The first batch of draft technical standards under the Digital Operational Resilience Act (DORA), which applies from January 2025, has been released and has drawn a quick retort from industry.
AFME and the EACB warn that data gaps and unclear risk controls will make the tough new data and reporting requirements hard to implement.
Firms and their suppliers now have a little over 400 working days to revamp hundreds of thousands of contracts. If your programme has not already started, you will struggle to hit the implementation deadlines.
Background
To address the challenges and opportunities presented by the digital transformation of financial services, the European Supervisory Authorities (ESAs) have published several consultation papers outlining draft regulatory technical standards (RTS) and implementing technical standards (ITS). These follow the ESAs' discussion paper on the criteria for designating critical ICT third-party providers (CTPPs).
However, push-back from the trade associations has already started, and data hurdles are top of the list. In AFME's view, collecting data from third-party providers and other suppliers may place additional strain on available resources, and incorporating DORA-specific data attributes into existing operational resilience frameworks will consume further time and resources. Third-party providers and other suppliers are also seeking clarity on what information is required about subcontractors. The EACB, for its part, fears that there are elements of the new framework which could increase costs for ICT third-party providers (TPPs).
DORA standards overview
The four policy consultations propose rigorous new Information and Communication Technology (ICT) risk controls, including a new EU-wide register of information on ICT providers.
Draft RTS on ICT Risk Management, Tools, Methods, Processes, and Policies:
The ESAs’ consultation paper on ICT risk management sheds light on the draft RTS, which aims to establish a standardised framework for managing ICT risks across financial entities. The proposed standards encompass various aspects, including risk identification and assessment, incident response, business continuity planning, and third-party risk management. By promoting consistency in risk management practices, the RTS seeks to enhance the sector’s ability to identify, mitigate, and recover from ICT-related disruptions.
Draft RTS on the Classification of ICT Incidents:
Efficient and consistent classification of ICT incidents is critical for effective incident management and response. The ESAs' consultation paper on incident classification introduces a draft RTS that proposes a classification scheme for ICT incidents which all in-scope firms would apply, so that organisations categorise and assess the impact of incidents consistently. A standardised approach facilitates better incident reporting and analysis and, ultimately, more effective incident response.
Draft ITS on the Register of Information:
Recognising the need for improved transparency and oversight, the ESAs have proposed the establishment of a register of information related to ICT risk management. This register, as outlined in the draft ITS, will serve as a centralised repository for financial entities to record essential information about their ICT systems, providers, and associated risks. The register aims to enhance regulatory supervision, facilitate information sharing, and enable a more comprehensive understanding of the operational resilience landscape across the financial sector.
Draft RTS on the Use of ICT Services Supporting Critical or Important (CI) Functions:
The ESAs' consultation paper on the use of ICT services supporting critical or important (CI) functions addresses the particular risks that arise when these functions depend on third-party ICT services. The draft RTS sets out the required content of a firm's policy on such arrangements, including risk assessment, resilience measures, and considerations for outsourcing and the use of cloud services. By providing clear guidance and requirements, the RTS aims to enhance the resilience and stability of CI functions.
Impact assessment
JWG's analysis, The dawn of compliant financial services infrastructure, set out the importance of building a solid foundation. It discussed how DORA looks at a firm's ability to weather turbulence across its supply chain, with a holistic approach that goes further than other jurisdictions. The risk management consultation's focus on third-party risk management, together with the ITS on the register of information about ICT providers, puts both firms and their suppliers on notice of detailed regulatory supervision of the risks to 'the how'.
Furthermore, as discussed in JWG's analysis, Technology contracts in the age of DORA, the regulation demands greater attention to contract design, focusing on accountability, resilience, and compliance. Financial entities will need to carefully review and update hundreds of thousands of technology contracts to align with the requirements set by DORA and the ESAs. This is also covered by the risk management consultation and the ITS on the register of information, both of which would improve consistency in risk management practices and transparency and oversight of third-party providers.
JWG's research on managing digital infrastructure risks showed the significance of DORA's approach to risk management: control over third-party services and improved technology governance, requiring transparency and assurance from third-party technology providers. Proactive identification and mitigation of digital infrastructure risks will help financial entities maintain operational resilience. All four consultations bear on this. The risk management consultation covers all forms of risk management and business continuity; the incident classification consultation provides a uniform scheme to categorise and assess incidents; the register of information consultation improves the information obtained from providers and information sharing; and the consultation on ICT services supporting CI functions gives guidance on risk assessments for those functions.
Association feedback
AFME and the EACB have also responded to the ESAs' joint discussion paper on the criticality criteria for CTPPs. In their responses they say that the collection and evaluation of supply-chain data has emerged as a challenge, highlighting the difficulty of obtaining this crucial information and expressing concern that the issue is being underestimated.
AFME believes a key hurdle lies in the availability of data, particularly for subcontractors and other providers further down the supply chain, often referred to as fourth parties. To address this effectively, authorities may need to engage directly with third-party providers. However, gathering the required information from third-party providers introduces additional complexity and resourcing pressure, particularly given the potential for concurrent information-gathering exercises by the ESAs.
Furthermore, the introduction of data attributes specific to DORA is likely to diverge from existing operational resilience frameworks and will take time to implement.
There is also uncertainty in the market over whether subcontractors are to be included in the information on third-party providers: some sections of the paper suggest their inclusion while others propose separate treatment. These challenges underscore the need for careful consideration and effective coordination to build a comprehensive picture of supply-chain data and thereby improve operational resilience in the financial sector.
There are also warnings that elements of the new framework could drive up costs for ICT TPPs. The EACB recommends that the costs and benefits of new requirements and financial overheads be carefully balanced, and that any cost increase without objective justification, or that does not lead to improved resilience, should be avoided.
Conclusions
As the European financial sector navigates the digital era, ensuring digital operational resilience is crucial to maintaining stability, security, and customer trust.
These consultations expose just how disruptive technology risk management at the level demanded by EU regulators will be to the industry. They also show just how little time the sector has left. If you haven't mobilised your programme yet, you are starting well back in the pack.
Stay tuned for the results of the consultations, to be published after comments close on 11 September 2023 for the first batch of DORA policies, and for the outcome of the consultation on the criteria for critical ICT third-party providers, due in the coming months.
The ESAs will then submit their advice on the critical ICT third-party provider criteria to the European Commission by 30 September 2023, and the final draft first-batch standards by 17 January 2024, for the Commission to finalise, leaving about a year to implement the changes from the first batch of policies.
The second batch of consultations is due in November or December 2023, with the aim of finalising those standards by July 2024, leaving roughly six months for firms to put them into place once finalised.
However you look at it, 400 working days is not a lot of time, and firms and their suppliers are advised to use 2024 to get ready. Expect skyrocketing subject-matter expert (SME) rate cards through 2024.