The European Commission published its draft Digital Operational Resilience Act (DORA) on 24th September 2020. This proposal is seeking
to enhance and update the existing information and communications technology (ICT) risk management requirements already developed by other EU institutions
to harmonise several recent EU initiatives into one Regulation
to establish more robust frameworks for EU financial regulators and supervisors to monitor that firms are financially while remaining operationally resilient
According to Deloitte's assessment of this act's core aspects include:
Bringing ‘critical ICT third party providers’ (CTPPs), including cloud service providers (CSPs), within the regulatory perimeter. These would be supervised by one of the European Supervisory Authorities (ESAs), who would have the power to request information, conduct off-site and on-site inspections, issue recommendations and requests, and impose fines in certain circumstances.
With a view to harmonising local rules across the EU, setting EU-wide standards for digital operational resilience testing, but leaving out automatic cross-border recognition of threat-led penetration testing (TLPT) for the time being.
Harmonising ICT risk management rules across financial services sectors, based on existing guidelines.
Harmonising ICT incident classification and reporting, and opening the door for the establishment of a single EU-hub for major ICT-related incident reporting by financial institutions.
Deloitte expects the DORA will be negotiated across the next 12 to 18 months and further legitalitve updates will follow. In the meantime, here are their practical recommendations for firms to follow:
ICT TPPs will need to evaluate whether they will deemed ‘critical’. Those who are may need to establish new regulatory teams and analyse how they can best comply with the oversight framework being developed.
Larger firms should closely follow the ESAs as they flesh out the criteria requiring firms to carry out TLPTs. Those newly in scope will need to develop a strategy to make the best use of these advanced tests.
While large firms will already be applying many of the DORA’s ICT risk management requirements, they should assess whether their response and recovery strategies and plans respond appropriately to the expanded rules in these areas.
All firms will need to develop or amend their incident reporting processes in line with the new rules. Firms may want to consider aligning these to their internal reporting processes to optimise resource allocation.
Acronyms:
ICT = information and communications technology
CCTPs = critical ICT third party providers
TLPT =threat-led penetration testing
TPPs = third party providers
Further reading:
The European Commision Digital Operational Resilience Act