Skip to main content

Digital Operational Resilience Act (DORA)

What is the current status?

Over the past year or so, the EU Commission has been working on a piece of legislation that is now set to govern the topic of Operational Resilience within the Digital world. DORA will be the first legislation with immense focus on operational resilience within the financial sector. It is primarily driven from the need to have a single rulebook for the financial sector that encompasses and consolidates the requirements around managing effectively ICT risks. It seeks to

  • expand on the current ICT risk management rules
  • create more governance around incident classification and reporting
  • equip organization to get on top of their operational resilience testing to further strength gaps that may exist and
  • bring third party providers into the regulatory perimeter

DORA went live on the 17th January 2023 – this means that organisations have a 24 month window which is already counting down to reach a state of compliance. This 2 year window is but a short time within which organisations need to perform a gap assessment against the regulation and also remediate those gaps. The ultimate deadline is 17th January 2025 before the regulation is fully enforceable.

Pre-empting the release of the final DORA text, Deloitte conducted a survey between November 2022 and January 2023 with the objective of understanding the readiness of financial institutions in complying with the DORA, and the associated challenges that these institutions are facing. The results of the survey highlighted some of the key challenges we anticipated and are currently seeing financial institutions face when embarking on their DORA compliance journey.

What are some of the challenges your organization faces?

Next to the final text of DORA, over the past months, we have seen the release by the European Supervisory Authorities (ESAs - EBA, EIOPA and ESMA) of the discussion paper on the criteria for critical ICT third-party providers (CTTPs) and oversight fees as well as the first batch of draft technical standards which have again created more stir in the market. The paper and standards were released in a bid to collect public feedback before the text becomes finalized.

When reviewing the discussion paper on criteria for CTTP and oversight fees, it was identified that the paper follows a 2 step approach:

Step 1 - focusses on a quantitative analysis that will enable the ESAs to bring the long list of ICT third party providers down to a more workable list of candidate CTPPs.

Step 2 - is a further assessment based on an additional set of criticality indicators. There are four main criteria (and potential thresholds) proposed within the paper with some initial indicators:

  1. Impact on provision of financial services
  2. Importance of financial entities that rely on the service
  3. Impact on delivery of critical or important functions
  4. Degree of substitutability in the market

The paper further goes on to explain how each of the main criteria should be calculated.

Additionally linked to the oversight fees, the paper sets out the following as activities that would require fees to be levied:

  • Designation of CTPPs
  • Conduct of the oversight
  • Follow-up of the recommendations issued by the Lead Overseer
  • Governance of the Oversight

The oversight costs will only be determined once there is more clarity on the oversight framework and also the estimated costs to be incurred by the ESA’s each year. The costs will be the responsibility of the critical party.

The first batch of regulatory technical standards (RTS), were released in June and seeks to clarify the requirements around:

  1. ICT Risk management tools, methods, processes and policies
  2. Criteria for the classification, management and reporting of OCT related incidents
  3. A more detailed view on the Register of Information in relation to contractual arrangements
  4. Better managing ICT third party risk supporting CIF’s

We anticipate the second batch of RTS to be released before the year in out.

How do you see the gap assessment and implementation roadmap for your own organization?

How does the RTS align with your existing policies and procedures?

If you need more information or have specific questions around your own DORA compliance journey, do not hesitate to reach out to us.