DORA implementation is fast approaching, a reminder from European Central Banks

Gerry Cross, holding the position of Director of Financial Regulation, Policy and Risk at the Central Bank of Ireland, also serves as the Chair of the European Supervisory Authority’s Joint Sub-Committee on DORA Implementation.

In March 2023, Mr. Cross participated in an event jointly organised by Amazon Web Services, the European Fintech Association, and Insurance Ireland. During this event, he discussed DORA in his speech titled “Implementing DORA – Achieving enhanced digital operational resilience in European financial services.”

The Central Bank of Ireland has released the complete transcript of Mr. Cross’s remarks, from which the five key insights below are summarised:

The five key insights of complying with DORA

1. The Importance of Timely Compliance:
The DORA regulation takes effect from 17 January 2025. Mr. Cross emphasised that these tight deadlines are not arbitrary; they are a response to the urgency of addressing technology and cyber risks, which are among the top risks faced by the financial system. Waiting until January 2025 to comply would be missing the point, as these risks already exist today.

2. Proportionality in Compliance:
DORA is a cross-sector regulation applicable to all regulated financial firms. It aims to enhance technology and cyber risk management and resilience. Given the diverse range of firms it applies to, Mr. Cross stressed the importance of proportionality in complying with DORA, recognizing that different firms may have varying compliance requirements.

3. Progress on Regulatory Technical Standards:
Mr. Cross mentioned that the European Supervisory Authorities (ESAs) are working on more detailed “Regulatory Technical Standards,” which will undergo a consultation phase in the coming months. Firms need to stay updated on these standards and comply with their detailed requirements within timelines potentially as narrow as six months. These standards will cover areas such as: 

  • Risk management framework
  • The criteria for the classification of ICT-related incidents
  • The information register on outsourcing that firms must keep
  • Rules on outsourcing policies.

4. Familiarity with ICT Risk Management Principles:
Mr. Cross highlighted that many key ICT risk management principles and expectations on senior management have been in existence for about 20 years. The Technical Standards will build upon established frameworks like the NIST Cybersecurity Framework, which can guide compliance efforts to ensure the implementation of agreed-upon security measures.

5. Oversight of Critical Third Party Providers (CTPPs):
Under DORA, a new oversight regime for Critical Third Party Providers (CTPPs) has been established. CTPPs will not be directly regulated or supervised but overseen by regulators. The responsibility for outsourcing activities remains with the regulated financial entities, who must maintain a register of outsourced services.

These takeaways shed light on the significance of DORA, the need for prompt compliance, the importance of proportionate approaches, and the forthcoming regulatory standards that financial firms should prepare for.

Read the original post by Sam Glynn here or find more of our latest news posts here.

Talk to an expert

Have questions about this topic? We’ll convert them into answers. Open a chat or book a call with our experts.

Further articles