Gerry Cross is the Director of Financial Regulation, Policy and Risk at the Central Bank of Ireland and also Chair of the European Supervisory Authorities’ Joint Sub-Committee on DORA Implementation.
At an event organised by Amazon Web Services, the European Fintech Association, and Insurance Ireland in March 2023, Mr Cross discussed DORA in remarks titled “Implementing DORA – Achieving enhanced digital operational resilience in European financial services”.
The Central Bank of Ireland has published the full transcript of his remarks.
Here are my 5 key takeaways.
1. The tight timelines reflect the regulatory concerns
The DORA regulation applies from 17 January 2025.
Mr Cross remarked that “These tight deadlines are not arbitrary ones chosen on a whim. Rather they are a direct function of the importance and urgency of the issue that they are designed to address. Tech- and cyber risk are amongst the top risks that we face in the financial system. They pose risks both to individual firms and, potentially, to systemic stability.”
In other words: If we think that January 2025 is far away and that we can wait a while before we work on complying with DORA, we’re missing the point. DORA will help us address some of “the top risks that we face in the financial system”. These risks won’t emerge in January 2025. They exist today.
2. Compliance needs to be proportionate
Mr Cross went on to say that “DORA is a cross-sector Regulation, applying to all regulated financial firms. It aims to mitigate technology and cyber risk by enhancing firms’ technology and cyber risk management and resilience. It creates a regulatory framework whereby all firms need to make sure they can withstand, respond to and recover from ICT-related disruptions and threats, including of course cyber attacks.” [..] “This is a complicated field, made more so by the very wide range of firms of all shapes, sizes and business models to whom it applies. [..] Proportionality is therefore essential.”
In other words: Don’t try to boil the ocean. Recognise that DORA compliance could mean very different things for different types of firms.
3. The ESAs are working on more detailed Regulatory Technical Standards
Mr Cross mentions that specific “Regulatory Technical Standards” will enter a consultation phase this summer, including:
- “Risk management framework
- The criteria for the classification of ICT-related incidents
- The register of information on outsourcing that firms must keep
- Rules on outsourcing policies”
In other words: DORA requires the ESAs (European Supervisory Authorities) to develop more detailed ‘Regulatory Technical Standards’, with some standards needing to be finalised by January 2024 and others by July 2024. We need to keep an eye out for these standards, as we may only have 6 months to comply with their detailed requirements.
4. The requirements relating to ICT Risk Management should not be a surprise
Mr Cross states that “[m]any of the key ICT risk management principles and the expectations placed on senior management have been around now for about 20 years. [..] More than three years ago the EBA issued [guidelines] on ICT and security risk management for banks (November 2019). EIOPA followed suit and issued [guidelines] on ICT security and governance for the insurance sector in 2020. DORA now of course applies these principles to a wider range of firms.” He also refers specifically to the NIST Cybersecurity Framework (published in 2014), and suggests that the Technical Standards will elaborate on this framework.
In other words: We need to get better at identifying and protecting our IT assets, and at detecting attacks. The structure of Articles 8 to 11 in DORA reflects the 5 key functions of the NIST Cybersecurity Framework. We should use this framework to guide our compliance efforts, to ensure we deliver security measures that experts have already agreed upon. (NOTE: Version 2 of the NIST CSF is currently being worked on. The current version (v1.1) is accessible here.)
5. Critical Third Party Providers will be overseen, not regulated or supervised
“A new oversight regime for Critical Third Party Providers (CTPPs) [is] established under section II of Chapter V in DORA. [..] CTPPs are subject not to regulation or to formal supervision but to oversight. [..] It remains the case that regulated financial entities must continue to take full responsibility for their outsourcing activities.”
In other words: Many people may believe that Critical Third Party Providers will now be directly regulated. This is not the case. DORA will enable regulators to oversee their activities, but each regulated firm will continue to be responsible for their outsourced partners, including the need to maintain a register of outsourced services.
If you are interested in learning more about DORA, here’s how I can help.