1. Need for more flexible and adaptable enterprise resilience strategies

We are seeing a move towards more flexible and adaptable enterprise resilience strategies and associated frameworks incorporating Digital Operational Resilience (DOR), Operational Resilience, ICT Third-Party Risk Management, Cyber, ICT Risk Management etc.

EU financial entities have begun to adjust their compliance programmes to account for the draft regulatory technical standards (RTSs) and implementing technical standards (ITS) in key areas such as:

• ICT Risk Management
• ICT Third Party Risk Management
• ICT Incident Management and Major ICT Incident Management

For entities that operate in several countries within and outside the EU, it may be a bigger challenge to adapt their Operational Resilience frameworks to align with the unique regulatory requirements from different countries. It is likely that we will see that entities may opt for a global Operational Resilience framework that efficiently encompasses all requirements (i.e. Operational Resilience, Digital Resilience, ICT Third Party Risk Management) into the one overall framework and aligned to an associated strategy.

2. End-to-end digital resilience testing programme

A step-up is required by many firms across the entire industry with regards to Digital Operational Resilience testing, particularly the advanced testing elements i.e. Threat-Led Penetration Testing (TLPT).

In order to meet the requirements, firms will be required to build out a single end-to-end programme that incorporates a much broader set of DOR testing capabilities (beyond the traditional scenario testing, testing of Business Continuity plans (BCPs) and testing of IT Disaster Recovery plans) to account for many different types of testing such as, for example, vulnerability assessments and scans, open source analyses, network security assessments, source code reviews (where feasible), compatibility testing and performance testing.

3. Deeper levels of assurance over ICT third-party providers (ICT CTPPs)

DORA’s scope includes ICT third-party providers and this recognises the interconnected nature of the financial industry nowadays – we’ve seen an increase in cloud adoption, for example.  Firms must assess the operational resilience of their ICT third-party providers and ensure that they meet the specified DORA requirements.  Another interesting trend we are already starting to see is some ICT TPPs using DORA as a competitive advantage for business.

ICT CTPPs will soon be formally confirmed, which will naturally bring a level of sensitivity given the prominence and significance of this designation by the European Supervisory Authorities (ESAs), namely, EBA, ESMA and EIOPA.  We can expect to start to see financial entities seeking to leverage this designation to gain deeper levels of assurance over their ICT CTPPs’ actual DOR capabilities, for example in areas such as ICT subcontracting, BCM/DR, data security etc.).

ICT TPPs are now trying to gain competitive advantage by showcasing a better compliance with DORA, essentially aligning with DORA expectations by demonstrating better resilience, testing capabilities and ICT fourth party management.

Overall, we will see an increase in resilience expectations in the European market.  For smaller entities, the cost of DORA compliance may outweigh the value, in which case there will be questions as to whether it’s worth it for such entities to continue operating in the EU financial sector.  It may mean that such entities eventually opt to exit the market to service a less heavily regulated market.

4. Alignment of ICT assets to Critical or Important Business Services

We will also see an extensive effort by entities to align their critical ICT assets and critical information assets to their critical business services (CBSs)/ important business services (IBSs) (from an Operational Resilience perspective).  DORA refers to the concept of “critical or important functions” (or CIFs) and firms are now starting to try to figure out how to best leverage their CBSs/IBSs for the purposes of DORA compliance and CIFs.  We will also see the importance of strengthening ICT Asset Management practices and establishing sound and up-to-date Configuration Management Databases (CMDBs) all the while ensuring clear linkage to CBSs/IBSs/CIFs.

5. Heightened regulatory inspections and supervision

Currently, the ESAs are establishing the Oversight Framework. This will incorporate Joint Examination Teams (JETs), whose role will be to independently assess the level of DOR within ICT CTPPs. The national competent authorities (NCAs) across the EU -here in Ireland this is the Central Bank of Ireland (CBI)) – will also play a pivotal role particularly around overseeing Threat-Led Penetration Testing (TLPT).

In summary, while DORA certainly introduces additional compliance requirements, and could potentially increase operational costs, its long-term benefits in terms of digital operational resilience, customer protection, and alignment with international standards make it a positive step for the financial services sector in Ireland.

It encourages the industry to adopt a forward-looking and proactive approach to digital resilience risk management. To thrive in this new landscape, continuous vigilance, adaptability, and proactive engagement with DORA’s requirements will be essential.

As the financial industry evolves, Ireland remains a key player in maintaining the stability and security of the European financial ecosystem.

At EY, we are continually monitoring developments in this area and will share insights and recommendations with our clients as we move forwards with this regulation.