Central Bank of Ireland (CBI) DORA Industry Event
6 November 2024
On 6 November, CBI held an “Industry Briefing” on the Digital Operational Resilience Act (DORA). The briefing was highly informative and included speeches from key figures such as Gerry Cross (Director of Financial Regulation – Policy and Risk, CBI and Chair of the European Supervisory Authorities (ESAs) joint committee on the implementation of DORA). Below is a high-level summary of the key themes from the event.
Pan-European approach
The CBI opened the event by providing a short synopsis of the work done to date at a pan-European level and the uniqueness of a joint mandate which DORA created between the three ESAs, with the input of over 30 national competent authorities (NCAs). The framework’s development was guided by five key principles: Momentum, Pragmatism, Quality, Proportionality and Engagement. These principles emphasised the importance of moving with the momentum of the fast-paced world, focusing on pragmatic and high-quality work, ensuring proportionality across all financial sectors and firms, and engaging closely with the whole financial services ecosystem.
CBI expectations ahead of DORA compliance deadline
The CBI emphasised that DORA will be legally binding from 17 January 2025 for all financial entities in scope. While it acknowledged that some elements of DORA are still in progress and that specific requirements in the Technical Standards are only now becoming clear, the CBI expects that financial entities have already made significant progress on DORA remediation and have laid much of the groundwork for implementation. This expectation rests largely on the CBI's view that the core requirements of DORA have been expected of financial entities for several years already, originating in other EU regulations and guidelines. The CBI will expect financial entities to have completed a comprehensive gap analysis, identified gaps and put plans in place to address them. The quality of the approach to DORA and to the gap analysis, along with the timely closure of gaps, will be the initial focus of the CBI's assessment of financial entities.
A key point on "Day 1 priorities" is that the CBI will expect core elements of DORA, such as ICT-related incident identification and reporting, to be implemented and in place ahead of 17 January 2025. Where remediation cannot be completed by the deadline, the CBI expects financial entities to have a prioritised remediation roadmap that addresses these core elements first.
In relation to the Register of Information (RoI), the CBI noted that this should be in place and fully populated by the compliance deadline. The RoI will be collected from each organisation annually through the CBI portal; the initial collection is expected in the first week of April 2025, with collections in early March in subsequent years. Validation checks will run on submission, with both "warning" and "blocking" rules in place, and any submission that triggers a blocking error will have to be re-submitted.
Threat-Led Penetration Testing
As part of the ESAs' engagement with organisations across the EU, concerns have been raised about the capability build-out required to meet the advanced TLPT requirements under DORA. The CBI intends to run a number of workshops on the topic over the coming months, with invitations to be extended in the coming weeks to organisations the CBI has identified as in scope for TLPT. As previously noted, this is expected to be approximately thirty (30) financial entities on the island of Ireland.
Transformation within the CBI
As well as financial entities changing their organisations as a result of DORA, the CBI provided an update on its own ongoing internal transformation and its approach to supervision going forward. The CBI acknowledged that the environment is evolving rapidly and that it must continue to evolve to be effective. Building on the strong foundations of the existing supervisory approach, the CBI will move to an integrated supervisory framework. The approach will work directly with the supervisors of banks, insurance companies and capital markets and will remain risk-based to ensure efficient and effective supervision. It will be supported by enhanced horizontal, cross-sectoral supervision, with enhanced teams dedicated to operational resilience. From January 2025, the CBI's ICT supervision will be conducted in line with DORA.
Oversight Framework
The CBI gave a brief update on the "ground-breaking and sophisticated" oversight regime for the to-be-designated critical ICT third-party service providers (CTPPs). The intention of the Oversight Framework is not that CTPPs become regulated firms or that the CBI supervises them, but that the ESAs collectively have oversight of them because of their "increasingly important and integrated role in the financial system". Key progress on this front came last month with the appointment of Marc Andries as Director of oversight, with a joint reporting mandate to all three ESAs.
Current status of DORA Technical Standards
An update was provided on the current state of DORA and its Technical Standards, as well as key scoping elements. Of the two batches prescribed by the European Commission, four of the five Batch 1 Technical Standards have been published in the Official Journal. The remaining one, the ITS on the Register of Information (RoI), was rejected by the EC on 3 September 2024, as confirmed by the ESAs on 15 October 2024. The three ESAs have responded to the EC on the rejection and the two sides are working together to get this ITS across the line. It is expected that the ITS will be re-released in early December 2024, together with an updated Excel template for the RoI aligned to the new draft ITS.
With regard to Batch 2 of the Technical Standards, the potential for delays has been raised, specifically for the RTS on subcontracting and on TLPT. The CBI noted that these standards may not be finalised and published in the Official Journal ahead of 17 January 2025, but financial entities are nonetheless expected to progress gap assessments and remediation in line with the draft versions.
National Competent Authorities in Ireland
DORA has a wide-reaching scope and affects 21 distinct entity types, of which the CBI will be responsible for supervising 12. A further five entity types (1. Central Securities Depositories, 2. Central Counterparties, 3. Securitisation Repositories, 4. Administrators of Critical Benchmarks and 5. Trade Repositories) are also in scope for DORA, but none of these currently has an authorised organisation active in Ireland. Further clarity was also given on Institutions for Occupational Retirement Provision (IORPs), which are in scope for DORA but are supervised separately by the Pensions Authority in Ireland. The ESAs will oversee Credit Rating Agencies and Data Reporting Service Providers.
CBI Inspection team’s expectations and approach
An overview was provided of the CBI Inspection team's expectations in relation to ICT Risk Management and ICT Third Party Risk Management. The team highlighted that financial entities must read the Level 1 Regulation and the Level 2 Technical Standards together to form a holistic view of the requirements, since each complements the other.
With regard to ICT Risk Management, the CBI expects that all organisations have completed a comprehensive gap analysis and that the fundamentals (such as a Digital Operational Resilience Strategy and an ICT Risk Management Framework) are in place, with provision for their annual review. The DOR Strategy should clearly set out a "bend but don't break" approach, backed by clear procedures, in particular disclosure procedures. Financial entities will be expected to have comprehensive testing programmes that take a risk-based approach reflecting the evolving threat landscape and the internal criticality of assets.
ICT Third Party Risk Management (TPRM) is another area of key focus for the regulator and supports the "bend but don't break" strategy reiterated throughout the briefing. Financial entities will again be expected to have a specific ICT TPRM strategy in place, which should state that intra-group arrangements are treated as ICT third-party arrangements for the purposes of DORA. The strategy should cover the full ICT third-party lifecycle, from pre-contractual arrangements through to exit and termination. Financial entities should also ensure they meet the requirement to designate a member of senior management responsible for monitoring the relevant contracts.
ESA RoI dry run update
The ESAs' RoI dry run exercise was of particular interest, with the CBI confirming that 31 Irish financial entities took part, spread evenly across the three main sectors (Banking, Insurance, and Wealth and Asset Management). The ESAs flagged data quality as a Europe-wide concern, with only 5% of submissions meeting the expected requirements. All participating Irish firms have received feedback on their submissions, along with a list of the general validation issues observed across the exercise. The ESAs will hold a workshop in December 2024 to go through the issues observed in the dry run.
Major ICT-related incident reporting
An update was provided on the requirements for major ICT-related incident reporting, how the CBI will manage this reporting and how it will act on the incidents reported. The CBI recognises that these requirements are new to many in-scope organisations, while for others they are an evolution of existing requirements. The CBI has sought to reduce the operational burden on entities submitting major ICT-related incident reports, acknowledging the time-sensitive nature of reporting and the work required to respond to the incident itself.
The CBI Portal will again be the reporting mechanism and will have two new return types: one for major ICT-related incident reports and one for significant cyber threats. The ESA templates will be the expected return format for the CBI, in keeping with the regulatory convergence DORA aims to achieve. The template will be an Excel file with dropdown boxes and validation built into the file itself. The final RTS and ITS on incident reporting were adopted on 23 October 2024.
Guidelines and "how to" guides on completing these return types will be made available by the CBI. Under the major ICT-related incident return, users will be able to select an initial notification (within 4 hours of classifying the incident as major), an intermediate report (within 72 hours of the initial notification), a final report (within 1 month) or a de-classification report where, on further review, the incident turns out not to meet the criteria for a major ICT-related incident.
Internally, the CBI supervisory teams and horizontal support teams will be notified of the submission and will assess and engage with the organisation as required. The CBI noted that supervisory actions may follow depending on the post-incident interactions with the organisation, which highlights the importance of having major ICT-related incident procedures in place and operating effectively ahead of 17 January 2025. The CBI clearly stated four specific expectations of financial entities by 17 January 2025:
- Implement an ICT incident management process to detect, manage and to notify stakeholders of ICT incidents including identifying their root causes.
- Report major incidents within the timelines and in line with the expectations in the RTS/ITS.
- Engage with CBI on major incidents in a proactive and transparent manner thereby allowing CBI to assess if wider systemic risks are present.
- Implement a system of continuous improvement with respect to incident management, incorporating lessons learned into Business Continuity Plans and wider risk management plans.
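The reporting sequence set out above (initial notification, then intermediate report, then final report, with de-classification possible along the way) is in practice a small state machine with cascading deadlines, and the fourth expectation above only works if each submission time is recorded. The following is an added example, not CBI or ESA code, showing how an incident response team might track it. It assumes the 4-hour, 72-hour and 1-month timelines stated above; it counts the final report's month from the intermediate report and applies a 24-hour-from-awareness cap on the initial notification, both of which come from the final RTS on incident reporting rather than from the briefing. The incident references and timestamps are constructed.

```python
"""Deadline tracking for DORA major ICT-related incident reports.

Added illustration, not CBI or ESA code. The 4h / 72h / 1 month timelines are
those summarised above; the 24-hour cap from the moment of awareness and the
counting of the final report's month from the intermediate report follow the
final RTS on incident reporting, not the briefing. All timestamps are constructed.
"""
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Report(Enum):
    INITIAL = "initial notification"
    INTERMEDIATE = "intermediate report"
    FINAL = "final report"
    DECLASSIFICATION = "de-classification report"


# Legal successors of the most recently submitted report (None = nothing submitted yet).
NEXT = {
    None: {Report.INITIAL},
    Report.INITIAL: {Report.INTERMEDIATE, Report.DECLASSIFICATION},
    Report.INTERMEDIATE: {Report.FINAL, Report.DECLASSIFICATION},
    Report.FINAL: set(),
    Report.DECLASSIFICATION: set(),
}


def add_one_month(dt: datetime) -> datetime:
    """Calendar-month addition with day clamping (31 Jan -> 28/29 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month, day=min(dt.day, monthrange(year, month)[1]))


@dataclass
class MajorIncident:
    incident_id: str          # hypothetical internal reference
    aware_at: datetime        # when the entity became aware of the incident
    classified_at: datetime   # when it was classified as major
    history: list = field(default_factory=list)  # [(Report, submitted_at), ...]

    def submitted_at(self, report: Report) -> Optional[datetime]:
        return next((t for r, t in self.history if r is report), None)

    def last_report(self) -> Optional[Report]:
        return self.history[-1][0] if self.history else None

    def deadline(self, report: Report) -> Optional[datetime]:
        """Due time for `report`; None if its prerequisite has not been submitted."""
        if report is Report.INITIAL:
            # 4h from classification, but never later than 24h from awareness.
            return min(self.classified_at + timedelta(hours=4),
                       self.aware_at + timedelta(hours=24))
        if report is Report.INTERMEDIATE:
            initial = self.submitted_at(Report.INITIAL)
            return initial + timedelta(hours=72) if initial else None
        if report is Report.FINAL:
            intermediate = self.submitted_at(Report.INTERMEDIATE)
            return add_one_month(intermediate) if intermediate else None
        return None  # a de-classification report carries no fixed deadline

    def submit(self, report: Report, at: datetime) -> bool:
        """Record a submission and return True if it was on time.

        Raises ValueError for an out-of-order report (e.g. final before intermediate).
        """
        if report not in NEXT[self.last_report()]:
            raise ValueError(f"{report.value} cannot follow {self.last_report()}")
        due = self.deadline(report)
        self.history.append((report, at))
        return due is None or at <= due

    def next_due(self) -> Optional[tuple]:
        """The next deadline-bearing report still outstanding, with its due time."""
        for r in (Report.INITIAL, Report.INTERMEDIATE, Report.FINAL):
            if r in NEXT[self.last_report()]:
                return r, self.deadline(r)
        return None


def run_example() -> dict:
    """Constructed timeline: aware at 08:00, classified as major at 10:00 on 20 Jan 2025."""
    inc = MajorIncident("INC-0001", datetime(2025, 1, 20, 8), datetime(2025, 1, 20, 10))
    out = {"initial_due": inc.next_due()[1].isoformat()}                       # 14:00 same day
    out["initial_on_time"] = inc.submit(Report.INITIAL, datetime(2025, 1, 20, 13, 30))  # True
    out["intermediate_on_time"] = inc.submit(Report.INTERMEDIATE, datetime(2025, 1, 23, 15))  # False
    out["final_due"] = inc.next_due()[1].isoformat()                           # 23 Feb 15:00
    # Late classification: the 24h-from-awareness cap overrides 4h-from-classification.
    late = MajorIncident("INC-0002", datetime(2025, 1, 20, 0), datetime(2025, 1, 20, 22))
    out["capped_initial_due"] = late.deadline(Report.INITIAL).isoformat()     # 21 Jan 00:00
    out["month_clamp"] = add_one_month(datetime(2025, 1, 31, 9)).isoformat()  # 28 Feb 09:00
    return out


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The intermediate report in the constructed timeline lands 90 minutes late because its clock starts from when the initial notification was actually submitted, not from when it was due; recording submission times, not just deadlines, is what makes that visible.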
Supervisory Expectations
From a supervisory perspective, the CBI will continue to apply a risk-based approach in which proportionality determines the frequency and type of engagement. The full range of on-site and off-site tools will be applied with a specific DORA lens, including at the point of authorisation for new and existing organisations. DORA may also form part of wider thematic reviews across organisations and sectors. The CBI's supervisory expectation for 2025 is that high-quality work has been completed and that organisations are proactive and open in their communications with the CBI.
Scope
The CBI has received a number of queries on scoping, such as whether Fund Administrators or Pension Administrators are in scope. The CBI pointed to Articles 2 and 3 of DORA, stating that organisations must consider their specific authorisations to decide whether, in their particular circumstances, they are in scope. It was, however, confirmed that organisations supervised in Ireland by the Pensions Authority are in scope for DORA.
ICT service definition
The definition of an ICT service, and the service types listed in Annex III of the ITS, were referenced. In short, ICT services with an ongoing service-provision element, as opposed to a "once-off" service, should be treated as in scope.
For services provided by other financial entities, it was discussed that these are out of scope provided the supplier is an EU financial entity already subject to DORA. If the service is provided by a supplier in a non-EU / third country (and therefore not itself in scope for DORA), it was discussed that the arrangement could be in scope for the RoI. Further clarification is expected from the ESAs in due course, so, as always, financial entities should await the official guidance and then react accordingly.
ICT Third Party Risk Management
The CBI expects organisations to have clear methodologies for identifying and defining the Critical or Important Functions (CIFs) of their specific business. Organisations must identify, classify and document their reliance on external ICT providers and review this annually. Following this, the ICT risks arising in relation to CIFs must be monitored, with strong oversight of the ICT third parties on which the supporting ICT systems rely.
Pre-approval Controlled Function (PCF) Roles and Individual Accountability Framework (IAF)
In response to a question from the audience, the CBI stated that it does not currently envisage a review of the existing PCF roles in light of DORA or the roles it defines. This follows a review exercise completed by the CBI this summer as part of the implementation of the Individual Accountability Framework (IAF).
Group and Local Firms
Questions arose on the implications for local and smaller entities and their relationship with larger, more mature Group entities. The CBI stated that proportionality still applies in such cases and that it envisages local entities benefiting from Group resources and centralised capabilities to cover DORA requirements at local level.
Designation of CTPPs
The panel envisaged that the designation of CTPPs would take place in the second half of 2025. Since designation depends on the collection and assessment of each financial entity's RoI, which will only take place in April 2025, there will be a knock-on effect on when the ESAs can complete this exercise.
Summary
In summary, the event was extremely informative and gives financial entities an understanding of the current state of DORA, the CBI's expectations of financial entities' approach to DORA, and what remediation must be prioritised ahead of 17 January 2025.
At this stage, the CBI expects that a comprehensive gap assessment is complete, with gaps in compliance documented and robust remediation plans in place. Financial entities should be focusing on ensuring that documentation such as the ICT Risk Management Framework, the Digital Operational Resilience Strategy and the relevant policies are in place and approved by the Board ahead of January 2025. Financial entities should ensure that they have implemented and sufficiently populated the Register of Information and are in a position to submit it to the CBI in early April 2025. Financial entities should also have implemented the requirements for ICT incident management and the reporting of major ICT-related incidents ahead of the deadline.