This article is based on a publication from Deloitte’s EMEA Centre for Regulatory Strategy and has been adapted for the Maltese market incorporating the recent updates.
The EU’s DORA recently entered its final implementation year, which will end on 17 January 2025. Firms in scope include almost all regulated firms within the FS sector that operate legal entities in the EU, as well as ICT third-party providers designated as ‘critical’.
The DORA presents a high level of prescriptiveness and a particularly challenging timeline. Although firms in scope were officially granted a two-year implementation period, a good portion of the technical detail required to build effective compliance was not available immediately after the DORA text entered into force.
As a matter of fact, the DORA delegates a significant set of key methodologies, thresholds and templates to secondary legislation. More specifically, the European Supervisory Authorities (ESAs) and the European Commission were mandated to draw up regulatory technical standards (RTSs), implementing technical standards (ITSs) and delegated acts (DAs) as follows:
Picture 1: pillar-by-pillar view of the DORA’s secondary legislation
The final text of the DORA divides secondary standards into two main batches: the first was submitted by the ESAs to the European Commission on 17 January 2024 and the second on 17 July 2024. If satisfied with the final drafts, the Commission has the power to adopt the standards, thus making them legally binding (provided the Parliament and the Council raise no objections).
Despite allowing the ESAs to contribute to the regulation with their technical expertise, the secondary standards process is taking place throughout the implementation period of the DORA. This adds a further layer of complexity around implementation for firms in scope. On the one hand, they will not have complete certainty on what is required from them until secondary legislation is fully adopted. On the other, waiting until the standards are finalised may not leave enough time to complete implementation before the January 2025 compliance deadline. The ESAs – despite understanding the challenges implied by the DORA’s timeline – have made it clear that they do not have the official mandate to extend the implementation period any further, as it is already set out in law.
Being able to navigate the secondary legislation will therefore be of paramount importance for firms this year.
The DORA imposes a set of legally binding requirements but does not clearly specify a sequence to implement them. Firms therefore enjoy relative freedom in deciding the starting point for developing their resilience framework.
Nevertheless, this does not mean that each pillar is completely independent and self-standing in relation to the rest of the DORA.
For instance, activities like mapping ICT systems or defining critical or important functions (CIFs) are key prerequisites that need to be fully completed before proceeding to other specific requirements. Many of the DORA’s obligations depend on these activities, and yet only limited direction has been provided on them so far. For these reasons, identifying CIFs and mapping ICT systems not only constitute the backbone of broader implementation but are also likely to be time-consuming.
The interdependency between the DORA’s pillars (as set out in Table 1) will also inform the sequence of implementation activity. For instance, Pillar I forms a foundation for all other pillars: it would be hard to consistently and accurately classify, manage and report incidents without having an ICT risk management framework in place. Evaluation of new contractual requirements for ICT third parties – and their implementation in both new contracts and the current repository – also constitutes a vital piece of the puzzle that needs to be in place to ensure inclusion of relevant third parties in FS firms’ own resilience testing activities. Those standards also detail the requirements for implementing the core DORA ICT risk management pillar, which is key to informing the other pillars such as incident reporting.
Firms have the option to tailor their implementation plans to their capabilities and resources (e.g., starting from areas where they already possess sufficient resources/expertise) but should still consider inter-dependencies between pillars and build in flexibility for areas where secondary legislation is still far from finalisation.
Sequencing should be combined with effective prioritisation, especially when considering the DORA’s extensive remit and the limited amount of time and resources firms have at their disposal. Keeping this in mind, firms should start working on the most time-consuming areas as soon as possible. Third-party risk management rules, for instance, will require each firm to carry out extensive work on renegotiating a significant number of contracts. Additionally, some of the largest third parties may also fall within the scope of the DORA themselves as critical ICT third-party providers, adding a further layer of complexity to the equation. Inadequate prioritisation (and related resourcing and effort) of this area now may present firms with higher costs at a later stage.
Different FS firms also find themselves at different levels of maturity. For instance, there is little doubt that a well-established regulated bank can more easily comply with the DORA’s resilience requirements (due to compliance with broader cyber resilience and third-party requirements) than newly regulated firms like crypto-asset-providers. Additionally, firms will face different levels of proportionality in the supervision applied to them depending on their size and systemic relevance. All these factors will influence the way firms prioritise implementation resources and effort.
Finally, firms should keep in mind that – even if the compliance deadline is less than a year away for DORA in its entirety – there is still a subtle distinction between requirements strictly due by January 2025 and those which will start applying from January 2025.
The critical third-party provider oversight regime is the prime example of the latter case. Active supervision will only begin after the compliance deadline, namely once designations actually begin to occur. All FS firms in scope of the DORA will, however, need to have their ICT risk management and third-party risk frameworks in place by the end of the implementation period.
Lastly, other obligations – such as incident reporting and advanced testing – will probably follow in the prioritisation. These will undoubtedly require implementation work in advance but will only begin to be effectively tested in practice after the compliance deadline, once ICT-related incidents actually occur and national threat-led penetration testing (TLPT) authorities begin to send advanced testing notifications to FS firms in scope.
Secondary legislation provides much needed detail on key practicalities required to comply with the DORA and firms should leverage it as much as possible. Nevertheless, they should also be conscious that level 2 only partially covers their DORA duties.
For instance, the RTS on TLPT only focuses on one method of testing mandated by the DORA. It is therefore not sufficient on its own to be fully compliant with the pillar on resilience testing, as this encompasses a broader set of activities that need to be carried out by all firms in scope of the DORA. In a similar fashion, the RTS on ICT risk management does not address all areas due to be developed under the framework mandated in the level 1 text.
In order to be fully compliant by January 2025, firms will therefore need to develop an approach that looks at both level 1 and 2 requirements holistically. This will allow them to better identify the areas they can start working on now, as well as request further supervisory guidance where it is still needed in a timely manner (e.g., level 1 areas not covered by the standards that are not sufficiently clear/detailed).
Many firms already possess the capabilities necessary to comply with several of the DORA’s requirements. For instance, most regulated firms already have functions to manage outsourcing, report to regulators, etc. When building compliance with the DORA they should fully leverage their existing practices and capabilities, ensuring that no unnecessary duplication occurs.
In this context, it will be particularly important to build efficient internal reporting lines and leverage synergies as much as possible, especially around complex/time-consuming activities like renegotiating outsourcing contracts.
The DORA requires firms to combine new and existing capabilities under a shared resilience umbrella (e.g., ensuring coordination between practices like business continuity, third-party risk management, cybersecurity, etc.). All these related capabilities and functions should therefore not operate in silos whilst considering the design and implementation of DORA requirements.
Relevant standards: RTSs on ICT risk management framework and simplified framework (1st batch)
Key considerations: ICT risk management rules virtually lay a foundation for all other pillars, binding FS firms to introduce policies, procedures and security controls of a technical, organisational and physical nature. Getting this pillar right will therefore represent a key prerequisite for effective compliance with the rest of the DORA. The relevant RTSs are broadly aligned with other information security standards, such as NIST and ISO 27001:2022. The standards introduce an additional layer of obligations on top of the level 1 text and will be especially challenging for FS firms which were previously not subject to high levels of regulatory scrutiny.
No regret actions for FS firms:
Relevant standards: RTS on classification of major incidents and significant cyber threats (1st batch); RTS and ITS on content, timelines and templates on incident reporting (2nd batch); and Guidelines on aggregated costs and losses from major incidents (2nd batch)
Key considerations: this pillar presents itself as potentially less challenging than Pillars I & IV and will not be effectively tested until the actual occurrence of incidents and threats in the post-January 2025 period. Nevertheless, the standards will still likely require a significant portion of firms to adopt new technological tools (i.e., automated detection tools), recruit staff, and update/create new internal processes where necessary. The RTSs prescribe a higher degree of detail than comparable guidelines (e.g., EBA’s PSD2 reporting guidelines) and introduce additional prescriptive requirements in new areas, such as the voluntary cyber-threat reporting. Firms will have to engage in ongoing activities requiring the establishment of formalised processes for monitoring, remediation and post-incident analysis and learning.
No regret actions for FS firms:
Relevant standards: RTS on threat-led penetration testing (2nd batch)
Key considerations: resilience testing requirements apply to virtually all firms in scope of the DORA. However, existing TLPT obligations have a narrower scope and notifications will only be sent in the post-January 2025 period, making advanced testing not as pressing as Pillars I & IV. The RTS on TLPT closely resembles the TIBER-EU framework, simplifying compliance for firms that are already taking part in that framework. However, the secondary standard still has some notable differences (e.g., allowing the use of internal testers, introducing mandatory purple-team testing, etc.) and presents a ‘flexible’ scope that can be amended by each member state according to a variety of criteria. The active testing phase, which is expected to last at least 12 weeks, will make advanced testing a substantial effort for smaller firms.
No regret actions for FS firms:
Relevant standards: RTS to specify the policy on ICT services supporting critical or important functions (1st batch); ITS on Register of Information (1st batch); and RTS on subcontracting of critical or important functions (2nd batch).
Key considerations: together with Pillar I, Pillar IV poses the greatest compliance challenge for FS firms due to the limited timeframe available and the complexity and scale of implementation activities required. Even for firms that are fully compliant with existing guidelines (e.g., EBA’s guidelines on outsourcing arrangements), the secondary standards still introduce new compliance demands. For instance, secondary legislation introduces a broader scope for reviewing contracts that goes beyond outsourcing. This could capture a significant number of third-party arrangements per firm and affect global third-party arrangements agreed at the group level. Contracts will also be the main mechanism through which FS firms manage subcontracting obligations and firms will need to gather significantly more data for the register of information than under the existing EBA register. Supervisors are well aware of the challenges Pillar IV presents but still expect to see good progress on a best-efforts basis before January 2025.
No regret actions for FS firms:
Relevant standards: Delegated Act on designation criteria for critical third-party providers (CTPP); Delegated Act on oversight fees; RTS on oversight harmonisation (2nd batch); and Guidelines on oversight cooperation between ESAs and competent authorities (2nd batch)
Key considerations: Pillar V assigns new powers to supervisors, but the actual framework will only begin to be set in motion after January 2025. Although not necessarily new to resilience, designated CTPPs will still need to familiarise themselves with FS regulation and oversight. In this context, the secondary standards mostly focus on providing detail on how the supervisors’ new powers will be exercised in practice. This does not mean that they do not contain useful information for potential CTPPs though. For instance, the quantitative designation criteria form the baseline requirements but meeting them will not necessarily be enough to guarantee designation. The final decision will be based on a more holistic assessment of criticality, leaving a margin of discretion to the ESAs.
No regret actions for FS firms and potential CTPPs:
Despite nearing the finish line, the last year of DORA implementation still holds plenty of regulatory developments in sight. As regards secondary legislation:
Picture 2: DORA’s timeline
Additionally, some key questions still remain open, including:
The relatively short implementation timeline and the uncertainty around secondary legislation will make 2024 a challenging year for full implementation of the DORA. However, there are steps that firms can now take to ease the pressure around the implementation deadline. Navigating the secondary standards in a strategic manner is the key to start solving the DORA puzzle and – where gaps are still present – direct engagement with regulators and peers can help reduce uncertainty. In an environment where time and resources are limited, optimising the compliance effort will ensure that firms successfully hit the January 2025 deadline.
Deloitte can provide an overview of the regulation to the Board of Directors and other relevant teams/individuals including the introduction to the regulation, timeline, overview of the DORA’s five core pillars and key implications, upcoming important technical standards and next steps.
Deloitte can assess your current readiness and propose measures to meet the regulatory requirements while customising the remediation plan to your specific environment.
Deloitte can support you in the implementation of any remediation activities identified to ensure compliance with DORA regulations in line with the regulatory deadlines.
Deloitte can help you to stay on top of the regulatory agenda with its regulatory watch service and keep you up to date on the evolution of DORA and its related regulatory and implementing technical standards.