The EU’s Digital Operational Resilience Act (DORA) is nearing the finish line. It will have significant implications for financial services firms. We elaborate on the main aspects of the regulation (e.g., incident response, cyber risk management, etc.) and provide no-regret actions.
By Hugo Atzema and Noah Brandwijk
This article was written in collaboration with Deloitte’s EMEA Centre for Regulatory Strategy and their exhaustive analysis is published here.
The DORA sets the requirements for FS firms in the EU for cyber/ICT risk management, incident reporting, resilience testing, and third-party outsourcing. Additionally, it allows FS supervisors to oversee Critical ICT Third-Party Providers (CTPPs).
As part of Europe’s Fit for a Digital Age programme, the DORA is set to contribute to Europe’s digital transformation by harmonising regulations for the above-mentioned sectors in the EU. The European Parliament (EP) and European Council have started negotiations (“Trilogues”), the final step before DORA can be passed as a law. These talks, which are supposed to align the positions of the institutions, are expected to conclude by mid-2022.
EP and Council seek to grant a general implementation period of 24 months. However, there is disagreement on the implementation timeline for resilience testing requirements (the EP asks for a 36-month period, the Council is in favour of 24 months). We believe that firms should use a working assumption of a 24-month implementation period for all of the DORA’s requirements, running from H2 2022 to H2 2024.
We see several important takeaways from our analysis of where the Council and EP are aligned on the DORA, and where they differ. These are:
The DORA package delegates significant decision-making authority to the European Supervisory Authorities (ESAs). The Regulatory Technical Standards (RTSs) they draft will be crucial to understanding the full spectrum of requirements firms will face under the DORA.
The ESAs will only begin to draft these RTSs once the DORA is finalised later this year, and timelines for secondary rulemaking vary. Firms will therefore have limited clarity while they prepare for DORA implementation and the RTSs are still being finalised. Thus, firms need to assess and identify no-regret actions they can begin to take to prepare for the new rules. This is important because some technical rules on incident reporting and ICT risk management will be introduced later by the ESAs.
In our experience, preparing for the initial implementation of new rules has taken more time and resources than many firms anticipated; the actions that can be taken now should therefore be identified early.
In our view, several “no regret” actions that firms should be considering include:
As the DORA moves towards finalisation, firms need to be aware of the implementation challenges that will arise during the two-year window. Firms can stay on the front foot by taking a proactive approach and developing a realistic and achievable implementation plan.
[ii] As the DORA is cross-sectoral, Level 2 rulemaking will be done jointly by the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), often working in their Joint Forum composition.
[iii] European Supervisory Authorities, Public statement, ESAs welcome ESRB Recommendation on a pan-European systemic cyber incident coordination framework for relevant authorities.
[iv] European Central Bank, Banking Supervision, Statement regarding supervisory cooperation on operational resilience.