Editorial

DORA RTS: Requirements for Digital Operational Resilience for Financial Entities

As the 17 January 2025 application date approaches, organisations are gearing up for significant changes. By now, firms should have completed most of the preparatory and foundational work and be in the final stages of fine-tuning and testing their compliance measures. Any gaps identified should be addressed promptly to ensure full compliance by January 2025, as failure to comply by this date can expose firms to sanctions, penalties and potential operational bans.

Contributor

Liam is part of the Dublin consulting team, with 6+ years’ experience in financial services across regulatory transformation, process improvement management and solution implementation.

Liam Pardoe
Managing Consultant

In this article, we will spotlight the crucial areas firms need to focus on as they progress towards DORA compliance. Governance and senior management accountability are central to DORA, and we'll explore the significance of these elements. We'll also provide an overview of the Phase 1 Regulatory Technical Standards (RTS), consider the Irish perspective, and reflect on the Central Bank of Ireland's (CBI) most recent opinions. Finally, we'll look ahead to what’s next, particularly with the successful submission of Phase 2 RTS in July 2024, as firms prepare for the imminent January implementation.

Consequences for senior management

Financial entities should be fully engaged in their DORA preparations. However, alongside ongoing stakeholder engagement across all affected areas of the business, firms must also increase their focus on senior management accountability, as governance is central to the new DORA regulation. Effective oversight should be established through informed and timely escalation at both the board and C-suite levels. Regular discussions at board and board risk committee meetings, as well as the appointment of board champions, are crucial tools in this regard. It is essential for senior management to embed DORA principles and focus on key outcomes. Given the substantial governance requirements under DORA, achieving compliance will require heightened awareness, a robust knowledge base, and comprehensive training for senior management.

Looking back at the Phase 1 RTS and their main components

The Phase 1 DORA regulatory technical standards, published in the Official Journal of the EU at the end of June 2024, provide financial entities with detailed requirements on:

  • Information and communication technology (ICT) risk management framework and tools.
  • Criteria for the classification of ICT-related incidents.
  • Policies for outsourcing and ICT services supporting critical or important functions.


We have provided an overview of the first phase of technical standards below. It is important for all in-scope firms to note that these technical standards supplement the requirements set out in the DORA regulation itself; they do not replace them.

1. The ICT risk management framework, the simplified framework and management tools

DORA mandates financial entities to establish a robust ICT risk management framework that underpins their digital operational resilience. Entities must review the framework at least annually, with microenterprises doing so periodically, as well as after major ICT-related incidents. The framework should encompass the consequences of non-compliance, ICT security roles and responsibilities, incident management, vulnerability remediation, and governance.

The RTS frames these requirements under an information security policy covering data protection, network security, and safeguards against intrusion and misuse. Required elements include:

  • ICT asset management, encryption, operational policies, and vulnerability management.
  • Network security, logging, secure information in transit, ICT project management, system acquisition and development, security awareness training, and physical and environmental security.

Business continuity is also critical and a key area of focus for all firms. Entities must have ICT continuity policies with recovery plans that:

  • Identify disruption scenarios.
  • Define activation/deactivation conditions.
  • Ensure availability, integrity, continuity, and recovery of ICT systems.

2. The criteria for the classification of ICT-related incidents

DORA's ICT incident reporting regime requires all identified "major incidents" to be reported to the competent authority. The classification criteria include:

  • Number of clients and transactions affected.
  • Data loss from critical services.
  • Reputation consequences.
  • Incident duration and downtime.
  • Geographical spread and economic impacts.

An incident is deemed major if it affects critical services and, in addition, either:

  • Involves malicious unauthorised access to network and information systems that may result in data loss; or
  • Meets the materiality thresholds for two or more of the above criteria.

3. The policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers

DORA requires rigorous management of third-party ICT risk. The RTS sets out what the policy on contractual arrangements must cover across the lifecycle of ICT services supporting critical or important functions. Key phases include:

  • Pre-Onboarding: Contract planning, governance, due diligence, approvals, and risk assessment.
  • Contractual Phase: Ensuring providers (and any subcontractors they rely on) meet decision-making, delivery, resilience, and financial soundness criteria.
  • Monitoring Phase: Ongoing governance and management of ICT service agreements.
  • Termination Phase: Detailed termination processes and exit strategies.


Financial entities remain fully responsible for managing ICT risk even where services are outsourced. The requirements align with existing guidance such as the CBI’s Cross-Industry Guidance on Outsourcing, ensuring:

  • Critical/Important outsourcing determination factors.
  • Third-party monitoring of subcontracted services.
  • Equivalent audit, information, and access rights for financial entities and authorities.


An Irish perspective

At an event held towards the end of June this year, Gerry Cross, Director of Financial Regulation, Policy and Risk at the Central Bank of Ireland (CBI), gave his view on the ongoing implementation of DORA. He identified five working principles guiding DORA’s implementation, namely momentum, pragmatism, quality, proportionality, and engagement. Below are some of the key takeaways we identified:

  • Momentum: Strong momentum is essential given the tight deadline for DORA’s application, 17 January 2025, and the urgency of addressing digital operational resilience.
  • Pragmatism: Emphasis on timely solutions over perfection, recognising that digital operational resilience requires a multi-year perspective. Practical implementation is needed, with concerns about short timelines acknowledged and a pragmatic approach taken to supervisory expectations.
  • Quality: Ensuring a high-quality regulatory framework with balanced and proportionate provisions. The framework encompasses risk management, third-party outsourcing and incident reporting. Stakeholder engagement is a crucial contributor to the quality of the framework.


Extensive stakeholder engagement must remain a vital part of the process through all consultations, and firms’ focus should stay there, alongside improved senior awareness and accountability. Lastly, oversight was touched on, including the establishment of a High-Level Group on Oversight to develop the operational aspects of overseeing critical ICT third-party service providers (CTPPs). Work is under way on the Joint Examination Teams (JETs) that will carry out this oversight under the coordination of the Lead Overseers.

What’s next…

The ESAs published their final reports on the Phase 2 DORA regulatory technical standards on 17 July 2024 and submitted them to the European Commission. These cover the following areas:

  • Estimation of aggregated annual costs and losses caused by major ICT-related incidents.
  • Elements related to Threat Led Penetration Testing (TLPT).
  • Subcontracting ICT services supporting critical or important functions.
  • Criteria for determining the composition of the joint examination team (JET).
  • Harmonisation of conditions enabling the conduct of the oversight activities.


Watch this space for more information on the impacts and crucial focus areas arising from the second-phase RTS, as we drive towards enhanced operational resilience and full compliance in early 2025.


In summary

As firms advance in their own compliance journeys, it is clear that robust governance will be key to successfully navigating the final stages of DORA implementation. The RTS provide a critical framework for firms to follow in ensuring digital operational resilience. The CBI continues to emphasise the importance of momentum, quality, and pragmatic solutions in meeting the tight deadlines. For firms, the benefits of compliance extend beyond regulatory adherence: a resilient operational environment is crucial in our increasingly interconnected world. Ensuring strong governance, accountability, and preparedness will position firms to thrive in this new regulatory landscape.

How Delta Capita can help

Delta Capita offers strategy consulting to support financial sector actors in designing, implementing, or assessing ICT risk programmes and compliance positions.

Delta Capita’s comprehensive offering spans the entire lifecycle of DORA regulatory compliance, from design and implementation to gap analysis based on the recently published RTS and readiness assessment.

Our services ensure effective and efficient risk management, enhancing digital operational resilience.

For more information, please contact Delta Capita.

  • Caroline O’Sullivan, COO Delta Capita, Ireland
  • Martin Hillier, Global Head of Project & Programme Delivery
  • Nick Wilcock, Risk SMF, Operational Resilience & DORA