Implementation deadline
Regulations implementing the requirements of the Digital Operational Resilience Act (DORA)1 are set to become effective from 17 January 2025, now just weeks away. DORA will seek to address information and communication technology (ICT) risk management within the financial services sector and to harmonise existing ICT risk management regulations across individual EU member states. It also aims to facilitate the oversight of ICT service providers.
These regulations, which were published in the Official Journal of the European Union on 27 December 2022, are supported by two sets of “technical standards,” namely Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). These technical standards were subject to public consultation, split into two batches, the first of which was finalised for submission to the European Commission (for adoption and subsequent publication in the Official Journal) on 17 January 2024 and the second of which was finalised on 17 July 2024. This has squeezed the available timeframe over which firms have been able to fully prepare for the new requirements, although some would argue that most of the broad brushstrokes of the requirements have been known for some time now. However, the detail is very important, and it is only when all of the requirements have been finalised that firms are able to fully assess their readiness.
Final elements
There are still a number of key regulatory components which remain pending or under review. For instance, the ITS on the information register was recently rejected by the European Commission, and both the RTS on subcontracting and Threat-Led Penetration Testing (TLPT) are still under scrutiny, with further delays expected in the case of the RTS on subcontracting.
The regulations set out criteria which firms need to use in order to determine whether or not they are subject to TLPT. For the avoidance of doubt, though, firms required to conduct TLPT will be notified by the Central Bank of Ireland (CBI) in the coming weeks. It is anticipated that approximately 30 financial entities in Ireland will be subject to TLPT.
The CBI has taken a pragmatic approach to implementation, encouraging firms to take what it considers to be reasonable steps as regards day-1 compliance with the new requirements, and placing a firm focus on understanding the gaps that will remain by 17 January next year. Not only will firms need to fully understand these gaps but they will also need to have well thought-out and realistic plans in place to address these gaps in a timely manner.
Depending on the severity of any issues identified, the CBI may take action, including enforcement action. However, its primary focus during 2025 will be on ensuring a high-quality implementation of DORA, prioritising thorough compliance over rushed or incomplete implementation.
The regulator has also been clear that compliance is not a one-and-done exercise. Instead, continuous review and improvement will be expected in order to further enhance digital operational resilience over time.
While helping to alleviate the immediate strain associated with day-1 compliance, this approach potentially poses heightened compliance and reputational risks for firms. What happens if there is a major ICT incident, for instance a cyberattack which disables key systems and compromises the firm’s ability to continue to service its customers, and it occurs between 17 January 2025 and the time at which full compliance is achieved? Worse still, what happens if the event in question arose as a result of one of the gaps that the firm had identified prior to the implementation deadline? This is where it becomes critically important to have the right governance and risk management processes in place, and to ensure that all key stakeholders are fully aware of the risks being accepted in the event that significant gaps exist.
The CBI has confirmed that proportionality may be applied at the local entity level, allowing smaller entities within larger groups to be subject to more tailored, less stringent requirements based on their size and scale.
Mind the gap
Many of the remaining gaps at this stage are firm-specific. However, some common challenges are starting to emerge. One of them is the ability to implement network partitions, as required by the regulations, in order to appropriately segment a firm’s ICT network. With network partitioning in place, even if an attacker successfully breaches the firm’s cyber defences, segmentation will confine their access to the isolated part of the network that was breached, thereby limiting the potential damage they can inflict. DORA also requires certain specific contractual provisions to form part of third-party ICT outsourcing relationships. The process involved in identifying these contracts and the gaps in their wording, relative to the required contractual provisions, is a task not to be underestimated. Many firms with significant numbers of outsourcing relationships are struggling with the volume of work involved here, and already recognise that this work will continue well past the 17 January implementation deadline.
From our work with clients, there are several further challenges that firms are grappling with at present. Being crystal clear on their critical functions and the ICT systems and processes that support them is one key area. In cases where there is outsourcing of such ICT systems and processes, the extent of the look-through that needs to be applied (as regards sub-outsourcing) may also be unclear. This is true of both intragroup and external third-party relationships. In an Irish context, and against the backdrop of the Senior Executive Accountability Regime (SEAR),2 evidencing that reasonable steps have actually been taken in relation to DORA compliance—especially where full compliance has not been achieved by the formal implementation deadline—may also be a significant challenge.
What next?
A clear next step for all firms in their DORA implementation journey is to perform a thorough stock-take at this stage, to assess where exactly they are relative to the requirements. Identifying and recording the remaining gaps in a systematic way, along with ensuring that there is a detailed and well-documented implementation plan in place to address them in a timely manner, is of critical importance. In general, many firms are in a good position, but unless it is already clear that there is full compliance it will still be necessary to carry out such an assessment.
The clock is ticking!
1 The full text of Regulation (EU) 2022/2554 is available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554&from=EN.
2 The full text of the SEAR regulations is available at https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp153/sear-regulations.pdf?sfvrsn=c4f0631a_1.