Introduction
In this note, we take a look at some of the key aspects of the Digital Operational Resilience Act (DORA)1 as firms begin to ramp up their preparations for the implementation of the new requirements. In particular, we consider the key pillars of the regulations, how DORA links in with the recently implemented (and more general) operational resilience requirements of the Central Bank of Ireland (Central Bank), what steps firms should already be taking towards implementation and what challenges are likely to arise as they navigate this journey.
What is DORA?
In the words of Gerry Cross, chair of the Joint European Supervisory Authorities Sub-Committee on digital operational resilience, “DORA is a cross-sector regulation, applying to all regulated financial firms. It aims to mitigate technology and cyber risk by enhancing firms’ technology and cyber risk management and resilience. It creates a regulatory framework whereby all firms need to make sure they can withstand, respond to and recover from ICT-related disruptions and threats, including of course cyber attacks.”
The primary objective of DORA is to address Information and Communication Technology (ICT) risk management within the financial services sector and to harmonise existing ICT risk management regulations across individual EU member states. It also aims to facilitate the oversight of ICT service providers. Published in the Official Journal of the EU on 27 December 2022, the DORA regulations2 are expected to be fully applicable from 17 January 2025. These regulations specifically focus on areas such as ICT risk management, ICT-related incident reporting and third-party risk management, and are supported by a number of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). These technical standards are being released in two phases, with the first having been released on 17 January 2024, and the second scheduled for release on 17 July.
How does it apply to (re)insurers?
The provisions of DORA are applicable to insurance and reinsurance undertakings, with the exception of those outlined in Article 4 of Directive 2009/138/EC3 (i.e., (re)insurers that do not fall within the scope of the Solvency II Directive). Under DORA, these undertakings must create an ICT risk management framework, keep a detailed record of information on all ICT-related contracts, report significant ICT issues and carry out digital operational resilience testing, among other responsibilities. Certain exemptions exist within the regulations. For instance, some (re)insurers may only need to establish a simplified ICT risk management framework, if it is proportionate to do so. Microenterprises may benefit from further simplifications specified in the regulations.
What are the key pillars of the new requirements?
Figure 1: Key pillars of DORA
The DORA requirements can be broadly categorised into five key pillars: ICT risk management, managing ICT third-party risks, reporting of ICT-related incidents, testing of digital operational resilience and information sharing.
ICT risk management
This pillar of the regulation details specific requirements for the ICT risk management framework, including the strategies, policies, procedures, ICT protocols and tools that must be incorporated. Responsibility for the framework is assigned to the undertaking’s management body (i.e., its board of directors). While most of the DORA requirements sit with (re)insurers’ IT teams, the risk function will need to be involved in integrating ICT risk management into companies’ existing risk management frameworks.
ICT third-party risk management
Integrating third-party risk management into the company's ICT risk management framework is crucial. Financial entities are required to conduct a comprehensive assessment before entering into contractual arrangements for ICT services. This involves evaluating whether the contract covers the use of ICT systems or processes linked to the delivery of critical or important functions, ensuring compliance with supervisory conditions and identifying and addressing potential risks, amongst other considerations. Firms must also complete a register of information in relation to all contractual agreements.
ICT incident management and reporting
ICT incident management and reporting forms an integral part of a firm’s ICT risk management framework. Firms must classify incidents and report all “major” incidents to their relevant supervisory authority. A “major” incident is defined by the regulations as “an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity.” In the case of a “major” ICT-related incident, firms will be required to provide an initial notification to the authorities, an interim report detailing progress in resolving the incident and a final report that analyses the root causes of the incident. Many (re)insurers already have incident management and reporting processes in place for ICT incidents, but a common definition of a “major” incident is something new and the definition may be wider than current individual risk reporting requirements set out in companies’ risk appetite statements.
Operational resilience testing
Similar to ICT risk management and reporting, digital operational resilience testing is a crucial part of the company's overall ICT risk management framework. Financial entities are required to conduct testing on their ICT systems once a year to assess the effectiveness of their digital operational resilience. These assessments should encompass suitable tests, including gap analyses and vulnerability assessments. Larger firms are also required to conduct Threat-Led Penetration Testing (TLPT) every three years. Many companies may already be carrying out some form of regular testing of digital operational resilience, though changes may be required to meet the exact requirements of DORA.
Information sharing
DORA promotes information sharing, although it is not obligatory. For example, the exchange of cyber threat information and intelligence is encouraged, particularly where it is directed towards enhancing the digital operational resilience of a firm. This exchange should occur within trusted communities and be formalised through structured information-sharing arrangements. However, any sharing of such information amongst firms necessitates notification to the relevant supervisory authorities.
How does DORA link into operational resilience?
The Central Bank’s cross-industry guidance on operational resilience4 (the “operational resilience guidance”) came into effect in December 2023. The aim of this guidance was to “enhance operational resilience and recognise the interconnections and interdependencies, within the financial system, that result from the complex and dynamic environment in which firms operate” and to complement and support existing sectoral legislation, regulations and guidance in this area.
It is clear from the Central Bank’s commentary within its operational resilience guidance that it was developed with DORA in mind, explicitly calling out that “the operational resilience landscape is evolving with new standards and consultations being proposed and/or published across multiple jurisdictions” and stating, specifically, that the operational resilience guidance “is in line with international best practice and compatible with/complementary to DORA.”
Guideline 9 of the operational resilience guidance calls out that “a firm should have ICT and Cyber Resilience strategies that are integral to the operational resilience of its critical or important business services.” Amongst other requirements, this particular guideline states that “a firm should ensure that its information and communication technology is robust and resilient and is subject to protection, detection, response and recovery programmes in line with industry best practice.” This is where DORA and the more general operational resilience requirements overlap, as DORA will come to represent industry best practice in relation to digital operational resilience once it has been fully implemented.
What steps can firms take at this time?
With under a year now remaining before the DORA regulations come into effect, it is expected that many firms will already have plans in place for achieving compliance with the new requirements. Although the second batch of ITS has yet to be published, there is certainly sufficient clarity on the vast majority of requirements at this stage to allow preparatory work to continue apace. Any changes between the draft and final versions of the second batch of ITS can be factored into implementation programmes during the second half of the year.
In addition to having formulated implementation plans, firms should ideally have started working through these plans by now—for example, completion of an analysis of existing policies, strategies, test plans and any other relevant documentation relating to ICT—in order to create an inventory of what is already in place. This is because much of what is formally required under DORA should be, at least to some extent, already in existence. DORA does not aim to reinvent the wheel, so to speak, but to formalise and augment what firms already do.
Comparing this inventory with the detailed requirements set out under DORA will facilitate identification of the gaps, both in terms of the component parts of this inventory as well as the specific details included within each element of it. So, for example, firms need to ensure that any specific risk management policy that is required under DORA exists, and, for each such policy, that it contains all of the specific items of detail required by DORA. Gap analyses will also identify any new requirements, e.g., processes concerning the reporting of major ICT incidents, which have now been introduced. This can happen concurrently with the drafting of an overarching “sound, comprehensive and well-documented ICT risk management framework.”
For those firms that are already at a stage where they are addressing gaps, attention can begin to turn to the development of test plans (where applicable) and towards implementation of the new reporting requirements that have been specified under DORA.
What challenges are likely to arise?
Starting early should help to mitigate the challenges that are likely to arise in connection with DORA implementation. Resource requirements, in particular, may be quite significant, depending on the extent of the gaps that are identified relative to the new requirements. Clearly, starting sooner rather than later will help to alleviate any such strain. Implementation projects are also likely to be cross-functional, despite the obvious focus on teams involved in supporting information and communications technology. Legal teams, operations teams, the risk team and internal audit as well as other stakeholders will need to collaborate in order to satisfy the new requirements and to give boards of directors the necessary assurance that everything has been satisfactorily addressed. For some, this will represent a significant workload against the backdrop of quite a tight timeframe.
As noted earlier, the second batch of ITS/RTS has not yet been finalised, so this will mean a choice between pushing ahead now based on the draft text (with the potential for at least some rework later in the year) or waiting until the relevant text has been finalised (with the consequential shortening of the remaining implementation timeframe). Clearly, either approach is possible, though each will bring its own challenges, so it is important to decide on a course of action now and, accordingly, factor this into project plans.
1 Official Journal of the EU (14 December 2022). Directive (EU) 2022/2556. Retrieved 7 February 2024 from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2556&from=EN.
2 Official Journal of the EU (14 December 2022). Regulation (EU) 2022/2554. Retrieved 7 February 2024 from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554&from=EN.
3 Official Journal of the EU (25 November 2009). Directive 2009/138/EC. Retrieved 7 February 2024 from https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:335:0001:0155:EN:PDF/.
4 Central Bank of Ireland (December 2021). Cross Industry Guidance on Operational Resilience. Retrieved 7 February 2024 from https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp140/cross-industry-guidance-on-operational-resilience.pdf.