The Digital Operational Resilience Act (DORA) starts to apply in January 2025, less than a year away, and firms are still trying to get their heads around the EU's mammoth IT regulation.
In Brussels, one payments expert recently referred to 2024 as “the year of implementation”, as new proposals are unlikely to come out in an election year.
Rather, firms will be preparing for regulation such as DORA and the EU's Markets in Crypto-Assets regulation (MiCA) to start to apply.
Work on DORA has been moving forward, both at EU-level and in the member states, with the Netherlands and Malta among those that have recently published consultations on implementation.
On January 17, the European supervisory authorities (ESAs) released the first collection of final draft regulatory technical standards (RTS), which will now need to be approved by the European Commission.
“The regulatory framework is further taking shape now,” commented Simone Giordano, a partner at De Matteis Law, noting that these technical standards revolve around:
- ICT risk management and simplified ICT risk management.
- Classification of ICT incidents.
- Policies on ICT services supporting critical or important functions.
- Templates for financial entities’ registers of contracts with ICT third-party providers.
“Although the first set of draft final RTS were only published last week, the previous iterations of those standards have been very helpful for firms in understanding how their DORA obligations should be understood and operationalised,” said Edward Machin, counsel at Ropes & Gray.
In particular, Machin said that the technical standards on ICT risk management frameworks and the register of information give organisations detailed guidance and template documentation that will form an important part of their compliance strategies in the coming months.
“Of the RTS that are still out for consultation, firms should watch closely for the final guidance on determining time limits for reporting major incidents, which, if the position under the consultation remains, will involve timelines that are shorter and more involved than under the GDPR,” he said.
This followed the publication on December 8 of the second batch of DORA RTS, which are out for consultation until March 4 and cover:
- RTS and ITS on content, timelines and templates on incident reporting.
- Guidelines on aggregated costs and losses from major incidents.
- RTS on sub-contracting of critical or important functions.
- RTS on oversight harmonisation.
- Guidelines on oversight cooperation between ESAs and competent authorities.
- RTS on threat-led penetration testing (TLPT).
“The release of the consultations is very good news as this way, financial entities can have a holistic and complete view of the RTS,” he said.
“EU authorities have managed to make sure that notification requirements are very much aligned with the central reporting requirements under the NIS2 Directive,” said Giordano. “This already very good alignment could result in less work for financial entities.”
Tight deadlines will spark compliance issues
However, Simon Treacy, senior associate at Linklaters, pointed out that the finalisation of the legal requirements will be challenging for firms to process.
“You can see how there is a significant number of RTS that will only be finalised six months before DORA starts to apply,” said Treacy. “That has the potential to complicate firms’ implementation of the framework.”
Treacy, whose focus includes payments and fintech firms, said that the reality of the ESAs' work so far is that the requirements are very prescriptive.
“The Level 1 prescriptiveness has extended into the technical standards. This could be daunting for firms to implement given the level of detail that these standards are going to,” he said.
Treacy pointed out that although there is a lot of information in the Level 1 text, day-to-day compliance will be dictated by technical standards that are in some cases still being developed.
“You have to work based on the consultations, but be flexible enough to recognise that you are looking at a draft text that could change to either become more or less onerous,” said Treacy.
“My view is that these are open opportunities for the industry to cooperate with ESAs, and provide industry feedback.”
Preparing to comply
At member state and EU level, this sort of cooperation is happening, whether via regulators or through trade associations.
“Regulators and trade associations are holding industry roundtables and meetings,” said Giordano. “This means that there is much more awareness and more banks and other entities are taking it seriously.”
Giordano explained that, as a very impactful piece of legislation, DORA is likely to demand a lot from financial entities’ compliance and policy staff.
“The rules currently set out in DORA are quite high level and there are different mandates in the RTS. This depends on the operational resilience that banks already have,” he said.
“Many larger banks may already have a lot of investment in this space, whereas smaller institutions, like payment and e-money institutions, could have to make more effort to comply.”
Machin agreed, stating that the extent to which organisations will find DORA challenging to comply with depends in part on the strength of their existing compliance programme.
The London-based lawyer said that the “core DORA obligations” — ICT risk management, operational resilience, breach reporting and third-party contracting — are similar in places to those under the General Data Protection Regulation (GDPR).
“Organisations can leverage their GDPR compliance programme to avoid starting from scratch on DORA,” he said. “However, there are a number of important differences between the laws which mean that DORA preparation should not be underestimated.”
For example, in-scope entities’ contracts with third-party suppliers will need to be amended to reflect DORA requirements. “Banking and payments firms should map their vendors and then conduct what is likely to amount to a significant contractual re-papering exercise.”
In addition, unlike the GDPR, DORA explicitly requires management to have responsibility for overseeing their organisation’s compliance, and imposes civil, and potentially criminal, liability for board members’ failure to do so.
“For that reason, firms should put DORA on the board’s radar as soon as possible, which will also need to involve board training and ensuring active engagement by management in understanding their organisation’s ICT risk profile and reviewing and approving policies and procedures on an initial and rolling basis,” he said.