With exactly 8 months to go until DORA applies on 17 January 2025, the level of DORA readiness still varies widely across Irish financial entities. It is essential, therefore, that firms have defined their own critical path to achieving compliance, that this path is clearly understood within the organisation, and that it is underpinned by a robust DORA programme.
Many Irish financial entities have completed their gap assessments and refined them into implementation plans that are currently being executed. However, with 8 months left to go, there are still firms that have not yet commenced or concluded their gap analysis, or have not yet had it approved internally. Since the Level 1 text is set in stone, in-scope entities should conclude their Level 1 gap analysis as soon as possible; leaving it any later may leave minimal time for sufficient remediation to be undertaken.
The technical standards (RTS and ITS) are still a major topic of discussion. Although we have seen near-final drafts of the first batch of technical standards and drafts of the second batch, neither is yet official. With the European elections imminent, it is expected that the Level 2 standards will not be fully finalised until September 2024 at the earliest. This leaves financial entities in a precarious position, particularly if they have not commenced a Level 2 gap analysis against the latest draft standards.
What are some of the major lessons learned to date, and what can firms do to address them before January 2025?
- Critical or Important Functions (CIFs), the Register of Information (RoI) and ICT third-party contracts remain the number one challenge. Firms are still struggling to identify their CIFs, have not given sufficient time to the RoI, and are grappling with their approach to contract remediation. As these are cornerstone aspects of DORA compliance, they require early and robust completion.
- Another major lesson learned relates to the build-out of a comprehensive ICT Risk Management Framework (ICTRMF), as required by DORA. Several firms have not realised or accepted the need to define a robust ICTRMF. As a matter of best practice, the ICTRMF should also align with other core frameworks (e.g. Operational Risk Management, the Individual Accountability Framework, Operational Resilience and Third-Party Risk Management).
- With respect to the timing and effectiveness of the DORA programme itself, we have seen some entities that are not focused enough on minimum mandatory compliance, which can lead to misalignment with their overarching Digital Operational Resilience Strategy (a specific requirement in its own right under DORA).
What can firms expect in the coming months?
There are further regulatory developments to come. The technical standards will be finalised in September 2024, necessitating a final assessment of them by firms (or a “top-up” assessment in the case of others). The European Supervisory Authorities’ (ESAs’) dry run on the Register of Information will help participants to identify their ICT services, contracts and CIFs. The ESAs will conduct further data benchmarking across financial entities (akin to the ICT third-party contractual exercise previously conducted via national competent authorities), and the “Oversight Framework” for critical ICT third parties (CTPPs) will be clarified, with the eventual list of CTPPs being published.
Some firms are already starting to talk about potential non-compliance (or partial compliance), given the scale of the work to be done and the expectation that it will not be completed ahead of the January deadline. Although non-compliance may well be a reality for some entities, the consequences are potentially severe and are therefore to be avoided. Entities found to be in violation of DORA’s requirements may face fines of up to 2% of their total annual worldwide turnover or, in the case of an individual, a maximum fine of EUR 1,000,000. The amount of the fine will depend on the severity of the violation and the financial entity’s cooperation with the authorities.
For those in a healthier position, we will no doubt see more independent DORA programme reviews commissioned. Coupled with this, the Central Bank of Ireland (CBI) continues to strengthen its own capabilities and is planning ahead for local DORA supervision; we can expect to hear more about those plans across the second half of 2024.
For more information on DORA, please reach out to David Spollen.
Contact Us
If you would like more information on how EY's team of experts can help, please reach out today.