ESAs publishes second sets of rules for the application of the Digital Operational Resilience Act (DORA)

  • 17 Jul 2024
  • Rebecca

To help organizations implement the Digital Operational Resilience Act (DORA)[1], the European Supervisory Authorities (ESAs) - the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) - conducted a public consultation on the second batch of policy mandates under DORA, the results of which have been published today.[2]

The guidance clarifies the reporting framework for ICT-related incidents, including the reporting process and templates, as well as threat-led penetration testing. It also introduces certain requirements for the design of the oversight framework.

On 28th June, Gerry Cross, Chair of the Joint ESAs Sub-Committee on Digital Operational Resilience gave a speech entitled “6-Months to DORA”[3] where he suggested that regulators were hoping to adjust timelines and content on incident reporting to provide more flexibility. He also said that based on feedback from organizations, materiality thresholds have been changed and the approach for recurring incidents was simplified to lower reporting burdens. Furthermore, regulators were looking to reduce reporting data fields to further reduce the burdens.

According to BCI research[4], practitioners have been raising concerns over the implementation of the DORA regulation since it was launched. One concern expressed by practitioners was the “need for more outreach from regulators”, specifically around the complexity and ambiguity of the text. Frustration was felt around the need to produce processes, frameworks, and analysis, such as demonstrating the ability to stay within impact tolerances. Practitioners felt the definitions provided were not clear, leaving them unable to understand or implement exactly what needed to be done. Some practitioners felt the feedback they had received was vague and, in some cases, direct questions were answered by merely quoting the legislation. In addition, during webinars, attendees were told specific questions would be answered in the FAQs, but they were omitted. The new technical standards aim to remedy this need for further guidance.

The guidance now contains the requirements for the content, timelines and templates for the reporting of major ICT-related incidents. In the past, reporting requirements have raised concerns among practitioners, where some felt DORA's reporting requirements were unrealistic, as they diverted resources away from resolving incidents. Conflicting regulations and multiple reporting templates created inconsistencies, adding complexity instead of streamlining the process. While the newly published standards address some of these concerns, their practical usefulness for entities implementing the guidelines remains to be seen.

Another issue concerning organizations was the relationship with critical third-party suppliers, a further topic covered by the new standards, which set out the detail behind subcontracting ICT services that support critical or important functions within a financial entity. Research showed that respondents felt third-party suppliers were not always aware of the new regulation and, when they became aware that they needed to comply, meeting the standards demanded of them added significant cost pressure. In some cases, this led to smaller organizations choosing not to work with financial services because it was not financially viable for them. At the other end of the scale, practitioners reported that larger suppliers could be slow or reluctant to provide information proving compliance. On this point, the Chair of the Joint ESAs Sub-Committee on Digital Operational Resilience stated that regulators were looking to reduce and rationalise the quantity of information required on third-party arrangements.

To address the abovementioned gaps, practitioners expressed their eagerness to see more testing and sharing of results. The new technical standards now also set out the requirements for conducting a threat-led penetration test. Cross also suggested that regulators were hoping to add clarity to the selection criteria for insurance and reinsurance undertakings on threat-led penetration testing (TLPT).

Cross’s speech may give practitioners high hopes for the near future. He indicated that the ESAs and authorities were looking at completing a dry run exercise so that financial entities can become familiar with the operation of the new templates.

Finally, the Chair of the Joint ESAs Sub-Committee on Digital Operational Resilience emphasised the need for continuing momentum, so entities could hit the deadline. Although he recognised that the co-legislators had set a tight end date for implementation, he explained that the regulations represented legal reality and that it was “outside the power of any ESA or competent authority to alter this fact.”

BCI research shows that practitioners have reservations over their state of readiness and what still needs to be accomplished by January. Fewer than half of respondents (44.4%) to the BCI Operational Resilience Report 2024[5] felt confident they would meet the deadline, and although regulations were considered a positive step, a number of issues were raised, most notably the short timeline highlighted in Cross’s speech.

The new technical standards may help to address practitioners’ concerns, but with only six months until the January deadline the pressure is on to comply. As Mr Cross concluded in his speech: “We have come a long way. We are largely on time. But there remains much to do.”

Citations

[1] The Digital Operational Resilience Act (DORA) aims to enhance the digital operational resilience of entities across the EU financial sector. It seeks to further harmonise key digital operational resilience requirements for all EU financial entities.
