The Digital Operational Resilience Act: the next step in a connected digital world

Contribution by Anneli Tuominen, Member of the Supervisory Board of the ECB, for Eurofi Magazine

20 February 2024

The Digital Operational Resilience Act (DORA) aims to achieve a high common level of digital operational resilience across European financial entities. This is a welcome step in an increasingly connected world that is ever more exposed to cross-border information and communication Technology (ICT) risks and cyber risks.

The Act lays down requirements for ICT risk management, reporting major ICT-related incidents to supervisory authorities, digital operational resilience testing and the sound management of ICT third-party risk. It provides a direct legislative basis for the work we have been performing for several years as part of our supervisory priorities^[1], including collecting information on cyber incidents from banks. In addition, it establishes an oversight framework for critical ICT third-party service providers.

The joint committee of the European Supervisory Authorities submitted the first set of final draft technical standards to the European Commission, addressing items such as ICT and third-party risk management as well as incident reporting frameworks.^[2] The ECB welcomes these final draft technical standards. Given the tight timeline for developing the legislation and its potentially complex implementation, I believe that stakeholders may find it challenging to meet all the requirements in a timely manner, particularly the new ones relating to threat-led penetration testing (TLPT) and oversight of critical third-party providers (CTPPs).

However, there are ways of facilitating a successful outcome, including interaction with stakeholders, which will be key. For example, oversight of CTPPs will be an important addition to the regulatory and supervisory framework. The criteria used to define the list of CTPPs will be very important. It will therefore be essential to involve the relevant stakeholders at this stage. At this juncture, it may also be worth considering consistency and interoperability between authorities from other jurisdictions. In addition, oversight of CTPPs will require close monitoring and possibly on-site inspections similar to those carried out for financial intermediaries. It is important that CTPPs will be ready to take part in these discussions.

Regarding the set up and organisation of the work of the joint examination teams (JETs), we will need to go through a full oversight cycle before we are able to establish a comprehensive operating process for them. Further clarification on the number of CTPPs and the type of resources needed, for instance, could help to ensure that the competent authorities provide the appropriate level of support. By building on their shared experience, regulators and supervisors should ensure that priorities for the JETs are correctly established. They should also ensure the teams have the requisite balance of competencies and flexibility to perform the tasks assigned to them. How the teams actually operate is likely to evolve over time.

DORA will have a significant impact on banking supervision activities. First, supervisory practices will have to adapt to overseeing new types of entities and working in a new operating environment where innovation is continuous and driven largely by technology. Second, the Act will help to reinforce supervisory activities. For instance, as mentioned earlier, it will help to improve the cyber-incident reporting framework in place since 2017 by streamlining it and making it more consistent. DORA will also create several new tasks, including conducting TLPT and the contribution to JETs in charge of the oversight of critical third-party service providers.

To perform these tasks, we will need to update the existing methodologies and toolkits used to supervise ICT risk and monitor the impact of technology on business models. The improved understanding of ICT risk introduced by DORA will need to be integrated into the overall supervisory view on banks' safety and soundness. A specific approach will be needed for CTPPs due to their specific technical nature and the additional amount of work overseeing them is likely to generate.

Finally, let me add that a mechanism for sharing information and achieving a common level of digital resilience is very important since digitalisation affects operational resilience and banks become more dependent on third-party service providers. At the same time, we should not forget that having DORA in place, does not mean that all risks are managed. We need to closely monitor the evolution of more sophisticated cyber threats originated by criminal and government attackers. DORA is a step in the right direction that will help us rise to these challenges together.