“Implementing DORA” - Remarks by Gerry Cross, Director of Financial Regulation – Policy and Risk

23 November 2023 Speech

Gerry Cross

Good morning. It is a pleasure to be here today to talk about the EU’s new Digital Operational Resilience Act (DORA) and its implementation. Many thanks indeed to A&L Goodbody for organising this event.

I am happy to be here both in my role as Director of Financial Regulation, Policy and Risk at the Central Bank of Ireland and as Chair of the Joint European Supervisory Authorities (“the ESAs”) Sub-Committee on Digital Operational Resilience.

Maybe the first thing to say as we come to the end of 2023 is that the work to implement DORA by the deadline of January 2025 remains firmly on track. DORA requires the ESAs to develop the implementing regulations in two phases. The first phase – including regulations on risk management and simplified risk management; “major incident” classification; and outsourcing, including the register of outsourced services to be maintained by firms – is on track for submission to the Commission in early 2024. The second phase – including the major incident reporting template; Threat Led Penetration Testing; and managing chains of subcontracting – is on track for public consultation to start in the coming weeks so that they can be submitted by the middle of the year.

So that is the headline: DORA implementation on track. Now let me delve into some of the details.

DORA is a really interesting piece of regulation.

The digitalisation of society and of the economy is happening at rapid pace. Nowhere more so than in the financial sector. It is important that we put in place the measures to facilitate the realisation of the benefits of digitalisation while managing the risks.

But, let’s think for a moment about the challenges that we face when we try to design and implement a framework to address digital operational resilience in the financial sector.

The challenges include the following:

- The cross-sectoral nature of the issue. Digital operational resilience needs to be addressed as a cross-sectoral phenomenon – traditional sector-based approaches will not do;

- The broad plane of incidence that needs to be covered. IT and cyber risks and threats arise and crystallise in individual firms of all shapes and sizes, amongst cohorts of firms, and from system-wide events – with high levels of interconnection between them. This means that the scope of action of our approach needs to be wide;

- The highly dynamic context. The risk and threat landscape morphs and changes rapidly, so that there is always a race to keep up with the shape of the next emerging threat;

- The fragmentation of the overall landscape is a major feature which, while bringing benefits, also represents a challenge. In particular, the extent to which services are outsourced and subcontracted – including, of course, to cloud providers and “Big Tech” generally; and

- The deeply technical and dematerialised nature of the context means not only that there is a need to deploy significant levels of expertise to address the issue, but also that we need to be able to “translate” technical perspectives into policy, practice, and strategy, and vice versa, in a very fluent manner.

What is notable about DORA is that it is delivering a regulatory approach which provides a sophisticated, integrated, comprehensive, and pragmatic approach to this multifaceted set of challenges.

Let’s take a moment to look at the overall approach of DORA and what it is trying to do.

Firstly, it is a fully cross-sectoral and wide-scope piece of regulation. This represents significant ambition – to introduce a single, far-reaching framework of regulation that can be applied to every financial firm whatever their size, whatever their complexity, whatever their business model.

Secondly, it aims to encompass the multifaceted and interconnected nature of the digital operational resilience challenge. As well as setting out requirements about how firms must approach their own operational risk, resilience and recovery, it also very importantly puts in place requirements as to how they must approach the management of their relationships with third party service providers. This is a crucial aspect given the way in which digitalisation is a phenomenon which has relied to an unprecedented extent on outsourcing and subcontracting as the means to harness change. Beyond this, it requires financial firms to have in place frameworks to identify, assess, and report to regulators IT incidents as they occur, and for competent authorities to report these to the European Supervisory Authorities – and to each other.

A third significant feature of DORA is that it establishes for the first time an oversight regime for third party services – including cloud service providers – that provide IT services to financial firms and the financial system. This is both ground-breaking and sophisticated. DORA does not mean that such third parties, including many of the Big Tech companies, are to be regulated firms. Rather it means that, given their increasingly important and integrated role in the financial system, regulators shall, as part of their oversight of the financial system, have oversight of such providers, including of course the right of inspection. Regulators should then build their oversight assessments and outcomes into their decision making around financial firms’ resilience and the need for enhancement in that. This is, as I say, a sophisticated and nuanced, but still likely to be highly effective, approach.

Fourthly, and finally, DORA has rightly built in a material degree of urgency. This is simple to explain – if still pretty demanding to implement. It has provided a very short timeline for implementation. It has given the European Supervisory Authorities, and National Competent Authorities, an even shorter timeline to develop the “Level 2” regulations which will provide the crucial details of the new framework. And of course for those to whom regulation will apply this means that the need for readiness is pressing. The new regime has to be in place by the start of 2025 – just two years after the legislation was adopted – while the regulations have to be submitted by the regulators within just 12 months for many of them, or 18 months for others. That means that you will see the first proposed regulations from the European Supervisory Authorities going to the Commission for approval within the next few weeks.

Implementing the new framework

This brings me to the question of the work that is being done by the European Supervisory Authorities (the ESAs) on the implementation of the new framework.

The ESAs are, as I have mentioned, tasked with jointly delivering the regulatory standards implementing the new framework. The Joint Committee of the three ESAs has established the Sub-Committee on DORA to deliver these standards. It is a continuing pleasure for me to have the fortune to chair this committee.

More than 40 competent authorities from across Europe, representing different sectors, participate in this Committee, ensuring a wide range of technical and sectoral expertise. Furthermore, the ESAs and other EU bodies such as the ECB, the European Union Agency for Cybersecurity (ENISA), the Single Resolution Board (SRB), the European Systemic Risk Board (ESRB), and the European Commission are observers and provide input from a European perspective.

It is worth mentioning again the guiding principles that we have adopted in our work to develop the regulatory standards for implementing DORA. Worth mentioning because they represent the implementing approach which we have adopted to reflect the unique and distinctive features of DORA as a regulatory framework that I have been discussing just now.

Momentum. In our regulatory implementation work we have from the start recognised the urgency of our task. Regulation is always pressed to keep up with practices – and this is even more the case with digitalisation. Accordingly, we have sought, despite the complexity and challenge of the work, to do it with strong momentum to give ourselves, firms, and the system as a whole every chance of being in the best shape possible for the January 2025 implementation date.

Pragmatism. This is a complicated field, made more so by the very wide range of firms of all shapes, sizes and business models to whom it applies. There is enormous potential to get deeply ensnared in technical detail beyond the capacity of the system to manage given the tight timelines.

With this in mind, a pragmatic approach is essential. This involves a number of aspects. These include adopting a long-term, multi-year perspective. We won’t achieve perfection in year one. We won’t be able to satisfy all of our regulatory inclinations to dot every “i” and cross every “t”. What we will be able to do is to deliver on time a well-specified, strongly coherent and consistent, and comprehensive package of regulation.

We recognise the fact that in the coming years there will be a strong need for supervisory coordination and collaboration so that as the framework is implemented we learn together, come to common solutions, and iteratively deepen the consistent implementation of the framework across all of its dimensions.

Quality. Momentum and pragmatism will not come at the expense of quality. We are committed to delivering a high quality framework based on the well-negotiated Level 1 text which will strongly deliver enhanced resilience and risk management in a manner which is consistent with manageable implementation by those firms and entities to whom it applies.

Proportionality. Proportionality is key and has been and continues to be at the heart of our regulatory approach. Given the very wide range of firms that fall within the scope of the new framework, that framework has to be fit for application to firms of all types, sizes, shapes, and levels of complexity. There is already a great deal of proportionality built into the Level 1 text. Much of this is inherent proportionality – that is requirements and approaches that quite simply have a different meaning depending on the nature, scale and complexity of the firm.

In other places there are distinctive treatments made available depending upon the scale and complexity of a firm. For example, in designing the Level 2 framework we are tasked with producing both regulation for a general risk management framework and also for a simplified risk management framework which will apply to less complex firms.

Beyond this we are seeking to ensure that all the regulations are developed and written in such a way that they will apply appropriately to all of the different sizes and types of firms and their different business models. At every step of the process we have been having, and will continue to have, close regard to the principle of proportionality. The proportionality advisory committees of the ESAs have been providing valuable input and advice.

Engagement. High quality and effective engagement has been and will continue to be critical to the success of this effort. Our regulatory development process is strongly adapted to this fact.

In general terms, engagement is always key to high quality regulation and its effective delivery of its objectives. In the case of DORA this principle holds completely. This is a challenging, complex and rich area of work. We have made it our aim to receive and understand as many of the views and insights of interested parties as we possibly can – so that we can make the regulations as good as they can be. During the course of this year we have carried out two consultation exercises – one on the criticality criteria for recognising critical third party providers, and one on the first batch of draft implementing regulations. We were very pleased to have received so many high quality and constructive responses to these consultations. We are about to launch in the coming weeks another consultation, this time on the second and final batch of draft implementing regulations.

Beyond this, and hugely importantly, we have held a range of events, large and small, formal and informal, to ensure that we provide every opportunity to hear the views and insights of all stakeholders.

Let me turn now to some of the different aspects of DORA and our work to implement it.

ICT Risk Management, including ICT outsourcing risk

DORA builds on twenty years of work in the area of ICT risk management. For many firms, many of the DORA requirements will be familiar from existing standards and guidelines.

Firms are required to identify, classify and document their ICT assets. Once firms know what ICT assets they have, DORA sets expectations on firms to identify the potential risks related to these ICT assets. Then, firms are expected to protect against these risks and to have tools in place to detect unusual ICT system behaviour. Should firms detect any unusual or unexpected system behaviours, DORA provides expectations for response to and, as needed, recovery from such incidents.

It is important to note that the DORA Level 1 Regulation and the Level 2 Regulatory Technical Standard (henceforth “RTS”) need to be read in tandem, because the RTS does not repeat Level 1 requirements but rather adds to them. The RTS on Risk Management itself, which was in public consultation for three months earlier this year and is currently being finalised, is structured into five Chapters, detailing requirements on:

(1) the ICT security policies, procedures, protocols and tools expected;

(2) the interaction of Human Resource policies and access controls;

(3) ICT-related incident detection and response, mainly referring to the incident RTS;

(4) ICT business continuity management; and

(5) the firm’s report on its ICT risk management framework review.

As well as the general RTS on ICT risk management, a second RTS provides a simplified version of ICT risk management expectations in line with proportionality aimed at prescribed smaller entities.

DORA contains a significant focus on ICT outsourcing, with a range of important requirements. Third-party risk management is required to be an integral component of a firm’s overall ICT risk management. Firms cannot delegate their accountability in this regard. Financial firms, other than microenterprises or those falling under the simplified requirements, will have to have a strategy on ICT third-party risk, which must include a policy on the use of external ICT services supporting critical or important functions. More specific guidance and requirements on the content of this policy are set out in the dedicated RTS, which went for public consultation earlier this year and is currently being finalised.

Furthermore, DORA puts obligations on firms to establish a register of information for all contractual arrangements on the use of ICT services provided by third-party service providers. An Implementing Technical Standard (henceforth “ITS”) containing standardised templates for such a register of information is currently being finalised. The ITS, which also underwent public consultation earlier this year, will ensure a harmonised recording of contractual ICT outsourcing arrangements and, while the initial implementation by firms may be challenging, it should become a major part of the ICT risk assessment toolkit at a firm’s disposal.

From an Irish perspective, we at the Central Bank of Ireland have already issued general outsourcing guidance, including on ICT outsourcing, which also contained templates for an outsourcing register. Alignment between our national outsourcing register and the new DORA ICT outsourcing register is strong and should help to future-proof the financial sector in Ireland in this regard.

Other key ICT outsourcing elements include requirements to perform assessments of concentration risk, taking into consideration how a firm’s business needs and its objectives fit into a digital resilience strategy. DORA contains requirements on contractual provisions that must be included in ICT outsourcing agreements, as well as considerations on ICT risk stemming from sub-outsourcing.

A dedicated RTS on sub-outsourcing requirements is currently being developed and is expected to enter a three-month public consultation later this year. Here it will be important to deliver a materiality-based, proportionate approach.

Moving on now to Digital Operational Resilience testing, covered in Chapter IV of the DORA Regulation.

Operational Resilience testing & Threat-led penetration testing (TLPT)

DORA sets clear expectations on operational resilience testing. Firms are expected to establish a sound and comprehensive digital operational resilience-testing program as part of their ICT risk management framework.

For larger financial entities, DORA introduces advanced testing requirements based on threat-led penetration testing, in short “TLPT”. These TLPT requirements are being developed having regard to, and in accordance with, the so-called “TIBER-EU” TLPT framework that has been developed by the ECB / Single Supervisory Mechanism. An RTS is being developed and will be published for public consultation later this year, providing further detail on these requirements.

Importantly, TLPT will only apply to the largest financial firms, and many EU member states, including Ireland, have already adopted the TIBER-EU framework for this cohort. DORA will introduce a regular frequency to such tests and put them on a firmer regulatory footing. This will be a step-up for firms who currently participate in TIBER tests on a voluntary basis. Having the TIBER experience in Ireland since 2020, I believe we are in a good position to implement DORA’s advanced testing requirements by leveraging our expertise and the relationships already formed with industry.

Turning now to ICT incident reporting.

ICT-related incident reporting

DORA covers ICT-related incident management in Chapter III, aiming to harmonise the reporting of major ICT-related incidents and, on a voluntary basis, the reporting of significant cyber threats.

At its core, the regulation expects firms to implement an ICT incident management process to detect, manage and notify ICT incidents, including identifying their root causes.

An RTS is being finalised, following consultation, on classifying “major” ICT incidents. This RTS sets out seven classification criteria as well as thresholds for identifying major ICT-related incidents.

On the basis of this classification, reporting to competent authorities is required using a template which is being finalised for public consultation in the coming weeks.

Of course the incident reporting requirements of DORA sit within a range of other such reporting requirements, most of which DORA will supersede. For example, DORA will be lex specialis for the financial sector under the NISD2 framework, but DORA is also cognisant of national reporting requirements to NISD2 authorities, such as Ireland’s Computer Security Incident Response Team (CSIRT-IE). It will be important that these regimes fit and work well together to realise DORA’s aim of harmonisation.

The impact of DORA’s ICT incident management requirements will vary. Many regulated financial entities already have numerous incident reporting requirements; in their case DORA will lessen the burden, since an incident will need to be reported under just one obligation. For firms that currently have limited incident reporting, DORA will have an initial impact but will also raise their ICT incident reporting maturity. The onward reporting of these incidents by competent authorities to the respective sector ESAs will allow further cross-EU incident analysis to get a better EU-wide understanding of the nature of ICT incidents.

Third Party Oversight Regime

Turning now to the new oversight regime for Critical Third Party Providers (CTPPs) established under Section II of Chapter V in DORA. This is of course an enormously important aspect of the new Digital Operational Resilience framework reflecting the major role that such CTPPs have come to play in the functioning of the financial system.

A key initial task will be the designation of critical TPPs by the ESAs. The ESAs together with National Competent Authorities have already finalised the work on a Call for Advice for the CTPPs’ criticality criteria. The EU Commission has received this advice and in turn is now working on the Delegated Acts, which were published last week for a one-month consultation, alongside the CTPPs’ fees proposal.

This work to designate those CTPPs which will fall within the new oversight regime will draw upon firms’ registers of outsourcing information that I discussed earlier. Once a CTPP is designated, the ESAs will assume an oversight role through Joint Examination Teams, which will give us a brand-new acronym: “JETs”.

Joint in this case means that JETs will be composed of staff from the ESAs and from national competent authorities. The important distinction here is oversight and not supervision, because CTPPs are the providers of outsourced activities rather than regulated entities. As such, not only do they not fall directly within the regulatory framework but, equally importantly, it remains the responsibility of regulated financial entities to continue to take full responsibility for their outsourcing activities and to comply with the very significant principles and rules that have been built up in this area over recent years, including now in DORA and its implementing regulation.

An RTS on aspects of the conduct of oversight is being finalised for public consultation in the coming weeks. However, much of the operational functioning of this new framework will not be contained in the formal legal text of an RTS but rather in the arrangements that are being developed to govern the functioning of the regime, including cooperation and coordination between the three ESAs and National Competent Authorities in this area. This work is also underway.

Next Steps

Finally, next steps.

The first batch of four RTS and one ITS has already been in public consultation for three months, ending 11 September, and the ESAs, together with NCAs, have been working through the more than 400 responses received. Of these, about 120 responses have been on ICT Risk Management, about 100 on ICT incident management and about 200 on Third-Party management, including the Register of Information. The work to finalise this first phase is progressing well and remains on track to meet the submission deadline to the EU Commission in January 2024.

The second batch of four RTS and one ITS is currently being prepared for a three-month public consultation, expected to launch towards the end of the year – once again on time.

Meanwhile, in the context of putting in place the working arrangements for the new Third Party Oversight Regime, including the design and establishment of the new Joint Examination Teams, discussions amongst ESAs and National Competent Authorities are underway.

I thank you again for your participation today. And I look forward now to our panel discussion.