Financial Services Ireland

DORA Roundtable – 26 September 2024: Summary of Key Updates



Introduction

With under four months until the Digital Operational Resilience Act (DORA) applies, many questions remain unanswered. EY, along with the Central Bank of Ireland (CBI), technology leaders and financial services industry leaders, convened to discuss the challenges organisations face in meeting these regulatory requirements. Below is a brief overview of the key updates, challenges, and opportunities that emerged during the discussion.

Challenges Around Remaining Technical Standards

A major concern for the industry is the delay in finalising the remaining Technical Standards, which await European Commission (EC) approval. To date, only 3 out of 9 standards have been fully approved. With the January deadline looming, organisations find themselves in a challenging position. Most are moving forward with draft standards, but any significant changes in the final versions could have a major impact on their ability to comply with DORA on time.

“Minimum Mandatory Compliance”

A recurring theme was the concept of “minimum mandatory compliance.” This means ensuring all necessary artefacts, both Level 1 and Level 2, are drafted, reviewed, and approved by Boards before the 17 January 2025 deadline. Some artefacts, like the establishment of an ICT Risk Management Framework, will need prioritisation, as they are critical to embedding compliance into everyday business processes.

A key focus was the identification and mapping of Critical or Important Functions (CIFs), which will have a knock-on effect on efforts to remediate areas like ICT third-party service provider contracts and ICT-related incident management.

Day 1 Priorities and Supervisory Convergence

While no official “day 1 priorities” have been set by National Competent Authorities (NCAs) or European Supervisory Authorities (ESAs), the CBI indicated that communications could be expected soon. Some NCAs may require full compliance from 17 January 2025, while others may offer flexibility. It’s crucial that organisations engage closely with their NCA to understand specific expectations.

There has been some relaxation around certain requirements, such as ICT subcontracting. Article 4.2 now calls for changes to contractual agreements to be implemented “in a timely manner.” The CBI recognises that full compliance with this by January may be challenging, but organisations must at least have Board-approved plans for addressing these issues.

Industry Insights

EY shared insights from a recent survey of 50 financial entities (FEs), revealing some startling statistics:

  • Only 25% of organisations believe they will be DORA-compliant by the deadline.
  • 67% expect ICT contract remediation efforts to extend beyond 12 months.
  • 50% are currently non-compliant with ICT Incident Management requirements.
  • 53% have identified their CIFs.

These figures highlight the significant work still needed as the deadline approaches.

Register of Information (RoI) Delay

The EC has rejected the Implementing Technical Standard (ITS) on the Register of Information (RoI), mainly due to issues around the use of legal entity identifiers (LEIs). This adds further pressure on organisations, as they cannot design and implement the RoI until final approval is granted. Without this, the CBI’s ability to supervise ICT third-party arrangements will also be impacted.

Moreover, the delay could affect the identification of critical ICT third-party providers (CTPPs). It is expected that between 5 and 10 CTPPs will be designated in Ireland, with notifications likely delayed until mid-to-late 2025.

ICT Subcontracting RTS

Delays are also expected in the approval of the Regulatory Technical Standards (RTS) on ICT subcontracting, as it appears the EC has some further concerns. While there is strong support from NCAs and ESAs for the current draft, any further delays in the legal process could push timelines beyond what is feasible for compliance by January 2025.

ICT Contract Remediation

Remediation of ICT third-party contracts remains a significant challenge. Many organisations acknowledge that full remediation by January 2025 is unachievable. A risk-based approach is being adopted, focusing on high-risk third parties first, with longer-term plans for lower-risk contracts.

One solution gaining traction is the use of a DORA addendum to update existing contracts, rather than re-opening and renegotiating them entirely. This allows for more efficient remediation while ensuring compliance.

Threat-Led Penetration Testing (TLPT)

TLPT is another area of uncertainty. The CBI expects roughly 600 financial entities in Ireland to be within the scope of DORA, with only around 30 required to conduct TLPT. Organisations already participating in TIBER-EU or TIBER-IE testing will meet compliance requirements for TLPT, reducing their immediate priority.

SREP IT Risk Questionnaire (ITRQ)

Moving forward, the SREP IT Risk Questionnaire will be updated to reflect DORA’s requirements, moving away from a pure focus on the EBA’s ICT and Security Risk Management Guidelines.

Oversight Framework

The Joint Committee of the European Supervisory Authorities (ESAs) has appointed Marc Andries to lead oversight activities for Critical Third-Party Providers (CTPPs) under DORA. Andries’ role will focus on creating a pan-European oversight framework for these key providers, an essential part of DORA’s broader strategy.

Conclusion

The dominant theme from the event was uncertainty—both in terms of financial entities being ready for January 2025, and whether the EC, ESAs, and NCAs will have a fully approved and consistent approach to compliance by then. Financial entities must identify gaps and secure Board-approved remediation plans, even if full compliance by January is unlikely.

In the months ahead, collaboration with regulators, clarity around final requirements, and prioritisation of critical tasks will be key to navigating this complex regulatory landscape.

If you’d like to discuss anything related to DORA or its implementation, please reach out to our team of experts today.
