We’ve pulled together the latest updates from the Central Bank of Ireland (CBI) in relation to the Digital Operational Resilience Act (DORA). The focus areas include the supervision of expectations on regulated financial entities, the collection and reporting of ICT incidents and cyber-threats, and the management of the Register of Information on ICT outsourcing.

Engagement and Stakeholder Involvement

As part of their strategic approach, CBI places a strong emphasis on engagement. The first step involves promoting awareness of DORA, followed by a meticulous understanding of stakeholder concerns. This inclusive approach helps shape CBI’s policy decisions and ensures a collaborative effort in implementing DORA effectively.

Technical Standards and Progress

At a recent EY round table event on 22 February, CBI explained that there was a delay in finalising technical standards due to European elections and summer recess. This is now expected in September 2024.  Despite the setback, CBI acknowledges the remarkable progress made by the European Supervisory Authorities (ESAs) and the Joint Committee Sub-Committee on DORA, attributing their success to key principles such as Momentum, Pragmatism, Quality, Proportionality and Engagement.

Reviewing 2016 Guidance

CBI is currently re-evaluating its 2016 guidance on ICT and Cyber Risk Management in light of DORA. While identifying affected texts, the decision to retain or remove this guidance remains pending. CBI underscores the priority of DORA compliance for entities falling under its purview, emphasizing its “lex specialis” nature for certain firms.

Critical ICT Third Parties

The discussion extended to the engagement with critical ICT third parties, including major players like Amazon and Microsoft. While the list is yet to be confirmed, CBI noted that an extremely large number of ICT third parties were being identified (in the region of 5,000 from a sample of 4% of EU institutions from past information gathering exercises conducted by the ESAs).  Amongst European Regulators, further consultation initiatives continue around the criteria for designation as a CTPP, however, it not yet known what the final number of CTPPs will be (and whether this will be greater than or less than 50).

Outsourcing

CBI stated that they are generally happy with the work undertaken on Outsourcing across Irish financial entities and that Ireland is ahead of the curve in this area in comparison to other EU countries.  From a DORA perspective, it was reiterated that CBI Outsourcing guidance is closely aligned with existing DORA requirements and this should means less uplift for Irish financial entities in scope for DORA.

As CBI navigates the intricate terrain of DORA implementation, stakeholders are encouraged to stay informed and actively engage with the ongoing developments. The commitment to awareness, stakeholder involvement, and alignment with evolving technical standards positions CBI at the forefront of preparing Irish financial entities for the imminent application of DORA from January 17, 2025.