DORA Industry Briefing- Remarks by Gerry Cross, Director of Financial Regulation, Policy and Risk
06 November 2024
Speech
These remark were delivered at a DORA Industry Briefing hosted by the Central Bank of Ireland, in the River Suites, North Wall Quay, on 6 November 2024.
Good morning,
First off, let me start by welcoming you all here today to the Central Bank for our DORA Industry event. It is good to see so many representatives of the Irish financial sector here this morning in person and also on-line. I think we have over 1100 participants all told, reflecting the strong interest in DORA and its implementation.
With operational resilience in mind, we will record the event and should anyone joining us on-line experiences connectivity issues the recording will be made available after the event.
Introduction
DORA was adopted in November 2022. Following this, the European Supervisory Authorities or ESAs together with 40 plus National Competent Authorities and other authorities have been working to develop the mandated technical standards or DORA Level-2 texts. This was done by the establishment of a cross-sectoral committee – the so-called Joint Committee Sub-Committee on Digital Operational Resilience (JCSCDOR) – which I have had the privilege to chair. About 10 months ago in January 2024, the ESAs submitted the first batch of proposed Level-2 technical standards to the European Commission. The second batch of technical standards was delivered by the ESAs to the Commission just three months ago in July.
To guide our work in the Sub-Committee, we adopted five principles. These principles have served us well. Indeed, I would say that in the current context of uncertainty, rapid change and challenge, they could be adopted for use in other areas of regulatory work.
Momentum. Recognising the urgency of our task from day-1, we have sought, despite the complexity and challenge of the work, to do it with strong momentum to give ourselves, firms, and the system as a whole every chance of being in the best shape possible for the January 2025 implementation date. I am pleased that we have succeeded in maintaining strong momentum throughout and that all of the draft regulations were submitted on time to the European Commission.
Pragmatism. DORA itself is complex and also applies to a wide range of firms of all shapes, sizes and business models. There is enormous potential to get deeply ensnared in technical detail beyond the capacity of the system to manage given the tight timelines. Therefore from early on we understood the need for a pragmatic approach, which has served us well throughout.
Quality. Momentum and pragmatism will not come at the expense of quality. We have been committed to delivering a high quality DORA framework based on the well negotiated Level 1 text which will strongly deliver enhanced resilience and risk management in a manner which is consistent with manageable implementation by those firms and entities to whom it applies.
Proportionality. Proportionality is key and has been and continues to be at the heart of our regulatory approach. Given the very wide range of firms DORA will apply to, the DORA framework has to be fit for application to firms of all types, sizes, shapes, and levels of complexity. There is already a great deal of proportionality built into the Level 1 text which informs the whole framework. However, we have taken great care to ensure proportionality in all aspects of the Level 2 regulations.
And finally Engagement. High quality and effective engagement has been key for the successful development of an ecosystem resilience framework such as this. And will continue to be critical to the success of implementing DORA. Our regulatory development process is strongly adapted to this fact. At the Central Bank, we have had numerous engagements with stakeholders as the framework has been being developed and will continue to do so.
The DORA regulatory development work is almost complete. The European Commission has adopted or is close to adopting the final regulatory products. With one or two there have been or are likely to be short delays in finalising as the European Commission looks again at a couple of discrete aspects.
Overall, 2024 saw the policy drafting steadily moved towards completion, while at the same time the emphasis and focus of both financial entities and national competent authorities has shifted to the implementation of DORA which comes into effect on Jan 17. The main topic of today’s event.
A bit of DORA background
DORA of course is a fully cross-sectoral and wide-scope piece of regulation. This represents significant ambition – to introduce a single, far-reaching framework of regulation that can be applied to every financial firm whatever their size, whatever their complexity, whatever their business model. This aspect combined with its multi-faceted approach, including the oversight regime for critical third party providers as well as its focus on fast information flows, makes it a true form of smart ecosystem regulation.
Furthermore, while DORA is based on existing ICT best practices and guidance, it is a complex regulation placing important ICT requirements on regulated firms. Implementing such a complex Regulation is challenging for both, regulated firms as well as us regulators, and I will touch on some of these challenges in a moment.
Given DORA’s complexity, we will provide you today with an overview of DORA and its key areas as well as two focus sessions in the areas of ICT risk and outsourcing management and on ICT incident reporting.
For firms subject to DORA’s advanced threat-led penetration testing, in short TLPT, the Central Bank will hold dedicated workshops for those entities we are identifying as being in scope. These invites should issue in the coming weeks.
As we all know DORA is ambitious in its aim, so I like to remind us all on what DORA was set out to achieve.
The European Commission when it put forward its DORA proposal noted that 'the absence of detailed and comprehensive rules on digital operational resilience at EU level has led to the proliferation of national regulatory initiatives….This situation fragments the single market, undermines the stability and integrity of the EU financial sector, and jeopardises the protection of consumers and investors.’1
DORA was developed to address these concerns. As Billy Kelleher MEP, rapporteur on the DORA file, said correctly that: ‘DORA, along with its sister files, the Network and Information Security Directive (NIS2) and the Critical Entities Resilience Directive (CER), will provide the Union with a strong and legal framework for managing Information and Communication Technology (ICT) risk, preventing cyber-attacks against entities and combatting other incidents.’2
Both these comments are consistent with an understanding of DORA as a regulation targeting the EU-wide ecosystem designed to enhance digital operational resilience both at the entity and system wide level.
Frank Elderson3, Member of the Executive Board of the ECB, coined a rather nice phrase regarding banking and operational resilience: The art of bending without breaking.
It is also important to understand that operational risk management and operational resilience are different concepts. Operational risk management seeks to identify risks and aims to minimise the likelihood and the impact of a given risk event. On the other hand, operational resilience assumes that an event will occur and financial entities must consider steps to allow their critical systems to bend but not to break.
The DORA toolkit will help to further boost operational resilience by setting out requirements about how firms must approach their own operational risk, resilience and recovery. Furthermore, and given the ever increasing reliance on third-party providers, DORA puts in place requirements as to how financial entities must approach the management of their relationships with third party service providers. This is a crucial aspect given the way in which digitalisation is a phenomenon which has relied to an unprecedented extent on outsourcing and subcontracting as the means to harness change.
As I mentioned, DORA is the evolution of existing ICT best practices and in many respects represents what any well managed firm should be doing already. While the timelines between finalisation of the regulatory products and implementation are short, many firms can be expected to have already been laying much of the groundwork for implementation over the recent years. Moreover, for some sectors many of the requirements under DORA are already in place under sectoral legislation.
Implementation
With this let me share some thoughts on the implementation and supervision of DORA.
And the first thing to say of course is that as of the 17 January the DORA framework will be the legally binding digital operational resilience framework for financial firms across the EU.
Secondly, DORA itself and the overall regulatory framework has been under development for quite a while now. Moreover it represents in many respects what any well managed firm should be doing. So while it may be recognised that there are aspects that are only becoming finally clear now, at the same time firms can be expected to have already been laying much of the groundwork for implementation over the recent years.
Moreover, for some sectors many of the requirements under DORA are already in place under sectoral legislation. For these firm the gap to implementation is smaller. There must be no slowing of the momentum to closing this gap.
Beyond this, I believe that there is merit in the idea that when new regulations are introduced there is often benefit in taking a “high quality implementation” perspective when it comes to the supervisory approach to implementation. In other words, while legal requirements remain legal requirements, there is merit in seeing the value in a committed journey by firms and supervisors from initial implementation and compliance to a richer, more fully achieved implementation over time.
I believe that this is a valuable consideration also in the context of DORA. To be clear, our expectations will be demanding. We will expect firms to have clearly identified gaps to compliance and to be moving strongly to close those gaps. We will assess firms’ performance including by having regard to their appropriate starting point, the quality of their approach, and their timely closing of any gaps.
And of course key aspects, such as incident identification and reporting, will be expected to be in place without delay.
Another very important focus for us at the Central Bank is to contribute to promoting continuing strong convergence in how competent authorities across the Union implement and supervise the new DORA framework. I am pleased that the structures that we have put in place in Europe to develop the Level 2 regulation will be maintained in place to support supervisory convergence and consistency of implementation of the new framework and as we move to more permanent arrangements into the future. And I am pleased that this work is delivering a convergent approach to implementation broadly in line with what I am describing here.
As many of you will be aware, here at the Central Bank we are also in transformation. We are further developing our supervisory approach. Being outcomes focused, as I have said, we have to continually improve how we do things. We operate in an environment that is evolving and changing rapidly. We need to continuously evolve to be continuously successful.
Building on the strong foundations of our current approach to supervision, we are moving to an integrated supervisory framework where directorates with oversight of banks, insurance companies and capital markets will be responsible for the supervision of all the aspects in their respective sectors. That means that we will have a more integrated approach to our supervision of soundness, consumer, and financial crime aspects. Our approach will continue to be risk-based; and the new framework will ensure we are more efficient and effective in our supervisory work.
Importantly this will be buttressed by enhanced horizontal, cross-sectoral, supervision. This will include an enhanced team dedicated to operational resilience which will work with sectoral supervisors to ensure our own high quality approach to DORA implementation. From January 2025, the Central Bank’s ICT supervision will be conducted in-line with DORA.
Finally, let me say a few words to DORA’s oversight regime of critical ICT third-party service providers, or CTPPs. For the first time the EU will have an oversight regime for critical third party services – including cloud service providers – that provide ICT services to financial firms and thereby to the financial system. This is both ground-breaking and sophisticated. DORA does not mean that such third parties, including many of the Big Tech companies, are to be regulated firms. Rather it means that given their increasingly important and integrated role in the financial system, financial regulators shall collectively led by the European Supervisory Authorities have oversight of such providers, including of course the right of inspection. The ESAs are currently working towards operationalising this oversight framework and have appointed last month a new director on oversight, who will jointly report to the three ESAs.
A key aspect of this new oversight regime will be the initial designation of CTPPs. This means that there will be urgency in the completion of the registers of information by financial firms by the end of the first few months of next year once the relevant specifications are finalised by the European Commission in the coming period.
Conclusion
In conclusion, let me thank you for your attention here this morning.
I hope you have found my opening remarks helpful in framing both the further discussions this morning and the task underway and ahead for implementing the new digital operational resilience framework.
With this, I hand you over to my colleagues to provide you with an overview of DORA and share with you our thoughts on DORA’s incident, risk and third-party risk management requirements.
We will complete the event with a panel session to answer questions we received prior to the event as well as directly from you here today.
Thank you.
1https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020PC0595
2https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-cross-sectoral-financial-services-act-1