The Digital Operational Resilience Act (DORA)

At a glance

• The EU’s Digital Operational Resilience Act (DORA) recently entered the last year of its implementation period. Firms in scope only have a few months left to meet the challenging January 2025 compliance deadline.
• As we proceed further into the implementation period, secondary legislation containing much needed technical detail is being clarified. However, navigating these emerging and evolving requirements can be challenging.
• In this blog, we set out four key principles that financial services (FS) firms in scope of the DORA can use to navigate the secondary legislation in a way that simplifies their broader compliance work.
• We also provide a pillar-by-pillar view encompassing all secondary legislation made public so far, drawing out key considerations and outlining some no-regret actions firms can start working on right now.

Introduction and background

The EU’s DORA recently entered its final implementation year, which will end in January 2025. Firms in scope include almost all regulated firms within the financial services (FS) sector that operate legal entities in the EU, as well as ICT third-party providers designated as ‘critical’.

Compared to equivalent regimes – such as the UK’s principle-based operational resilience framework – the DORA presents a high level of prescriptiveness and a particularly challenging timeline. Although firms in scope were officially granted a two year-long implementation period, a good portion of the technical detail required to build effective compliance was not available right after entry into force of the DORA text.

As a matter of fact, the DORA delegates a significant set of key methodologies, thresholds and templates to secondary legislation. More specifically, the European Supervisory Authorities (ESAs) and the European Commission were mandated to draw up regulatory technical standards (RTSs), implementing technical standards (ITSs) and delegated acts (DAs) as follows:

Picture 1: pillar-by-pillar view of the DORA’s secondary legislation

The final text of the DORA divides secondary standards into two main batches respectively due to be submitted by the ESAs to the Commission by January 2024 and July 2024. If satisfied by the final drafts, the Commission has the power to adopt the standards, thus making them legally binding (if the Parliament and the Council raise no objections). The delegated acts are also due by July 2024. However, these only concern the pillar on critical ICT third-party providers and the Commission is primarily responsible for drafting and finalising them.

Despite allowing the ESAs to contribute to the regulation with their technical expertise, the secondary standards process is taking place throughout the implementation period of the DORA. This adds a further layer of complexity around implementation for firms in scope. On the one hand, they will not have complete certainty on what is required from them until secondary legislation gets fully adopted. On the other, waiting until finalisation of the standards may not leave enough time to complete implementation before the January 2025 compliance deadline. The ESAs – despite understanding the challenges implied by the DORA’s timeline – have made it clear that they do not have the official mandate to extend the implementation period any further, as it is already set out in law.

Being able to navigate the secondary legislation will therefore be of paramount importance for firms this year.

Four key principles to navigate the DORA’s level 2 (for FS firms)

1) Get the implementation sequencing right

The DORA imposes a set of legally binding requirements but does not clearly specify a sequence to implement them. This differs – for instance – from the UK’s operational resilience regime, which clearly outlines a step-by-step sequence to identifying and managing resilience on an ongoing basis. In the EU, firms therefore enjoy relative freedom in deciding the starting point for developing their resilience framework. Nevertheless, this does not mean that each pillar is completely independent and self-standing in relation to the rest of the DORA.

For instance, activities like mapping ICT systems, or defining critical or important functions (CIFs) are key pre-requisites that need to be fully completed before proceeding to other specific requirements. Much of the DORA’s obligations depend on these activities and yet only limited direction has been provided on them so far. For these reasons, identifying CIFs and mapping not only constitute the backbone to broader implementation but is also likely to be a time-consuming, as we saw from experience of UK firms’ implementation.

The interdependency between the DORA’s pillars (as set out in Table 1) will also inform the sequence of implementation activity – for instance – Pillar I forms a foundation for all other pillars. It would be hard to consistently and accurately classify, manage and report incidents without having an ICT risk management framework in place. Evaluation of new contractual requirements for ICT third parties – and their implementation in both new contracts and the current repository – also constitutes a vital piece of the puzzle that needs to be in place to ensure inclusion of relevant third parties in FS firms’ own resilience testing activities.

Additionally, sequencing should also be considered with the timelines for finalisation of the technical standards in mind. The first batch of secondary standards are closer to finalisation and less likely to change now relative to the second batch. Those standards also detail the requirements for implementing the core DORA ICT risk management pillar which is key to informing the other pillars such as incident reporting.

Firms have the option to tailor their implementation plans to their capabilities and resources (e.g., starting from areas where they already possess sufficient resources/expertise) but should still consider inter-dependencies between pillars and build in flexibility for areas where secondary legislation is still far from finalisation.

2) Prioritise wisely

Sequencing should be combined with effective prioritisation, especially when considering the DORA’s extensive remit and the limited amount of time and resources firms have at their disposal. Keeping this in mind, firms should start working on the most time-consuming areas as soon as possible. Third-party risk management rules will require each firm to carry out extensive work on renegotiating a significant number of contracts for instance. Additionally, some of the largest third parties may also get caught up in scope of the DORA themselves as critical ICT third-party providers, adding a further layer of complexity to the equation. Inadequate prioritisation (and related resourcing and effort) of this area now may present firms with higher costs at a later stage.

Different FS firms also find themselves at different levels of maturity. For instance, there is little doubt that a well-established regulated bank can more easily comply with the DORA’s resilience requirements (due to compliance with broader cyber resilience and third-party requirements) than newly regulated firms like crypto-asset-providers. Additionally, firms will face different levels of proportionality in the supervision applied to them depending on their size and systemic relevance. All these factors will influence the way firms prioritise implementation resources and effort.

Finally, firms should keep in mind that – even if the compliance deadline is less than a year away for DORA in its entirety – there is still a subtle distinction between requirements strictly due by January 2025 and those which will start applying from January 2025.

The critical third-party provider oversight regime is the prime example of the latter case. Active supervision will only begin after the compliance deadline, namely once the designations will actually begin to occur. All FS firms in scope of the DORA however will need to have their ICT risk management and third-party risk frameworks in place by the end of the implementation period.

Lastly, other obligations – such as incident reporting and advanced testing – will probably follow in the prioritisation. These will undoubtedly require implementation work in advance but will only begin to be effectively tested in practice after the compliance deadline, once ICT-related incidents will actually begin to occur and national threat-led penetration testing (TLPT) authorities will begin to send advanced testing notifications to FS firms in scope.

3) Develop a holistic view of level 1 & 2

Secondary legislation provides much needed detail on key practicalities required to comply with the DORA and firms should leverage it as much as possible. Nevertheless, they should also be conscious that level 2 only partially covers their DORA duties.

For instance, the RTS on TLPT only focuses on one method of testing mandated by the DORA. It is therefore not sufficient on its own to be fully compliant with the pillar on resilience testing, as this encompasses a broader set of activities that need to be carried out by all firms in scope of the DORA. In a similar fashion, the RTS on ICT risk management does not address all areas due to be developed under the framework mandated in the level 1 text.

In order to be fully compliant by January 2025, firms will therefore need to develop an approach that looks at both level 1 and 2 requirements holistically. This will allow them to better identify the areas they can start working on now, as well as request further supervisory guidance where it is still needed in a timely manner (e.g., level 1 areas not covered by the standards that are not sufficiently clear/detailed).

4) Avoid duplication and promote synergies

Many firms already possess the capabilities necessary to comply with several of the DORA’s requirements. For instance, most regulated firms already have functions to manage outsourcing, report to regulators, etc. When building compliance with the DORA they should fully leverage their existing practices and capabilities, ensuring that no unnecessary duplication occurs.

In this context, it will be particularly important to build efficient internal reporting lines and leverage synergies as much as possible, especially around complex/time-consuming activities like renegotiating outsourcing contracts. The DORA requires firms to combine new and existing capabilities under a shared resilience umbrella (e.g., ensuring coordination between practices like business continuity, third-party risk management, cybersecurity, etc.). All these related capabilities and functions should therefore not operate in silos whilst considering the design and implementation of DORA requirements.

Pillar-by-pillar overview

Pillar I – ICT risk management

Relevant standards: RTSs on ICT risk management framework and simplified framework (1st batch)

Key considerations: ICT risk management rules virtually lay a foundation for all other pillars, binding FS firms to introduce policies, procedures and security controls of a technical, organisational and physical nature. Getting this pillar right will therefore represent a key prerequisite for effective compliance with the rest of the DORA. The relevant RTSs are broadly aligned with other information security standards, such as NIST and ISO 27001:2022. The standards introduce an additional layer of obligations on top of the level 1 text and will be especially challenging for FS firms which were previously not subject to high levels of regulatory scrutiny.

No regret actions for FS firms:

• Conduct a gap assessment to understand areas which will need to be addressed.
• Establish a clear roadmap of activities and assign them to responsible teams in the organisation.
• Estimate the time required to close gaps identified, deadline, criticality and complexity of each activity and allocate appropriate resources.
• Map dependencies with other risk reduction programmes/initiatives in the organisation to avoid duplication with other ongoing projects which are already addressing some of DORA’s requirements.

Pillar II – incident classification, management and reporting

Relevant standards: RTS on classification of major incidents and significant cyber threats (1st batch); RTS and ITS on content, timelines and templates on incident reporting (2nd batch); and Guidelines on aggregated costs and losses from major incidents (2nd batch)

Key considerations: this pillar presents itself as potentially less challenging than Pillars I & IV and will not be effectively tested until the actual occurrence of incidents and threats in the post-January 2025 period. Nevertheless, the standards will still likely require a significant portion of firms to adopt new technological tools (i.e., automated detection tools), recruit staff, and update/create new internal processes where necessary. The RTSs prescribe a higher degree of detail than comparable guidelines (e.g., EBA’s PSD2 reporting guidelines) and introduce additional prescriptive requirements in new areas, such as the voluntary cyber-threat reporting. Firms will have to engage in ongoing activities requiring the establishment of formalised processes for monitoring, remediation and post-incident analysis and learning.

No regret actions for FS firms:

• Define and implement an ICT incident and cyber threat identification and management process (based on the criteria identified in Article 18 DORA).
• Identify a list of "critical services" and map out interdependencies between these, the underlying processes and related assets. Establish a specific internal taxonomy by January 2025.
• Create an internal process for analysing the root cause of all ICT incidents, including minor ones, and a mechanism for identifying correlation between them (as the sum of them could determine an incident as "major").
• Create a structured incident communication plan, both internal and external.

Pillar III – resilience testing

Relevant standards: RTS on threat-led penetration testing (2nd batch)

Key considerations: resilience testing requirements apply to virtually all firms in scope of the DORA. However, existing TLPT obligations have a narrower scope and notifications will only be sent in the post-January 2025 period, making advanced testing not as pressing as Pillars I & IV. The RTS on TLPT closely resembles the TIBER-EU framework, simplifying compliance for firms that are already taking part of the framework. However, the secondary standard still has some notable differences (e.g., allowing the use of internal testers, introducing mandatory purple-team testing, etc.) and presents a ‘flexible’ scope that can be amended by each member state according to a variety of criteria. The active testing phase, which is expected to last at least 12 weeks, will make advanced testing a substantial effort for smaller firms.

No regret actions for FS firms:

• Analyse designation criteria for TLPT requirements and engage with national authorities to understand the likelihood of getting notified.
• If likely to be captured in scope of the TLPT obligation and if the firm is familiar with penetration testing, conduct a gap analysis with current testing practices and ensure current testers satisfy relevant prerequisites. If unfamiliar with penetration testing, train/hire internal staff to align with DORA requirements and or recruit testers with experience that meets the criterion for DORA-level capability.
• When engaging with third-party providers under Pillars IV and V, ensure their willingness to participate in TLPT where applicable and check with them whether they intend to rely on the pooled testing option.

Pillar IV – third party risk management

Relevant standards: RTS to specify the policy on ICT services supporting critical or important functions (1st batch); ITS on Register of Information (1st batch); and RTS on subcontracting of critical or important functions (2nd batch).

Key considerations: together with Pillar I, Pillar IV poses the greatest compliance challenge for FS firms due to the limited timeframe available and the complexity and scale of implementation activities required. Even for firms that are fully compliant with existing guidelines (e.g., EBA’s guidelines on outsourcing arrangements), the secondary standards still introduce new compliance demands. For instance, secondary legislation introduces a broader scope for reviewing contracts that goes beyond outsourcing. This could capture a significant number of third-party arrangements per firm and affect global third-party arrangements agreed at the group level. Contracts will also be the main mechanism through which FS firms manage subcontracting obligations and firms will need to gather significantly more data for the register of information than under the existing EBA register. Supervisors are well aware of the challenges Pillar IV presents but still expect to see good progress on a best-efforts basis before January 2025.

No regret actions for FS firms:

• Map out all CIFs and then identify all ICT third-party services supporting the business and determine which contracts support CIFs.
• Conduct a gap analysis of existing contracts against the DORA’s subcontracting requirements and develop a remediation plan and related timelines to address any gaps.
• Begin drafting and negotiating addendums to satisfy DORA requirements, prioritising CIFs. Engage third parties to obtain information necessary for the register of information.
• Maintain an ongoing dialogue with supervisors on progress in updating contracts. This will help to form a view on supervisory expectations around what would be deemed as acceptable best efforts, ahead of the January 2025 compliance deadline.

Pillar V – ICT critical third-party oversight

Relevant standards: Delegated Act on designation criteria for critical third-party providers (CTPP); Delegated Act on oversight fees; RTS on oversight harmonisation (2nd batch); and Guidelines on oversight cooperation between ESAs and competent authorities (2nd batch)

Key considerations: Pillar V assigns new powers to supervisors, but the actual framework will only begin to be set in motion after January 2025. Although not necessarily new to resilience, designated CTPPs will still need to familiarise themselves with FS regulation and oversight. In this context, the secondary standards mostly focus on providing detail on how the supervisors’ new powers will be exercised in practice. This does not mean that they do not contain useful information for potential CTPPs though. For instance, the quantitative designation criteria form the baseline requirements but meeting them will not necessarily be enough to guarantee designation. The final decision will be based on a more holistic assessment of criticality, leaving a margin of discretion to the ESAs.

No regret actions for FS firms and potential CTPPs:

• For FS firms, reach out to potential CTPPs before 2025 as part of the information gathering process for the register of information and contract renegotiation effort.
• For potential CTPPs, initiate/leverage existing dialogue to get visibility over the way FS firms employ services in practice and if these concern CIFs.
• For potential CTPPs, be mindful of comparable regimes in other non-EU countries (e.g., UK) and think about a coherent geographical strategy for setting up subsidiaries and providing services across different European jurisdictions.

Next steps and open questions

Despite nearing the finish line, the last year of DORA implementation still holds plenty of regulatory developments in sight. For what concerns secondary legislation:

• First batch: the ESAs’ final drafts were submitted to the Commission for review in January and were adopted on 13 March 2024. The time required before publication in the EU’s Official Journal can vary depending on whether any amendments/objections are raised by the Council and the Parliament or not. The first batch of technical standards is estimated to get published in the EU’s Official Journal by the first half of 2024 in a best-case scenario.
• Second batch: the period for submitting feedback to the ESAs’ consultations on the batch closed on 4 March 2024. The ESAs will now have to review comments and submit a final set of drafts to the Commission by no later than July 2024. These are likely to be finalised by the fourth quarter of 2024. The ESAs also plan to run an additional targeted consultation in April for a missing RTS on the Joint Examination Team for CTPPs.
• Delegated acts: the Commission adopted its draft delegated acts in February 2024. Publication in the EU’s Official Journal is expected to follow soon.

Picture 2: DORA’s timeline

Additionally, some key questions still remain open, including:

• The supervisory approach for the DORA is still not clear. Relevant authorities have still not released any public information on how they intend to manage the post-January 2025 period. This raises a question around any further publications being potentially released over the remainder of the current year (e.g., guidelines or best practices documents).
• The designation criteria for areas of the DORA like CTPPs and TLPT are now clearer. That said, the criteria do leave room for regulatory discretion to capture firms. Firms that find themselves at the limits of these thresholds should look out for further information, either in the form of further publications on the supervisory approach or through direct engagement with the relevant supervisors, both at EU and national level.

Conclusion

The relatively short implementation timeline and the uncertainty around secondary legislation will make 2024 a challenging year for full implementation of the DORA. However, there are steps that firms can now take to ease the pressure around the implementation deadline. Navigating the secondary standards in a strategic manner is the key to start solving the DORA puzzle and – where gaps are still present – direct engagement with regulators and peers can help reduce uncertainty. In an environment where time and resources are limited, optimising the compliance effort will ensure that firms successfully hit the January 2025 deadline.

We would like to thank Georges Gehchan, Lanna Cengic, Gabriele Manganaro, Laura Liotino, Susanna Savarese, Enrico Decataldo, Gavin Simmonite, Dominic Huxford, Simon Moorcroft, Sonia Verbeeck, Anastasia Broder, and Lucy Watson for their contributions.

Andrea Radu Partner, Risk Advisory, Belgium, DeloittePeter BirgerssonPartner, Risk Advisory, Sweden, DeloitteGianfranco TessitorePartner, Risk Advisory, Italy, Deloitte