Counting Down to DORA Compliance: Recent Developments

With less than three months remaining until the implementation date of the EU Digital Operational Resilience Act (DORA), this note highlights recent developments in the EU’s efforts to facilitate firms’ transition to DORA compliance by the 17 January 2025 deadline. 

Potential Standardisation of Threat-led Penetration Testing

In September 2024, the European Central Bank (ECB) published a paper (Paper) on the European framework for threat intelligence-based ethical red teaming (TIBER-EU framework). The Paper aims to help national competent authorities (NCAs) and financial entities (FEs) equip themselves to fulfill the threat-led penetration testing (TLPT) requirements under DORA. 

The Paper considers the benefits of the TIBER-EU framework for NCAs and FEs in the context of DORA, and suggests that, because the framework is already established and widely used in the EU, it could readily serve as a common solution for FEs in complying with their TLPT requirements under DORA.

By way of background, TIBER-EU is a common European framework that delivers a controlled, bespoke and intelligence-led red team test of FEs’ critical live production systems. Sixteen EU Member States have already implemented the TIBER-EU framework with more Member States in the process of adopting it, and still yet others have expressed an interest in doing so.

The Paper argues that the TIBER-EU framework could operate as a handbook or a set of detailed guidelines on how to complete DORA TLPT in a qualitative, controlled and safe manner. In that regard, the Paper notes that the TIBER-EU framework will give NCAs and FEs comprehensive support in fulfilling TLPT requirements under DORA. In particular, it provides guidance on how NCAs, FEs, threat intelligence providers and red team testers should work together to test and improve FEs’ cyber resilience by carrying out controlled cyber attacks.

The ECB explains that there are no differences between the existing TIBER-EU framework testing process and the upcoming TLPT process set out in DORA. 

Director Appointed to Lead Joint Oversight under DORA

On 1 October 2024, the European Insurance and Occupational Pensions Authority published a press release (Press Release) announcing that the Joint Committee of the European Supervisory Authorities (ESAs) has appointed Marc Andries as the Director to lead their joint oversight under DORA.

Mr Andries will lead the ESAs’ new joint Directorate in charge of oversight activities for critical information and communication technology (ICT) third-party providers (CTTPs) under DORA. In such role, Mr Andries will be responsible for implementing and running an oversight framework for CTPPs at a pan-European scale.

ESAs’ 2025 Work Programme 

On 4 October 2024, the ESAs published their joint work programme for 2025 (Work Programme).

The Work Programme sets out the ESAs’ priorities for 2025 which includes, among other things, digital operational resilience. The Work Programme notes that the ESAs will continue to have a strong focus on DORA-related work and will also continue to co-ordinate the implementation of DORA. 

By mid-January 2025, the Work Programme states that the ESAs will have delivered all DORA policy mandates envisaged in Level 1 measures, following which the ESAs will focus on supervisory convergence work on the application of DORA framework. Notably, certain policy mandates (e.g., incident reporting and TLPT) may require joint governance processes among authorities that will need to be further defined in 2025. 

The ESAs will also begin to implement the oversight framework for CTPPs as well as the major ICT-related incident co-ordination framework required by DORA. In the first part of 2025, the ESAs will develop the necessary oversight procedures and methodologies, such as establishing the Oversight Forum and Joint Oversight Network, and collecting the relevant information to assess the criticality of the ICT third party service providers (TPPs). Following this, the ESAs will designate the first group of CTPPs, set up the Joint Examination Teams and begin the core oversight activities.

ESAs’ Opinion on the Register of Information 

On 15 October 2024, the ESAs published an opinion (Opinion) on the European Commission (Commission)’s amendments to the draft implementing technical standards (ITS) on registers of information under DORA. 

In accordance with Article 28(3) of DORA, FEs are required to maintain and update a register of information relating to all contractual arrangements on the use of ICT services provided by TPPs. Article 28(9) of DORA mandated the ESAs to develop draft ITS on the standard templates for the purposes of the register of information. The Commission recently sent a letter to the ESAs rejecting the draft ITS, on the basis that FEs should have the choice of using European unique identifiers (EUIDs) as well as legal entity identifier for EU TPPs, and proposing a revised version of the ITS.

In the Opinion, the ESAs set out their concerns regarding the introduction of the EUID as an alternative identifier. In particular, they consider that this would require unexpected implementation and maintenance efforts and costs for FEs due to changes in the register templates and the need to collect and provide additional information.

Annexes 2 and 3 to the Opinion set out proposed amendments to the draft ITS intended to address the introduction of the EUID, if the Commission proceeds with its proposed policy. In addition, the ESAs suggest additional technical amendments to the ITS, as a result of feedback received from the voluntary dry run exercise carried out by the ESAs during 2024.

The Paper, Press Release, Work Programme and Opinion are available here, here, here and here, respectively.