"Implementing DORA - Achieving enhanced digital operational resilience in European financial services" - Remarks by Gerry Cross, Director of Financial Regulation, Policy & Risk

28 March 2023 Speech

Gerry Cross

Gerry Cross is Chair of the ESAs’ Joint Sub-Committee on DORA Implementation. The remarks were made at an event organised by Amazon Web Services, Insurance Ireland, and the European Fintech Association in Brussels.

Good morning. It is a pleasure to be here this morning to exchange views on the EU’s new Digital Operational Resilience Framework (DORA) and its implementation. Many thanks to Amazon Web Services, the European Fintech Association, and Insurance Ireland for organising this event.

I am happy to be here both in my role as Director of Financial Regulation, Policy and Risk at the Central Bank of Ireland, and as Chair of the Joint European Supervisory Authorities (ESAs) Sub-Committee on Digital Operational Resilience. The Central Bank of Ireland is of course one of the National Competent Authorities across Europe for whom the implementation of DORA in the coming period is a very important objective.

The European Supervisory Authorities (“the ESAs”) are tasked with jointly delivering the regulatory standards implementing the new DORA framework. The Joint Committee of the three ESAs has established the Joint Sub-Committee on Digital Operational Resilience to deliver those standards.

DORA is a cross-sector Regulation, applying to all regulated financial firms. It aims to mitigate technology and cyber risk by enhancing firms’ technology and cyber risk management and resilience. It creates a regulatory framework whereby all firms need to make sure they can withstand, respond to and recover from ICT-related disruptions and threats, including of course cyber attacks. And it will bring critical third party providers of ICT-related services to financial firms – such as cloud services – within a new “oversight” framework.

From the perspective of the regulatory community, we see a challenging task ahead of us. The new framework will come into effect on 17 January 2025. That is a mere 21 months from now. We know that it is also challenging for those of you on the industry side for whom the task of adapting your approaches – in some cases to new rules and requirements and in others to a whole new oversight regime – is an important one requiring commitment, resourcing, prioritisation and as much clarity and certainty as possible.

Let me be clear, however: these tight deadlines are not arbitrary ones chosen on a whim. Rather they are a direct function of the importance and urgency of the issue that they are designed to address. Technology and cyber risk are amongst the top risks that we face in the financial system. They pose risks both to individual firms and, potentially, to systemic stability. As such we need to address them in a timely and effective manner.

So the timelines are important and challenging. On all sides, we need to organise ourselves effectively and well if we are to achieve the timely and high quality implementation of the new framework. How we organise ourselves will be important. So let me say a little bit about this.

The Joint Sub-Committee that I chair brings together more than 40 national competent authorities – sectoral and integrated – from across the EU. Relevant EU-level bodies, such as the ESAs themselves, the European Central Bank, ENISA (the EU Agency for Cybersecurity), the Single Resolution Board (SRB) and the European Commission, are observer participants. Beneath the Joint Sub-Committee there are a number of Working Groups and Drafting Teams who are working strongly on the specification of the framework.

Working principles

As well as the structures by which we are organising ourselves, very significant is the way in which we are approaching the work. We have set ourselves a number of guiding principles that are underpinning this approach. Three of these are what you might call direct principles and two are enabling principles.

The direct principles are:

Momentum. There has been strong momentum built up through the level 1 negotiations and the immediate passing of the baton to the level 2 actors. This has meant that we have hit the ground running. We are committed to maintaining that forward momentum.

Pragmatism. This is a complicated field, made more so by the very wide range of firms of all shapes, sizes and business models to whom it applies. There is enormous potential to get deeply ensnared in technical detail beyond the capacity of the system to manage given the tight timelines.

With this in mind, we have agreed that a pragmatic approach will be essential. This involves a number of aspects. These include adopting a long-term, multi-year perspective. We won’t achieve perfection in year 1. We won’t be able to resolve all of the detailed technical issues to include them in regulatory requirements by the time the legislation is implemented. And, indeed, nor should we. What we will be seeking to do therefore is to deliver on time a well-specified, strongly coherent and consistent, and comprehensive package of regulation. We recognise, and indeed embrace the fact, that in the coming years there will be a strong need for supervisory coordination and collaboration so that as the framework is implemented we learn together, come to common solutions, and iteratively deepen the consistent implementation of the framework across all of its dimensions.

Quality. Momentum and pragmatism will not come at the expense of quality. We are committed to delivering a high quality framework based on the well negotiated Level 1 text which will strongly deliver enhanced resilience and risk management in a manner which is consistent with manageable implementation by those firms and entities to whom it applies.

These then are what I have described as the direct governing principles of our approach. As well as these there are two other so-called enabling principles.

  1. The first of these is proportionality. Given the very wide range of firms that fall within the scope of the new framework, that framework has to be fit for application to firms of all types, sizes, shapes, and levels of complexity. Proportionality is therefore essential. There is already a great deal of proportionality built into the Level 1 text. Much of this is inherent proportionality – that is requirements and approaches that quite simply have a different meaning depending on the nature, scale and complexity of the firm.

    In other places there are distinctive treatments made available depending upon the scale and complexity of a firm. For example in designing the level 2 framework we are tasked with producing both regulation for a risk management framework and also one for a simplified risk management framework which will apply to less complex firms. At every step of the process we will be having close regard to the principle of proportionality. The proportionality advisory committees of the ESAs will also provide important input and advice.

  2. The final enabling principle governing our work is engagement. High quality and effective engagement will be important to the success of this effort. Our regulatory development process is strongly adapted to this fact.

In general terms, engagement is always key to high quality regulation and to its effective delivery of its objectives. Regulators don’t know everything. We need to listen to and understand the perspectives of all of our stakeholders – the firms to whom the regulation applies; the consumers and users of financial services for whom the system is designed to operate; and all other interested parties whose perspectives and insights will be valuable in optimising whatever it is that the regulation in question is designed to achieve.

In the case of DORA this principle holds completely. This is a challenging, complex and rich area of work. We want to receive and understand the views and insights of interested parties so that we can make the regulations as good as they can be. And we want to engage as much as possible with stakeholders also to explain our thinking and approach so that people can understand well what we are doing, why we are doing it, and crucially what to expect as they prepare for their own implementation of the new framework. Events like today’s are important. In February the joint ESAs organised an online early engagement event. This was attended by more than 2000 interested parties. Importantly, our development timelines are built around the centrepieces of consultation on the emerging proposals for the new framework.

Timelines

So those then are the five principles which we have adopted in taking our work forward. I think it is worth sharing them, because they go beyond just being ways of working to giving you an important sense of what our approach and thinking is and a flavour of the type of regulatory outcomes we are seeking to achieve.

I mentioned just then the timelines for our work. It is worth saying a little bit about this. Now I want to caveat what I say on this. We have, as I have said, an ambitious approach which is seeking to deliver high quality product in a very timely way. But there are uncertainties and real challenges on the way. So we all need to be prepared for things to evolve and change as we progress.

Our timelines are determined by the ultimate goal of the new framework becoming applicable on 17 January 2025. More specifically we have been given by the Level 1 text two key deadlines. For the first package of regulatory measures the deadline for completion is January 2024. For the second, it is July 2024. That is the basis upon which we are organising ourselves.

So for the first package of measures we plan to issue our proposals for consultation over the summer. This includes the risk management framework, the criteria for the classification of ICT-related incidents, the register of information on outsourcing that firms must keep, and rules on outsourcing policies, amongst others.

The second package of measures includes the remainder of the regulatory products that we have been asked to deliver. These include the criteria for the classification of IT incidents as “major”; the reporting arrangements and requirements for such incidents; the framework around threat led penetration testing; and aspects of the oversight arrangements for Critical Third Party Providers (CTPP); amongst others. These are required to be finalised by July 2024. We aim to consult on our proposals for these aspects towards the latter part of the year.

As well as these mandates given to the ESAs under the Level 1 text, we have also, at the start of this year, received an important Call for Advice from the Commission. This asks for the ESAs’ advice on the criteria that should apply for designating a CTPP as critical and also how fees should be calculated for the oversight of such entities. The deadline for this advice is September this year. Given this, we plan to issue a separate consultation paper on these aspects in the summer, likely a little before the other Summer 24 CP that I have referred to above.

Risk Management

In developing the regulations, we see our outputs as generally falling under three headings: (1) Risk Management; (2) Incident Reporting; and (3) Oversight of Critical Third Party Providers. Let me now say a little bit about each of these.

Let me start with ICT risk management. This is covered in Chapter II of DORA. Many of the key ICT risk management principles and the expectations placed on senior management have been around now for about 20 years, albeit at that time embedded in best-practice frameworks, such as COBIT, utilised primarily by IT auditors. These principles soon became mainstream, and more than three years ago the EBA issued Guidelines (GL) on ICT and security risk management for banks (November 2019). EIOPA followed suit and issued GL on ICT security and governance for the insurance sector in 2020.

DORA now of course applies these principles to a wider range of firms. While this will of course bring new regulatory requirements to such firms, for the most part many of them will already have been implementing good practice principles such as these in their business. As I have mentioned, proportionality is a key feature of DORA both at Level 1 and in the emerging Level 2. In particular in this regard, DORA’s provision of simplified ICT risk management expectations for smaller entities is very important.

In essence, risk management is concerned with mitigating inherent risks to acceptable levels. This applies equally to cyber and IT risk management. This requires firms to have a good understanding of their ICT assets. From our supervisory work we know that this is not always the case. While it is a challenge, DORA will require regulated financial firms to identify, classify and adequately document all ICT-supported business functions, and to identify, classify and adequately document all the information assets and ICT assets supporting those functions. The bottom line remains: you need to know what you have in order to identify the risk it may cause.

Once firms have identified their ICT assets, DORA lays down expectations on how to protect those assets, on how to prevent incidents and of course on how to detect unusual ICT system behaviour. Should firms detect any unusual or unexpected system behaviour, DORA provides expectations on how to respond and eventually on how to recover from it. While these functions and categories of ICT risk management are new in an EU cross-sector regulation, other ICT frameworks such as the Cybersecurity Framework of the National Institute of Standards and Technology (NIST) have described them since 2014. Many ICT professionals, including ICT auditors, are well used to them. The Level 2 regulations will provide the important elaboration of the framework based around these key aspects.

A key aspect for the identification of ICT risk is the testing of ICT resilience, and DORA provides clear expectations in Chapter IV. DORA introduces mandatory threat-led penetration testing, in short TLPT, for larger financial firms. The implementation of DORA’s TLPT is required to be in accordance with the TIBER-EU framework of the ECB, which has already been adopted by 13 countries. Our work on this in the Joint Sub-Committee is well under way. This will form part of the consultation to be issued towards the end of the year.

DORA sets clear expectations, in the first section of Chapter V, on how financial firms have to conduct their ICT risk assessment when outsourcing ICT services to third-party providers. DORA expects the same ICT risk understanding by financial firms regardless of whether the ICT service is provided by a third-party provider or in-house. I believe that the minimum requirements for contractual arrangements will help both sides of the contract to have mutually beneficial contracts, and that the requirement to have service level descriptions with precise quantitative and qualitative performance targets will strengthen the services delivered.

There is a requirement to have registers of information for all contractual arrangements with regard to ICT services provided by third-party providers. For many firms this may be a new requirement. DORA will provide templates prescribing the data financial firms have to collect and record. I know that financial firms of all sizes can accomplish this because in Ireland we have issued outsourcing templates for all outsourced services, including ICT, across all supervised sectors. The first data collection by the Central Bank of Ireland went well and we are currently analysing the data.

ICT Incident Management and Reporting

DORA aims to harmonise existing incident reporting requirements and is setting expectations for firms to record all their ICT incidents as well as their significant cyber threats. This is a hugely important initiative. In the highly interconnected context in which the financial system and financial firms operate, it is essential both that individual firms have a clear view of the incidents they are experiencing and that authorities are well sighted on these and on the patterns, trends, risks and threats that are arising on an evolving basis. A key aspect of this will be the criteria that we will consult on over the summer for determining what should be considered “major” incidents. Our approach to this will be informed by an outcomes focus. Those outcomes are both the effective supervision of individual firms and the overall integrity and resilience of the financial system.

Of course the incident reporting requirements of DORA sit within a range of other such reporting requirements. These include those under the NISD2 framework, for which DORA is lex specialis. It will be important that these regimes fit and work well together. This is a key aspect for the Joint Sub-Committee as we develop our work. And indeed, as I have mentioned, ENISA is an observer in our work.

Oversight of Critical Third Party Providers

Turning now to the new oversight regime for Critical Third Party Providers (CTPPs) established under section II of Chapter V in DORA.

This is of course a very important aspect of the new Digital Operational Resilience framework. It reflects the enormously important role that such participants have come to play in the functioning of the financial system. At the same time it recognises that these participants are not, for these purposes, the providers of financial services. They are rather the providers of outsourced activities. As such they do not fall directly within the regulatory framework. Equally importantly, it remains the case that regulated financial entities must continue to take full responsibility for their outsourcing activities and to comply with the very significant principles and rules that have been built up in this area over recent years, including now in DORA and its implementing regulation.

Accordingly, for these purposes, CTPPs are subject not to regulation or to formal supervision but to oversight. And oversight in this context is a new concept with its own specific features and components. These are being further elaborated in the work that is underway both in the Joint Sub-Committee and in the ESAs’ secretariats, who will be responsible for the operational implementation of this new oversight relationship.

A number of components are being developed that will, together, provide the full content of this oversight framework.

These include the registers of outsourced services that financial entities will be required to maintain. As well as supporting financial firms’ own ICT and cyber risk management and its supervision, these registers will provide the fundamental data upon which assessments can be made as to who are the critical third party ICT service providers to the financial system. As mentioned the proposed template and contents of these registers will be consulted upon in our forthcoming summer CP.

Secondly, it will be necessary to establish the criteria for determining which third party providers are in fact critical. As I have said the European Commission has sought the ESAs’ advice on this question and our proposed response will be consulted on separately with a CP likely to be launched in early summer.

Finally, it will be necessary to put in place the operational arrangements that will be needed to implement the new oversight arrangements. In the Joint Sub-Committee we are already working on a draft Regulatory Technical Standard to specify a range of factors relevant to and enabling the conduct of oversight activities. We are also working on guidelines on cooperation between the ESAs and competent authorities (CAs) regarding the structure of the oversight. Both of these proposals have July 2024 deadlines for completion and will be consulted on towards the latter part of the year.

In parallel the ESAs’ secretariats are working on a range of operational aspects that will be necessary to specify as we move towards implementation of the new regime.

Conclusion

In conclusion, we all have an important challenge ahead of us as we move to implementation of the new digital operational resilience framework.

Our work in this regard – the work of all of us – is of the highest importance.

On the regulatory side we are moving forward with momentum, pragmatism and quality. Proportionality is one of our key enablers. As is engagement.

And in respect of this last, I thank you again for your participation today. And I look forward now to our panel discussion.

Thank you.