DORA Compliance: Untangling Key Hurdles to Implementation

Key Industry Challenges

With the deadline for compliance rapidly approaching, there are some concerns with firms’ abilities to respond to and apply the DORA requirements by the implementation date, particularly for firms that had not already built most of the required capabilities. Five key concerns are presented below.

1. Constraints with obtaining data points and conducting analysis may lead to excessive reporting, detracting from the effective management of ICT-related incidents

The final technical standard for ICT-related incident classification has been released, and along with the additional draft requirements for compulsory and standardised incident reporting further raises concerns that a strict interpretation could result in a disproportionate amount of reporting at the expense of effectively managing ICT related incidents.

• The potential for over-reporting could dilute the effect of truly meaningful notifications. This may also contribute to a material increase in overhead associated with all incidents.
• The definition of ‘critical services affected’ within the Delegated Act on classification of major incidents is lacking in proportionality and is at risk of capturing essentially all incidents, by virtue of Article 6(b), which references the impact of any service which requires authorisation, registration, or that is supervised. Firms may struggle to create the data-collection tools and processes needed to fully comply with this requirement, leading to excessive time and effort needed for data collection over incident management.
• Clarification is sought in terms of the intent of criteria detail in Article 6(b) (i.e., ‘affects financial services that require authorisation registration or are otherwise supervised by competent authorities’). AFME has called on the European Supervisory Authorities (ESAs) to require all three classification criteria to be met, as opposed to ‘any’ or a single criterion. Some believe the current draft should be interpreted to require firms to report on every major ICT-related incident, or security or operational payment-related incident, given the expansive purview of the criteria. As a result, some firms are interpreting the draft to require that an incident be assumed notifiable until evidence can be obtained to demonstrate that it is not major, creating significant overreporting.
• If the root cause of an ICT-related incident is the same as any major or non-major ICT-related incident in the previous six months, then both incidents would need to be reported. In addition, the requirement to report recurring incidents will make it necessary for firms to conduct a root cause analysis on all ICT-related incidents, no matter the severity. It represents a material reallocation of incident management resources toward documentation and classification work. In practice, given the unfeasibility of conducting this analysis across all ICT-related incidents, firms will need to apply their own internal classification to determine which ICT-related incidents to assess according to the DORA requirements.
• The attribution and subsequent tagging of incidents is typically conducted at the enterprise level given most firms are running global systems, rather than at the legal entity level. Understanding the change impact, related dependencies, third-party relationships, and ultimate jurisdictional impact at a legal-entity level is predicted to be a significant challenge for firms.

Significant amount of time and resources will likely be needed for firms to meet the incident reporting requirements by the January 2025 implementation date; in addition, the significant incremental amount of time and resources would persist into perpetuity.

2. The large volume of potentially in-scope ICT third-party providers and the lack of automation poses complexities with fulfilling the third-party risk management requirements, including contract management and completion of the register of information.

Third-party risk management and subsequent contract management raises concerns across the sector given the material number of third-party providers and subcontractors within firms’ service supply chains.

• The task of filling out numerous fields in the Register of Information, particularly across diverse populations of ICT third-party service providers and subcontractors, is daunting. The register requires several new data points previously not required for EU outsourcing registers by financial entities. It may also require certain subcontractors to be treated as direct third-party providers for the purposes of the Register, despite the lack of direct contractual agreement.^[2] Given that the primary objective of the DORA register is to provide authorities with insights into critical third-party providers and to help inform their designation under the DORA oversight framework, there is a shared sentiment across institutions that this task may not be in proportion to its intended purpose. Leniency on the delivery dates for certain data requirements would be welcomed, for example on providing Legal Entity Identifiers (LEIs) for all ICT third-party providers.
• Authorities continue to overestimate the extent of automation of data-collection processes; many firms will be dependent on manual efforts to maintain and submit the register of information. There is minimal confidence in existing repositories that are comprehensive, current, and in the prescribed format required by DORA, thus requiring substantial reliance on the broad network of relationship owners and service subject matter experts to obtain or reformat this data. Consequently, this could lead to a high degree of discrepancy in the quality and accuracy of the data.
• The time frames to review and renegotiate the volume of contracts by January 2025 may not be feasible without a proportionate approach to supervision by the authorities. Further, there is no assurance that vendors will be willing to accept the contractual changes. Requiring financial entities to oversee the entire subcontracting chain of their ICT providers and to review contracts between their vendors and their subcontractors is a challenge and subject to commercial sensitivities. This may create confusion by obligating the financial entity to act like a supervisor, which is not the intent of the regulation.

AFME has called for the ESAs to explicitly set out in the final report due 17 July 2024 that it is limited to those sub-contractual arrangements effectively underpinning Critical or Important Functions (CIFs), as was the case with the Delegated Act for the Register of Information.

3. The potentially broad scope of threat-led penetration testing (TLPT) and the involvement of third-party providers in the scope of a firm’s TLPT could place pressure on firms’ ability to manage the TLPT exercise.

The limited experience and minimal level of guidance to execute threat-led penetration testing (TLPT) alongside third parties may constitute a risk to financial institutions. Further consultation with the industry is sought before pooled testing and the inclusion of third-party providers can be considered feasible. There is also ambiguity in the RTS^[3] concerning the application of TLPT to Critical or Important Functions (CIFs). This could drive excessive testing if TLPT becomes a ‘tick-box’ exercise requiring evidence against every CIF.

• The RTS on TLPT has unclear language regarding how a TLPT authority would consider the scope or relevance of a test for ‘the facilitation of mutual recognition’. The reference to CIFs within the Technical Standard’s text and supporting Annex infers that a TLPT could be on the basis of services, instead of the defensive capabilities of financial entities. Additionally, for the purposes of management reporting, there are concerns whether the testing would be duplicative, in terms of the infrastructure and underlying assets and systems. While CIFs may be an appropriate targeting mechanism, attempting to cover all CIFs, or to view TLPT as a standard control, may introduce excessive testing across all Member States on the same ICT systems and control teams.
• The expectations for third-party involvement in TLPT activities must be clearly stipulated given the minimal level of guidance and limited experience in the sector. The authorities abstaining firms from including third parties within the scope of initial TLPT exercises, until full guidance can be developed in collaboration with industry, would be welcomed. In the absence of such clarity, a pooled test could result in significant cybersecurity risk, operational difficulty, and legal complications. AFME has called on the ESAs to develop guidance on TLPT, similar to the information provided for purple teaming exercises.

The industry welcomes the close adherence to TIBER-EU that the authorities have achieved in the draft RTS. However, the potential expansion of TLPT testing to a wide set of a firm’s CIFs and the inclusion of third parties in testing may create risks to the smooth functioning of a TLPT testing programme.

4. The subjective nature of the DORA definitions and the unclear notion of proportionality may increase the scope and subsequent time and effort required to adhere to regulatory requirements.

The subjective nature of DORA definitions and terminologies, such as CIF, will influence the scope and the requisite time and effort to adhere to regulatory requirements. Firms should be proportionate by applying the compliance requirements according to their size and overall risk profile, and the nature, scale and complexity of their services, activities and 
operations. The concern is that firms will be reprimanded given differences in the application of proportionality across the sector or on the basis of Member State supervisory perspectives.

• Firms have applied varied approaches to ensure that their CIF listing is complete and accurate, commonly weighing whether to leverage existing firmwide assessments versus regional criticality assessments of services, such as the Basel Committee on Banking Standards forums on critical operations, or the UK’s important business services (IBS) methodology. An inflated final list of CIFs may have downstream implications, including additional systems falling into the purview of testing or additional service providers requiring contract renewal. This could make it hard for firms to manage their resilience programme and may create resource constraints for enhanced resilience programmes.
• The notion of proportionality appears throughout the DORA text and supporting technical standards. However, in the absence of standardised directives, there may be disparate approaches in the application of proportionality across firms. Additional prescriptive text on proportionality is not sought after. Instead, there is a desire that any differences in the interpretation and application of proportionality across the sector will not be negatively marked.

Firms are of the understanding that providing adequate rationale and holding a defensible position in their approach to CIF identification and their application of proportionality across the requirements, is sufficient in meeting the overarching regulatory mandate.

5. The January 2025 compliance date may be impractical for some firms without a proportionate approach to supervision and enforcement.

There is still ambiguity in terms of what is fundamentally required by the January 2025 compliance date and whether there is flexibility for certain requirements to be managed following this specific date.

• Taking the register of information as an example, firms may struggle to produce the requisite data from their entire supply chain if the authorities anticipate information collection by the deadline date.
• Similarly, DORA does not allow for a transitional period for contract uplift, as is standard in regulations mandating new contractual terms. Many firms will churn through numerous contracts but will only be able to commence the process of remediation when the final technical standard4 on subcontracting is published, despite this likely being only a couple of months ahead of the January application deadline. There is also concern that needing to choose between achieving the desired contractual terms and meeting the tight deadline may lead many to accept inferior terms from their service providers.

Firms will likely have to prioritise register compilation and contract uplifts for ICT third-party service providers supporting CIFs in the first instance, and subsequently work through their contact backlog in line with contract renewals, in order to meet the January 2025 deadline.

1. The European Commission has adopted three more Delegated Regulations for DORA and is now for European Parliament and the Council of the EU to scrutinise and adopt the delegated acts. Refer to: https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en.

2. The Final Report on Draft Regulatory Technical Standards specifies the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats.

3. The RTS will specify threat-led penetration-testing aspects.