Digital Operational Resilience Act – the countdown to go-live
Implementation deadline
Regulations implementing the requirements of the Digital Operational Resilience Act (DORA)1 are set to become effective from 17 January 2025, now just weeks away. DORA will seek to address information and communication technology (ICT) risk management within the financial services sector and to harmonise existing ICT risk management regulations across individual EU member states. It also aims to facilitate the oversight of ICT service providers.
These regulations, which were published in the Official Journal of the European Union on 27 December 2022, are supported by two sets of “technical standards,” namely Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). These technical standards were subject to public consultation, split into two batches, the first of which was finalised for submission to the European Commission (for adoption and subsequent publication in the Official Journal) on 17 January 2024 and the second of which was finalised on 17 July 2024. This has squeezed the available timeframe over which firms have been able to fully prepare for the new requirements, although some would argue that most of the broad brushstrokes of the requirements have been known for some time now. However, the detail is very important, and it is only when all of the requirements have been finalised that firms are able to fully assess their readiness.
Final elements
There are still a number of key regulatory components which remain pending or under review. For instance, the ITS on the information register was recently rejected by the European Commission, and both the RTS on subcontracting and Threat-Led Penetration Testing (TLPT) are still under scrutiny, with further delays expected in the case of the RTS on subcontracting.
The regulations set out criteria which firms need to use in order to determine whether or not they are subject to TLPT. For the avoidance of doubt, though, firms required to conduct TLPT will be notified by the Central Bank of Ireland (CBI) in the coming weeks. It is anticipated that approximately 30 financial entities in Ireland will be subject to TLPT.
The CBI has taken a pragmatic approach to implementation, encouraging firms to take what it considers to be reasonable steps as regards day-1 compliance with the new requirements, and placing a firm focus on understanding the gaps that will remain by 17 January next year. Not only will firms need to fully understand these gaps but they will also need to have well thought-out and realistic plans in place to address these gaps in a timely manner.
Depending on the severity of any issues identified, the CBI may take action, including enforcement action. However, its primary focus during 2025 will be on ensuring a high-quality implementation of DORA, prioritising thorough compliance over rushed or incomplete implementation.
The regulator has also been clear that compliance is not a one-and-done exercise. Instead, continuous review and improvement will be expected in order to further enhance digital operational resilience over time.
While helping to alleviate the immediate strain associated with day-1 compliance, this approach potentially poses heightened compliance and reputational risks for firms. What happens if there is a major ICT incident, for instance a cyberattack which disables key systems and compromises the firm’s ability to continue to service its customers, and it occurs between 17 January 2025 and the time at which full compliance is achieved? Worse still, what happens if the event in question arose as a result of one of the gaps that firms had identified prior to the implementation deadline? This is where it becomes critically important to have the right governance and risk management processes in place, and to ensure that all key stakeholders are fully aware of the risks being accepted in the event that significant gaps exist.
The CBI has confirmed that proportionality may be applied at the local entity level, allowing smaller entities within larger groups to be subject to more tailored, less stringent requirements based on their size and scale.
Mind the gap
Many of the remaining gaps at this stage are firm-specific. However, some common challenges are starting to emerge. One of them is the ability to implement network partitions, as required by the regulations, in order to appropriately segment a firm’s ICT network. With network partitioning in place, even if an attacker successfully breaches the firm’s cyberdefences, segmentation will restrict their access to isolated parts of the network, thereby limiting the potential damage they can inflict. DORA also requires certain specific contractual provisions to form part of third-party ICT outsourcing relationships. The process involved in identifying these contracts and the gaps in their wording, relative to the required contractual provisions, is a task not to be underestimated. Many firms with significant numbers of outsourcing relationships are struggling with the volume of work involved here, and already recognise that this work will continue well past the 17 January implementation deadline.
From our work with clients, there are several further challenges that firms are grappling with at present. Being crystal clear on their critical functions and the ICT systems and processes that support them is one key area. In cases where there is outsourcing of such ICT systems and processes, the extent of the look-through that needs to be applied (as regards sub-outsourcing) may also be unclear. This is true of both intragroup and external third-party relationships. In an Irish context, and against the backdrop of the Senior Executive Accountability Regime (SEAR),2 evidencing that reasonable steps have actually been taken in relation to DORA compliance—especially where full compliance has not been achieved by the formal implementation deadline—may also be a significant challenge.
What next?
A clear next step for all firms in their DORA implementation journey is to perform a thorough stock-take at this stage, to assess where exactly they are relative to the requirements. Identifying and recording the remaining gaps in a systematic way, along with ensuring that there is a detailed and well-documented implementation plan in place to address them in a timely manner, is of critical importance. In general, many firms are in a good position, but unless it is already clear that there is full compliance it will still be necessary to carry out such an assessment.
The clock is ticking!
1 The full text of Regulation (EU) 2022/2554 is available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554&from=EN.
2 The full text of the SEAR regulations is available at https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp153/sear-regulations.pdf?sfvrsn=c4f0631a_1.