On 20 July 2024, a software update malfunction brought global systems to a standstill, disrupting airports, hospitals, and access to bank accounts. This incident vividly underscored the vulnerability of digital infrastructures and the critical need for resilient IT systems.
The Digital Operational Resilience Act (DORA) seeks to address these challenges by establishing an EU-wide framework for digital operational resilience. To operationalise these objectives, Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS), and Guidelines (GL) have been developed. The second set of standards was published on 17 July 2024, providing financial institutions with detailed guidance on their implementation.
This article examines the most significant changes introduced by the second phase of DORA for financial institutions.
Notification of serious ICT-related incidents
The updated standards aim to improve the responsiveness and resilience of financial institutions by defining clear requirements for reporting ICT-related incidents. The key changes include:
- Extended reporting deadlines: Companies now have more time to gather and prepare the necessary information. The initial reporting deadline ranges between 4 and 24 hours after an incident is classified as "serious". Subsequent deadlines are based on the timing of the previous report, rather than the incident’s classification. An interim report must be submitted no later than 72 hours after the initial notification, and a final report is due within one month of the last interim report.
- Weekend and public holiday reporting: Institutions are no longer required to submit reports on weekends or public holidays. Instead, reports must be filed by midday on the next working day.
- Simplified reporting template: The number of mandatory report fields has been reduced from 84 to 59, with the initial notification requiring only 7 fields, down from 46.
Aggregate reporting: Third-party suppliers or financial groups may now submit a single, aggregated report on behalf of all concerned institutions, subject to certain conditions.
Guidelines for estimating aggregate costs and losses
New guidelines on estimating aggregate costs and losses from major ICT incidents aim to simplify financial reporting to the authorities and enhance data comparability. Key improvements include:
- Choice of reference year: Financial institutions now have the flexibility to choose either the calendar year or their financial year for reporting purposes.
- Simplified cost estimation: Institutions are no longer required to estimate both gross and net costs and losses. Only gross costs and losses are necessary, easing the administrative burden by eliminating one calculation step.
Threat-Led Penetration Tests (TLPT)
With the implementation of DORA, Threat-Led Penetration Tests (TLPT) have become mandatory for financial institutions, following the TIBER-EU framework. A Regulatory Technical Standard (RTS) on TLPTs has been issued, detailing which institutions must perform these tests and under what criteria. Key changes include:
- Refined criteria for TLPT obligation: The criteria for determining which financial undertakings are required to carry out TLPTs have been clarified. These criteria now consider factors such as the institution's "impact on the financial sector" and potential "financial stability concerns." Financial institutions must reassess their status under these updated criteria, some of which have been relaxed. For example, the threshold for payment institutions has been raised, requiring payment volumes to increase from €120 billion to €150 billion over two consecutive years to trigger TLPT obligations.
- In-house testers’ employment period: The employment duration required for in-house testers has been reduced from two years to one, providing more flexibility for institutions.
- Clarification of "Pooled TLPTs" and "Joined TLPTs": Both concepts have been clearly defined in the revised RTS. Additionally, the flexibility to conduct tests at individual or group levels has been increased, providing institutions with more options for conducting TLPTs.
Management of third-party subcontracting
The RTS on outsourcing management for critical or essential functions sets out comprehensive governance, risk management, and internal control frameworks that financial firms must adhere to when using third-party ICT service providers. Key principles include:
- Principle of proportionality: Regulatory authorities have emphasised the principle of proportionality in risk management. Article 1, for instance, extends the risk profile to various classifications and introduces additional requirements depending on the size and significance of the financial undertaking.
- Supervision of the subcontracting chain: Financial institutions are now required to document and monitor the entire ICT outsourcing chain. This includes complying with Article 28(3) of DORA and the ITS on information registers. Institutions must assess risks before entering into contracts and ensure subcontractors meet the necessary quality standards for critical ICT services. Additionally, institutions are required to secure regulatory compliance in their contracts with third-party ICT service providers and ensure adequate resources for continuous monitoring throughout the outsourcing chain.
Promising changes for the future
DORA signals a new chapter in enhancing digital resilience across the financial sector. The final drafts published by European regulators, following extensive consultations, reflect the industry’s commitment to building a more secure and stable ICT landscape at a manageable cost. The revisions, informed by feedback from financial institutions, demonstrate that a cooperative approach between regulators and the sector is not only achievable but highly beneficial.
How can Sopra Steria help you?
The second phase of DORA has introduced numerous clarifications and adjustments to the original requirements. Sopra Steria can assist your organisation in interpreting and integrating these changes into your DORA roadmap.
DORA will take effect on 17 January 2025, leaving financial institutions a limited window to implement the necessary changes. Those that have yet to conduct a gap analysis should prioritise doing so immediately. Implementing DORA is not just a regulatory obligation but a chance to enhance customer trust in the digital resilience of the financial sector.
Together, we can help you navigate the challenges and capitalise on the opportunities that come with strengthening digital resilience. Leverage our expertise in cyber risk management, bolstered by our integrated vision and sophisticated tools, especially in the context of TIBER-EU.