Receive the latest insights, news and more direct to your inbox.
The Evolution of DORA
On December 8, 2023, the European Supervisory Authorities (the ESAs) launched a public consultation on the second batch of policy mandates under the Digital Operational Resilience Act (DORA). On July 17, 2024, the ESAs published the final reports on these policy mandates. The most noteworthy changes for in-scope financial entities emerged across the following areas:
- Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats.
- RTS on threat-led penetration testing (TLPT).
- Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents.
The final report on the RTS on subcontracting ICT services supporting critical functions has not yet been published. Given that this area lacks clarity and continuously presents challenges for financial entities, all are eagerly awaiting the report’s release.
Key DORA Updates
With the looming compliance deadline of January 17, 2025, financial entities are keen to understand the changes between draft and final reports, especially as they progress their assessment and implementation efforts to meet DORA requirements. The below information outlines the most important changes for in-scope entities from the July 2024 reports.
The key changes to DORA regarding TLPT relate to testing criteria, the conducting of testing and the requirements for testers.
- Testing criteria: The ESAs revised and updated the selection criteria for financial entities. The criteria now includes impact-related factors, potential financial stability concerns, ICT risk profiles and levels of ICT maturity. They also increased the threshold for payment institutions to 150 billion euro.
- Conducting of testing: The report clarifies aspects of pooled testing and joint TLPT and when purple team testing should take place.
- Requirements for testers: The ESAs reviewed and eased requirements for testers, introducing flexibility by broadening tester experience criteria from experience in TLPT to experience in penetration testing and red teaming.For internal testers, they have reduced criteria about the required tenure length for holding a role within the financial entity from two years to one. The second batch of DORA mandates also contain a provision making it possible for financial entities to choose TLPT providers that do not meet all requirements in the case of exceptional circumstances.
The changes introduced to the ICT-related incident-reporting regime for financial entities relate to the scope of incidents that require reporting, the timelines for reporting major incidents and the data points for major incident reporting.
- Scope of incidents to be reported: The changes reduce the scope for mandatory weekend and bank holiday reporting by excusing smaller entities from reporting the initial notification in relation to incidents. Not all financial entities are obliged to maintain a 24/7 incident reporting support function. The updates also introduce aggregated incident reporting for instances where a single incident has impacted multiple financial entities.
- Timelines for major incident reporting: The updates extend reporting timelines for financial entities: rather than begin from the moment when the incident is classified, the 24 hour / 72 hour reporting windows will begin when the prior notification or report is submitted. Regarding weekend and bank holiday reporting, the previous time limit of one hour for submitting notifications and reports has been extended, and financial entities now have until noon on the first working day to do so.
- Data points for major incident reporting: To reduce the workload for financial entities dealing with an incident, the ESAs;
- Reduced the number of reporting fields in the reporting template from 84 to 59,
- Reduced the number of reporting fields in the initial notification from 17 to 10, and
- Reduced the number of mandatory fields required across all three reports (initial, intermediate and final). For example, the initial notification was reduced from nine to seven. Overall across the three reports, the total number of mandatory fields has gone from 37 to 28.
The final report introduces two major changes for the estimation of costs and losses. These changes will allow for additional flexibility and seek to further reduce the reporting burden on financial entities.
Financial entities can now choose which reference year they want to use, either the accounting year or the calendar year, and they are no longer required to include and report the net costs and losses.
How Grant Thornton can help you reach DORA compliance
Our team of subject matter experts supports institutions of all sizes in their ongoing journey to DORA compliance. We can provide a different combination of service offerings, depending on your organisation’s specific requirements, to create a best-fit model for DORA implementation that ensures compliance by the January 2025 deadline.
Our first-hand experience, bolstered by our involvement with our EU network of firms, brings strength and depth to our service offerings. Our clients attest that by clarifying the scope and key dependencies, we have helped them avoid potential pitfalls and ensured compliance to the standard required.