert resources to managing subcontractors that “do not pose a material resilience impact.”
On October 1 2024, the FIA issued a joint statement with four other industry associations, requesting that the ESAs provide further clarification regarding how ‘ICT services’ should be defined and questioning whether regulated financial services entities should be classified as ICT services under the regulation.
“To capture regulated financial activities as ICT services and subject them to further regulatory uplift could have a detrimental impact on the smooth provision of financial services in the EU and would impose a significant operational challenge on industry with no value-add in terms of risk management,” said these industry associations.
Regulated financial services, such as those provided by financial market infrastructure (FMI) entities, credit institutions and investment firms, are already subject to separate financial services legislation and regulation, as well as supervision by financial services regulators, say the joint associations. Consequently, in keeping with a “proportionate and risk-based approach”, the associations advise that these regulated financial entities should not be categorised as ICT services under the scope of DORA.
Reputational and counterparty impact
More broadly, DORA may present headaches for some firms in requiring them to evaluate and report potential reputational and counterparty impact while an ICT-related incident is still unfolding. Many smaller financial entities will have little experience of collating and analysing this data under stress conditions, or of completing what is typically a multidisciplinary assessment and reporting exercise while simultaneously managing their own incident response.
“The task of evaluating reputational impact, in providing a view on the number of counterparties impacted, and in estimating losses, are a few of the primary challenges that we identified in ensuring DORA compliance,” explained Thomas Murray’s Doshi.
He believes that it is hard for financial entities to be certain at this stage about the optimal methodology for conducting reputational impact assessment under stress conditions. Consequently, the industry is waiting for further guidance from policymakers in this area. “This will involve a learning process,” he said. “Not all financial entities are likely to get this right in the first instance.”
In evaluating counterparty impact, financial entities will need to identify affected counterparties, to quantify impact on each counterparty and to populate the required data in line with the reporting schedule. “This cannot be finalised just through one or two meetings,” comments Doshi. “This will require input from multiple divisions across the organisation and financial entities may take several months to get this right.”
Some financial entities have already conducted scenario analysis to walk through their ICT event responses in a simulated environment. Through these table-top exercises, many large banks and financial market infrastructure (FMI) providers are confident that they will be compliant with the main provisions of DORA when this becomes active.
However, some smaller banks and buy-side financial entities have reported concerns about whether they can meet DORA’s reporting requirements within these timeframes – and Doshi notes that some emerging market FMIs, for example some CSDs and CCPs in smaller markets in Central and Eastern Europe and the CIS, still appear to be at an early stage in moving towards DORA readiness.