Preparing for DORA: Key Developments in the EU’s Digital Operational Resilience Act
As the countdown to the implementation of the EU Digital Operational Resilience Act (DORA) intensifies, with less than three months remaining until the January 17, 2025 deadline, financial entities (FEs) across Europe are gearing up for compliance. This article highlights recent developments in the EU’s efforts to facilitate firms’ transition to DORA compliance, focusing on standardization of threat-led penetration testing, leadership appointments, and the European Supervisory Authorities’ (ESAs) work programme.
Potential Standardization of Threat-led Penetration Testing
In September 2024, the European Central Bank (ECB) released a pivotal paper outlining the TIBER-EU framework, which is designed to support national competent authorities (NCAs) and FEs in meeting the threat-led penetration testing (TLPT) requirements mandated by DORA. The TIBER-EU framework is a well-established model for conducting controlled, bespoke, and intelligence-led red team tests on critical live production systems of financial entities.
The ECB’s paper emphasizes the advantages of adopting the TIBER-EU framework as a common solution for FEs to comply with DORA’s TLPT requirements. With 16 EU Member States already implementing this framework and others expressing interest, the ECB argues that it can serve as a comprehensive guide for NCAs and FEs. The framework not only outlines the testing process but also fosters collaboration among NCAs, FEs, threat intelligence providers, and red team testers to enhance cyber resilience through controlled cyber attack simulations.
Importantly, the ECB clarifies that the existing TIBER-EU testing process aligns seamlessly with the upcoming TLPT process outlined in DORA, thereby streamlining compliance efforts for financial entities.
Director Appointed to Lead Joint Oversight under DORA
On October 1, 2024, the European Insurance and Occupational Pensions Authority (EIOPA) announced the appointment of Marc Andries as the Director responsible for leading the joint oversight activities under DORA. This new role within the Joint Committee of the ESAs is crucial for overseeing critical information and communication technology (ICT) third-party providers (CTPPs) across Europe.
Mr. Andries will spearhead the implementation of an oversight framework for CTPPs, ensuring that these providers meet the stringent requirements set forth by DORA. His leadership is expected to enhance the coordination and effectiveness of oversight activities, which are vital for maintaining the integrity and resilience of the financial sector’s digital infrastructure.
ESAs’ 2025 Work Programme
On October 4, 2024, the ESAs published their joint work programme for 2025, outlining their priorities, which prominently feature digital operational resilience. The work programme indicates that the ESAs will maintain a strong focus on DORA-related initiatives and will coordinate the implementation of the act.
By mid-January 2025, the ESAs aim to fulfill all DORA policy mandates outlined in Level 1 measures, after which they will shift their focus to supervisory convergence regarding the application of the DORA framework. Notably, certain policy mandates, such as incident reporting and TLPT, will necessitate joint governance processes among authorities, which will be further defined in 2025.
The ESAs will also initiate the oversight framework for CTPPs and develop a major ICT-related incident coordination framework as required by DORA. In the early months of 2025, they will establish oversight procedures and methodologies, including the creation of the Oversight Forum and Joint Oversight Network, to assess the criticality of ICT third-party service providers. This groundwork will pave the way for the designation of the first group of CTPPs and the establishment of Joint Examination Teams to commence core oversight activities.
ESAs’ Opinion on the Register of Information
On October 15, 2024, the ESAs issued an opinion regarding the European Commission’s amendments to the draft implementing technical standards (ITS) concerning registers of information under DORA. As stipulated in Article 28(3) of DORA, FEs are required to maintain and regularly update a register of information related to all contractual arrangements involving ICT services provided by ICT third-party service providers (TPPs).
The Commission’s recent rejection of the draft ITS, together with its proposal that FEs should have the option to use European unique identifiers (EUIDs) alongside legal entity identifiers (LEIs) for EU TPPs, prompted the ESAs to express their concerns. They highlighted that introducing EUIDs could lead to unexpected implementation challenges and increased costs for FEs due to necessary changes in the register templates and additional data collection requirements.
In response, the ESAs proposed amendments to the draft ITS to accommodate the EUID if the Commission proceeds with its policy. They also suggested further technical adjustments based on feedback from a voluntary dry run exercise conducted throughout 2024.
Conclusion
As the implementation date for DORA approaches, the EU is actively working to ensure that financial entities are well-prepared to meet the new regulatory requirements. The recent developments, including the standardization of threat-led penetration testing through the TIBER-EU framework, the appointment of a dedicated director for oversight, and the ESAs’ comprehensive work programme, are all critical steps in facilitating a smooth transition to DORA compliance. Financial entities must stay informed and engaged with these developments to enhance their digital operational resilience and safeguard against emerging cyber threats.