The Final Countdown to DORA Compliance
Whether they’re ready or not, financial entities operating in the EU will be required to fully comply with the extensive provisions of the EU Digital Operational Resilience Act (DORA) by 17 January 2025.
With less than six months to go until the deadline, this blog will focus primarily on the regulatory reporting requirements under DORA, while drawing on recent information collected at conferences and through publications from European regulators.
Background
DORA is a cross-sectoral regulation that introduces an EU wide regulatory framework on digital operational resilience where firms will need to ensure they can withstand and recover from Information and Communication Technology (ICT) related disruptions and threats. DORA also introduces an oversight framework for ICT third-party service providers regarded as “critical” (CTPPs).
The financial sector has grown increasingly dependent on ICT systems, resulting in vulnerabilities such as targeted cyber-attacks. With that in mind, DORA is designed to build on existing laws, including the General Data Protection Regulation (GDPR) and the Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive), to strengthen the IT security of financial entities and enhance their resilience to cyber events and technical failures. The Act is a complex piece of legislation with very prescriptive requirements. It outlines a specific set of criteria, templates and instructions that will shape how financial firms manage ICT and cyber risks.
The legislative text is supplemented by a set of technical standards and guidelines known as “Level 2” standards, which were released in two batches. The first batch was published on 17 January 2024 and is composed of 3 regulatory technical standards (RTS) and 1 implementing technical standard (ITS). The second batch was published on 17 July 2024 and is composed of 4 RTS, 1 ITS and accompanying guidelines. It is now up to the European Commission (EC) to review and adopt the Level 2 rules, although significant revisions are not expected.
Who is Affected?
It is estimated that DORA’s reach will extend to over 22,000 EU financial entities, including banks, credit institutions, central securities depositories (CSDs), insurance undertakings, crowdfunding service providers, crypto-asset service providers and managers of alternative investment funds, as well as ICT service providers deemed critical to in-scope entities. DORA’s framework is built around five key pillars:
- ICT risk management;
- management, classification and reporting of ICT-related incidents;
- digital operational resilience testing;
- third-party risk management; and
- information and intelligence sharing.
DORA will require financial entities to establish and implement a specific ICT-related incident management process to detect, manage and report ICT-related incidents, and to draw up a comprehensive plan for digital operational resilience testing. Some entities will also be obliged to conduct Threat-Led Penetration Tests (TLPTs). Among other things, firms will need to implement measures establishing backup policies and recovery methods.
Registers of Information
Financial entities will need to maintain and update details regarding their contractual arrangements with ICT third-party providers in a register of information. The ITS published in January 2024 sets out 15 mandated reporting templates totalling more than 100 required attributes, and includes relational keys outlining the end-to-end structure of the ICT systems supporting the in-scope entity’s business model. It is envisaged that the registers will be used by competent authorities and the European Supervisory Authorities (ESAs) to designate critical ICT third-party providers. At the meet-the-market Eurofilings Conference hosted in June 2024, representatives from the ESAs did not confirm exactly when the registers of information will need to be submitted, but highlighted that these reports are to be submitted in ‘plain CSV’ format. This will likely mean XBRL-CSV, considering the wider context of the European Banking Authority’s (EBA) implementation of a new data point model (DPM) 2.0 at the end of 2024 and its transition from the XBRL-XML reporting format to XBRL-CSV.
Preliminary reporting templates for the register were released in July 2024 as part of the EBA’s 3.5 taxonomy reporting framework. However, they are based on the draft ITS published in January 2024, which has not yet been adopted by the EC. Potential amendments to the technical package during the EC review will be reflected by the EBA in subsequent releases. Meanwhile, the ESAs published templates for a dry run exercise on the submission of registers of information, which will run until 30 August 2024, with feedback on the data collected and a ‘lessons learnt’ workshop envisaged for later in the year.
Incident Reporting
DORA also requires entities to report major incidents to their competent authority by submitting initial, intermediate and final reports using a pre-defined template. The ESAs published a final report containing draft technical standards on 17 July 2024 proposing that:
- the initial notification should be made within 4 hours of determining that the incident is major, but no later than 24 hours from when the financial entity becomes aware of the incident;
- the intermediate report should be made within 72 hours of submission of the initial notification; and
- the final report should be made no later than 1 month from submission of the intermediate report, with details about the root causes of the incident.
Adjustments to these reporting timelines were made following feedback on the initial draft, where several practitioners raised concerns about diverting attention away from actually resolving incidents. As part of their final report, the ESAs also published an ITS containing reporting templates, which include 59 reporting fields (down from 84 proposed in the initial draft) as well as 10 reporting fields (7 of them mandatory) for the initial notification.
Cost of Non-Compliance
DORA establishes substantial financial penalties for non-compliance. Firms could face periodic penalty payments of up to 1% of their average daily worldwide turnover in the preceding fiscal year, accruing for each day of non-compliance for up to 6 months.
International Outlook
Several national supervisory authorities are gearing up for DORA’s looming implementation. The German regulator, BaFin, recently published guidance on incident reporting and announced that it will scrap the previous requirements on IT security outlined in its Circular on Supervisory Requirements for IT in Insurance Undertakings (VAIT) in favour of DORA. BaFin’s actions may point towards a likely trend among local regulators to set out at a granular level what is expected in order to comply with the EU regulation.
Whilst DORA is not a UK regulation, it will apply to many UK firms, either because they are financial entities that offer their services in the EU or because they are ICT providers that provide services in the EU. To complicate matters, the UK is developing a new regime for critical third-party providers (CTPs). Whilst DORA arguably goes further in some respects, for example by setting out explicit requirements for the contractual agreements that financial entities need to establish with their third-party providers, it is expected that financial institutions operating across the UK and EU will need to navigate two regulatory regimes simultaneously.
Next Steps
It is important to note that changes to the Level 2 rules are still possible before they become binding, but it is unlikely that significant changes from the final draft will be introduced at this stage. The publication of the second batch of technical standards in July 2024 marks an important stage in the DORA roadmap, as it provides clarity to in-scope financial entities that are in the process of implementing the required changes.
We would encourage financial entities to intensify their efforts to comply with the necessary provisions by the 17 January 2025 deadline. This includes, among other things, establishing processes and systems to collect, validate, update and report the information required in the templates for the register of information on a regular basis.
ARKK is a specialist XBRL software and service provider with extensive experience in helping financial services firms meet their regulatory reporting requirements. ARKK has attended workshops and industry events to keep up to speed with the latest developments regarding the DORA implementation. Our team is eager to address your concerns about the new requirements and discuss how we can help to simplify the complexities of your regulatory reporting process.