The DORA establishes a unified set of requirements for a broad scope of FS firms in the EU in the areas of cyber and ICT risk management, incident reporting, resilience testing and third-party outsourcing. It also introduces a framework that allows FS supervisors to oversee Critical ICT Third Party Providers (CTTPs) including Cloud Service Providers (CSPs).
The European Parliament (EP) and European Council have reached their respective positions on the DORA package and have begun inter-institutional negotiations called “trilogues,” which are the final stage of talks necessary before the file can become law. This aims to align the positions of the EP and Council where they currently differ. We expect these talks to conclude by mid-2022.
When will firms have to implement the DORA?
The European Commission’s original proposal was for a 12-month implementation period for most of the DORA’s requirements and a 36-month period for resilience testing requirements. Both the EP and the Council want to extend the general implementation period to 24 months. However, the EP and Council disagree on the implementation timeline for resilience testing requirements. The EP wants to keep the original 36-month implementation period, while the Council wants it reduced to 24 months. A shorter timeframe here could be difficult for mid-size firms that have not run tests such as Threat-Led Penetration Tests (TLPTs) before. While timeframes can still change, the Council’s text is likely to strongly influence the outcome. As a result, we believe that firms should use a working assumption of a 24-month implementation period for all the DORA’s requirements, running from H2 2022 to H2 2024.
What is the state of play in key components of the DORA?
We see several important takeaways from our analysis of where the Council and EP are aligned on the DORA, and where they differ. These are:
Level 2 rulemaking will be an important part of new requirements
The DORA package delegates significant decision-making authority to the ESAs to write technical standards specifying the rules that firms will have to follow. The RTS on ICT risk management will set out more detailed rules for the governance, security policies and event detection procedures firms will need to put in place as well as more detail on the required content of their business continuity plans. Further RTSs on reporting major ICT-related incidents, the approach and methodology for TLPT testing and on third party risk management and registers will all be crucial for firms to understand the full spectrum of requirements they will face from the DORA.
The ESAs will only begin to draft these RTSs once the DORA is finalised later this year, and timelines for secondary rulemaking vary. The Council is asking for all RTSs to be produced within 18 months of the entry into force of the DORA, while the EP sets different timelines for each. All RTSs, however, are due to be finished before the likely 24-month implementation period ends. This will nevertheless limit the clarity firms have as they prepare for the DORA’s implementation, and any delays in producing the RTSs (which are not uncommon) will exacerbate this. This underlines the need for firms to assess and identify no-regret actions they can begin to take to prepare for the new rules, including when implementing technological/infrastructure upgrades or negotiating new TPP contracts.
The ESAs will also have to conduct a feasibility study on the establishment of a centralised solution for EU ICT incident reporting. This will become part of important preparatory work for the introduction of a pan-European Systemic Cyber Incident Coordination Framework (EU-SCICF) which the ESAs publicly committed to working towards in a January statement.[ii] This initiative will primarily drive supervisory efficiency across the EU. However, any indirect benefit for firms will only become apparent over time.
International regulatory alignment cannot be ignored
Firms operating cross-border business models – e.g., operating in both the EU and UK – will need to consider how the DORA’s requirements will fit in with work they are doing in other jurisdictions. One notable difference is that the DORA addresses operational resilience as a detailed set of legislative requirements whereas operational resilience is being handled as a principles-and-outcomes-based initiative by supervisors in the UK and elsewhere. The DORA also focuses on digital and ICT risks, whereas the UK and other frameworks consider operational resilience more broadly. This may contribute to a greater emphasis in the EU on cyber threat and other technology-related risk scenarios.
There are, however, a set of outcomes in the DORA’s requirements that are common with the UK supervisory framework and, for banks, the Basel Committee’s 2021 Principles on Operational Resilience. Both frameworks require the identification of critical parts of the business (i.e., important business services in the UK, critical or important functions in the DORA), and the alignment between jurisdictions here will be a key area for supervisors to determine. The Council’s amendment requiring firms to conduct business impact analyses of their exposure to severe disruptions also brings the DORA closer to the UK and BCBS’s introduction of testing resilience against “severe but plausible scenarios.”
Our view is that cross-border firms will gain efficiencies when they adopt a consistent approach to operational resilience group-wide and modify it in each jurisdiction as far as necessary to meet specific requirements. There are clear opportunities for the DORA to be compatible with such an approach, but much will depend on the Level 2 work done by the ESAs and the supervisory approach taken by authorities, the ECB chief among them. The 2020 statements by the ECB, US and UK authorities committing to deliver a joined-up approach to the supervision of operational resilience demonstrate encouraging cooperation.[iii]
Early implementation actions need to be identified
It is important for firms to identify actions they can take now, before the primary legislation is finalised and Level 2 standards from the ESAs are available. In our experience of working with UK firms, where the regulatory initiative on FS operational resilience is at a more advanced stage, preparing for the initial implementation of the new rules has taken more time and resources than many firms anticipated.
In a recent executive survey we conducted for our 2022 Regulatory Outlook, UK firms highlighted the identification and management of TPP vulnerabilities as the most important challenge they faced in implementing operational resilience requirements.[iv] EU firms will likely face a similar challenge with the DORA as well.
In our view, several “no regret” actions firms should be considering include:
As the DORA moves towards finalisation, firms need to be mindful of the scale of the challenge that implementation will bring. A two-year implementation period will be a short window of time to get things right. Firms can stay on the front foot by taking a proactive approach to assessing the impact of the requirements to develop a realistic and achievable implementation plan.
This article was written by Deloitte’s EMEA Centre for Regulatory Strategy in collaboration with Deloitte Belgium, Italy and Netherlands. It was originally published here.