Implementing DORA - Achieving enhanced digital operational resilience in European financial services - Remarks by Director Gerry Cross
01 July 2024
Speech
These remarks were delivered at "6-Months to DORA", organised by the Institute of International Finance and Amazon Web Services, on 28 June 2024.
Good morning. It is a pleasure to be here this morning to exchange views on the EU’s new Digital Operational Resilience Framework (DORA) and its implementation. Many thanks indeed to the Institute of International Finance and Amazon Web Services for organising this event.
I am happy to be here in my role as Director of Financial Regulation, Policy and Risk at the Central Bank of Ireland, and as Chair of the Joint European Supervisory Authorities (ESAs) Sub-Committee on Digital Operational Resilience.
15 months ago exactly - on 28 March 2023 - I spoke here in Brussels on the challenges and opportunities the DORA implementation would be likely to have. At that time we were 21 months from application and the delivery of the policy mandates loomed large. As you may recall, we established five working principles to address these challenges. These were: momentum, pragmatism, quality, proportionality and engagement.
In the work of the ESAs' Joint Committee on DORA we were committed to maintaining the strong momentum that came from the level-1 negotiations. In order to deliver against these deadlines, we embraced a pragmatic approach to deliver on time a well-specified, strongly coherent and consistent, and comprehensive package of regulation. We were clear that momentum and pragmatism should not come at the expense of quality.
Given the very wide range of firms subject to DORA and the need for the framework to be fit for application to firms of all types, sizes, shapes, and levels of complexity, proportionality was a further essential principle. The final enabling principle governing our work was engagement. We knew that to be successful we would need to engage effectively and well across the financial services ecosystem.
These five principles have proved valuable and enduring. They have served us all well. Indeed the experience that we have had of their deployment suggests that they could serve as principles of good regulatory practice more generally as we face into the challenge of a rapidly changing and uncertain world.
They can also serve well as headings to provide my update today on where the work has got to, where we are going to, and how to overcome the challenges that are still to come.
Momentum
Momentum was and is important. Not simply because the co-legislators set a tight deadline for the coming into effect of the new framework – the 17th January 2025. But also because this legislative timetable reflects the underlying urgency of the issue that we are addressing. Digital operational resilience is a fundamental underpinning of a resilient and well-functioning financial system supporting the economy and serving the needs of citizens. Financial services are fundamentally about information and data. So the threat surface is large, the risks are significant and increasing, and the potential impact is great.
In short, we don’t have time to lose. That is why momentum has been one of our key working principles.
I am pleased to report today that strong momentum has been maintained and we remain pretty much on track to deliver the new regulatory framework on time and to schedule.
The delivery of the DORA regulatory implementation work has, as you know, been split into two phases with a 12-month and an 18-month deadline respectively.
The phase 1 proposals were submitted to the Commission earlier this year on 17 January 2024. Three regulatory technical standards (RTS) from this phase have already been adopted by the Commission on 13 March this year and published in the Official Journal of the EU this week (Tuesday, 25 June 2024). These RTSs set out the requirements on ICT risk management; detail the criteria for the classification of ICT-related incidents; and prescribe the required elements in financial entities’ policies governing outsourcing of ICT services to third parties.
The fourth phase 1 proposal is an implementing technical standard, or ITS, that provides the templates for the registers of information on ICT outsourcing.
We have sought to maintain strong momentum in the development of these registers. This is important in itself because of the pressing need to develop a good understanding of the overall ICT ecosystem which the financial sector is part of, and upon which it is critically dependent. It is doubly important because the implementation of the new oversight framework for critical third party service providers (CTPPs) is dependent upon the information which will be made available through these registers.
In order to facilitate the timely and smooth introduction of these registers, the ESAs and Competent Authorities are collaborating in a dry run exercise to assist financial entities to become familiar with the operation of the new templates. Our thanks to those many firms who have volunteered to participate in this exercise.
The proposed draft ITS on the registers has been submitted to the European Commission for its approval in January. We of course encourage the European Commission to adopt this ITS as soon as possible to facilitate the timely implementation of the registers. To the extent that enhancements might be considered, I would encourage people to adopt the pragmatic approach which we regulators have adopted. In particular, as I will mention below, we have not sought to achieve perfection in all respects now, recognising that there is a multi-year aspect to this work and enhancements can certainly be achieved in the years to come.
Turning for a moment to the Phase 2 proposals: following the public consultation earlier this year and the 480 comments received, these draft technical standards are now being finalised and are on track for submission to the Commission on time by 17 July 2024. These standards will contain the requirements for subcontracting ICT services that support critical or important functions within a financial entity; the requirements for conducting a threat-led penetration test; and the content, timelines and templates for the reporting of major ICT-related incidents.
Pragmatism
The second principle that has strongly guided our work has been that of pragmatism. This is a really valuable regulatory watchword. When developing new regulation it is of course, as I shall discuss below, very important to pay close attention to quality. But it is also very important to be pragmatic. We are interested in outcomes – a resilient financial system that supports the economy and serves citizens. And these outcomes are determined not only by the ‘y’ axis of activities, but also by the ‘x’ axis of time (and its corollary, change). There is no point in taking additional time getting things marginally better if in the meantime time and change mean that we are falling further behind the curve.
Accordingly, in our work we have adopted the view that we need to find the best solutions possible in the limited time available before implementation. But we also have firmly recognised that the regulation of digital operational resilience is not a once-and-done exercise and that it is optimal to adopt a multi-year, multifaceted perspective.
So, for example, while we are nearing the completion of the level 2 regulation development, it has been decided to maintain the Joint Committee Sub-Committee on DORA in existence so that it can provide the bridge to, and organisational basis for, for example, any future level 3 guidance.
And this brings me to a further very important aspect of pragmatism. That is the need for a pragmatic approach to be maintained as we move now into the period of coming into effect of the new regime. One of the messages that we heard during the course of the recent consultation was that the time period between the finalising of the regulatory requirements and their coming into effect is extremely short. Respondents are concerned that the time available for them to implement the finalised rules is too short. We recognise that this is a valid concern. It is however also a nuanced picture.
First of all, these regulations represent the legal reality as mandated by the co-legislative authorities. It is outside the power of any ESA or competent authority to alter this fact.
Secondly, DORA itself and the overall regulatory framework have been under development for quite a while now. Moreover, it represents in many respects what any well managed firm should be doing. So while it may be recognised that there are aspects that are only becoming finally clear now, at the same time firms can be expected to have already been laying much of the groundwork for implementation over recent years.
Moreover, for some sectors many of the requirements under DORA are already in place under sectoral legislation. For these firms the gap to implementation is smaller.
Beyond this however, I believe that there is merit in the idea that when new regulations are introduced there is often benefit in taking a “Day 1/Day 2” perspective when it comes to supervisory expectations for initial implementation. In other words, while legal requirements remain legal requirements, there is often merit in seeing the value in a committed journey by firms and supervisors from initial implementation and compliance to a richer, more fully achieved implementation over time. I believe that this is a valuable consideration also in the context of DORA.
Another very important aspect of pragmatism will be to seek to ensure continuing strong convergence in how competent authorities across the Union implement and supervise the new DORA framework. I am pleased that the structures that we have put in place to develop the level 2 regulation will be maintained in place to support supervisory convergence and consistency of implementation of the new framework as we move to more permanent arrangements into the future. It is important that all of us in the ecosystem (ESAs, Competent Authorities and firms) commit the ongoing resources to ensuring this convergence and coordination.
Quality
As I have already said, while momentum and pragmatism have been important principles in how we have approached, and continue to approach, our work, it has also been a central consideration that this must not come at the expense of the quality of the regulatory framework to be delivered.
I am very pleased that this third objective has been very fully achieved in the work to date.
Whichever perspective you decide to look from: whether it be looking at the larger picture and the interlocking structure of digital operational resilience (including risk management, third party outsourcing and subcontracting, concentration risk and system mapping, incident reporting, threat led penetration testing, as well as the new departure into oversight of critical third party service providers); or whether you take a more up-close look at the structuring of the different regulations and the balance, focus, and proportionality of the different components and provisions. Whichever of these perspectives you take, I think you will, like me, find that what is being delivered is a high quality, well judged, appropriately demanding, but balanced and proportionate new regulatory framework.
You will see, I believe, that it reflects not only the significant contribution that has been made by many of you stakeholders through our engagement and consultation processes – about which, more shortly - but also other key principles of good regulation: that it should remain outcomes-focused, clear in its expectations, and deliver benefits that materially outweigh any costs. All of this, I believe, is being well delivered on.
Proportionality
As I have mentioned a number of times, ensuring proportionality has been a central focus of the work to develop the DORA framework. This is an essential requirement of all regulation, but even more so in the case of DORA with its unique feature of being fully cross-sectoral and applying to almost all financial firms whatever their nature, scale or business model. If we don’t achieve proportionality then not only will the new framework not be successful, it will also hamper Europe in achieving the economic success which is so important to achieve.
Proportionality is strongly built into the foundational architecture of the new Digital Operational Resilience framework. It is there in some of the key concepts – a risk management framework consistent with the size and nature of a firm's activities; in concepts such as "criticality", "major", and "systemic" which are embedded throughout the framework; and in specific features such as the simplified risk management framework for non-complex firms.
But it has also been very important that as we design the more detailed regulatory rules we continue to embed proportionality at every step of the way. This we have done. Let me give you some examples:
The RTS on the Risk Management Framework has been designed mindful of the wide variety of financial entities that differ in size, structure, internal organisation, and in the nature and complexity of their activities. In addition to a simplified ICT risk management framework for smaller financial entities, a strong emphasis on proportionality is incorporated in relation to ICT security policies, procedures, protocols and tools. For example, in the provision that financial entities should be allowed to use any existing documentation to comply with documentation requirements, and in the very important Article 1 of the RTS, which permits firms, and requires supervisors, to take into account elements of increased or reduced complexity and risk.
With regard to ICT incident reporting, proportionality was a strong consideration. For example, when drafting the RTS on the classification of ICT related incidents the quantitative values have been set purposely high to reduce the burden on smaller entities. Smaller or less complex firms would be exempt from having to report over the weekend.
In the RTS on Threat-Led Penetration Testing the selection criteria have been tested to ensure only the biggest and most appropriate financial entities will become subject to TLPT requirements.
One topic that has been closely considered in the finalisation of the new framework is what should be expected of financial entities when it comes to the monitoring of the chains of subcontractors, sub-subcontractors, sub-sub-subcontractors and so on, that now constitute an important part of the digital operating environment.
Stakeholders have been concerned that they might find themselves subject to regulatory requirements for detailed knowledge, monitoring and engagement which would be impossible or very difficult to achieve. Requirements that would in fact be unrealistic. We regulators fully recognise this concern. And we agree with it. The new framework should not and must not impose requirements that are not aligned with sound but reasonable business practices. This is why we have come up with a very straightforward and reasonable approach.
When firms carry on activities themselves, they are responsible for them. This remains the case when they are outsourced. That is a fundamental principle, and it cannot be otherwise.
So what then does this mean in this context? Well, it means that firms that outsource remain responsible for all the activities that are outsourced. This means that they need to have ongoing knowledge about the overall functioning of the chain or "tree" of subcontracting arrangements, and this means that there should be appropriate monitoring of the overall functioning of that "tree". It does not mean that each link in the chain needs to be monitored. For example, one way of fulfilling the responsibility may be to make sure that primary or material subcontractors themselves have in place an approach to subcontracting and due diligence that is robust and appropriate.
Where more detailed monitoring should be required is in respect of those subcontractors that are material to the critical or important functions of the firm. And again this is fully embedded in the proportionality principle and the idea that expectations for oversight should be aligned with responsibility for the firm’s activities whether or not they have been outsourced.
Engagement
A key aspect of Digital Operational resilience is that it is an ecosystem construct. In the same way as network effects bring further benefits the more initial benefits are achieved, something similar applies in the context of an ecosystem construct. The more we can achieve enhanced resilience across the ecosystem the more individual participants will benefit. This supports further enhancements by them which redounds in turn to the benefit of the system.
All of which is to say that taking an ecosystem perspective, ensuring high levels of engagement with stakeholders as we have been developing the regulation, has been a key part of our approach.
In developing the regulatory proposals we have, as you know, carried out two full-blown consultation exercises, resulting in close to 900 responses being received. These responses have been very important in finalising the framework. In addition, of course, there have been numerous stakeholder events and engagements, more or less informal, including events such as this timely one in Brussels today.
But engagement is as much about the spirit and approach adopted as it is about the activity itself. It has been important to us to engage in such a way that we were really listening not only to the questions and suggestions of stakeholders but to their insights and rich experience. We have been successful in this. And the proposed framework has benefitted.
Let me set out just a few examples of the ways that the engagement carried out has impacted the development and finalisation of the proposals. With the health warnings that (a) the finalisation work is still ongoing; and (b) providing a few examples in no way does justice to the rich and detailed impact that the input received has had on the finalisation of the regulations. So, a few examples:
The RTS on the classification of ICT related incidents as major (and hence reportable) was amended so that it is clearer, simpler and more straightforward for financial firms to perform the classification of major ICT incidents under DORA at a time when the financial entity is dealing with an incident. For example, the criterion 'critical services affected' is now a mandatory condition that should aid a quick triage of ICT incidents. Also, a number of the materiality thresholds have been changed based on feedback received and the approach for recurring incidents was simplified to minimise reporting burdens.
On incident reporting, we received feedback on the timelines and content. While this is still being finalised we hope to adjust this a little further to provide some more flexibility. Though in general, our view has been that the original proposal contained more flexibility than some of the comments received reflected. We are also looking at a reduction in data fields to reduce the proposed reporting burden.
In relation to the register of information on third party arrangements the quantity of information requested is proposed to be further reduced and rationalised. For example, while still being finalised, we are hoping to rationalise a little further the approach to reporting at entity level and at sub-consolidated level.
On threat led penetration testing (TLPT) I anticipate that you will recognise, in response to feedback received on the proposals, efforts to add clarity in the selection criteria for insurance and reinsurance undertakings, on the provisions for TLPTs involving several financial entities and/or ICT providers, and revisions providing more flexibility in the requirements applicable to testers and threat intelligence providers in conjunction with appropriate risk management measures.
As I say, these are just a few examples of areas where the responses received have allowed us to adjust our proposals to make them better.
Oversight of Critical Third Party Providers
Finally let me say a few further words on the new oversight regime for critical third party service providers (CTPPs).
Bringing critical third-party providers of ICT services to financial entities under an oversight regime reflects the important role that these technology firms have in the functioning of the financial system. At the same time it recognises that these technology firms are not providers of financial services but rather the providers of outsourced activities. And financial entities, receiving services from CTPPs, remain fully responsible for the respective ICT outsourcing activities and ICT services received.
Over recent months, the ESAs and national competent authorities have established a High-Level Group on Oversight that is helping oversee the establishment of the operational aspects of the new framework.
One key aspect, of course, will be the designation of those third party ICT service providers which should be considered critical (so-called Critical Third Party Providers or CTPPs) in accordance with the delegated act adopted in February. The designation is of course dependent on the collection and analysis of the registers of information on ICT outsourced services, which I have discussed above in the context of the ongoing work to have the new registers of outsourcing arrangements up and running on time.
Work is under way to develop the arrangements to put in place the new Joint Examination Teams (JETs) which will be the collaborative teams established under the coordination of the Lead Overseer to carry out the oversight of individual CTPPs.
Given the challenges that will inevitably be faced in setting up and running a wholly new oversight framework such as this, high quality cooperation and collaboration will be essential to success. This is particularly the case given the general scarcity of the expert resources that will be needed to implement a regime at once technically, logistically, and strategically as complex as this.
Luckily this has been very well understood by the Level 1 legislators, who have embedded important structural concepts designed to optimise the early and ongoing success of the new framework. The approach is both balanced and nuanced. It provides, very appropriately, for leadership to be provided by one or other of the ESAs as Lead Overseer.
The Lead Overseer will carry out their work through Joint Examination Teams, which are to consist of ESAs staff and staff from relevant competent authorities. This collaborative approach, with ESAs and competent authorities working together to achieve the shared outcomes sought, is currently being fleshed out, with good progress being made.
Conclusion
In conclusion, let me thank you for your attention here this morning.
But more importantly for your engagement and contribution to the development and implementation of the new EU Digital Operational Resilience framework which is about to become such an important feature of a well-functioning financial system supporting a successful economy and the financial wellbeing of citizens into the future.
We have come a long way. We are largely on time. But there remains much to do.
I look forward to our panel discussion in a few moments.
Thank you.