DORA Regulation: ICT Risks with CTPPs, Reporting, and EUCLID
The ESAs publish updates under the DORA Regulation, covering CTPP designation, EUCLID reporting, and validation rules, to strengthen the financial sector's resilience against ICT risks.
On November 15, 2024, the European Supervisory Authorities (ESAs)—comprising the EBA, EIOPA, and ESMA—released critical updates under the Digital Operational Resilience Act (DORA Regulation). These updates provide a structured roadmap for managing risks associated with ICT third-party providers in the EU financial sector. The updates include requirements for the submission of detailed registers of information by April 30, 2025, centralized reporting through the EUCLID system, and the establishment of validation rules for ensuring data quality. These regulatory measures aim to enhance resilience, mitigate systemic risks, and standardize operational practices across the EU.
Key Regulatory Developments in the Digital Operational Resilience Act (DORA)
The DORA Regulation addresses the growing digital transformation within the financial sector and the rising reliance on ICT third-party providers. Recent incidents of cyberattacks and operational failures have highlighted the urgent need for a robust framework to mitigate these risks. These updates aim to fortify operational resilience, ensuring financial stability and trust in a digitalized economic landscape.
1. Designation of Critical ICT Third-Party Providers (CTPPs)
Under Article 31 of the DORA Regulation, the ESAs are mandated to annually designate ICT providers as critical based on their systemic importance to financial stability. The designation process follows these regulatory updates:
- Assessment Criteria: Criticality is determined using specific benchmarks outlined in the Delegated Regulation (EU) 2024/1502. These include:
- Service criticality and substitutability.
- Levels of interdependencies across financial entities.
- Potential systemic risks from operational failures.
- Collaborative Data Collection:
Competent authorities collect the registers of contractual arrangements involving ICT providers from financial entities and submit them to the ESAs, so that data points such as service agreements, cost structures, and risk mitigation measures can be analyzed comprehensively.
- Oversight Forum:
The ESAs use their joint Oversight Forum to review and finalize criticality designations, ensuring transparency and alignment with EU financial resilience goals.
- Regulatory Action:
ICT providers designated as CTPPs are subject to stringent resilience and compliance measures, including mandatory audits and periodic reviews.
2. Annual Reporting Requirements
Article 28 of the DORA Regulation outlines mandatory reporting obligations for financial entities and competent authorities:
- Scope of Reporting:
Financial entities must provide:
- Registers of ICT contractual arrangements, including details on services rendered, costs, renewal clauses, and termination conditions.
- Information on the criticality and substitutability of these services.
- Details on subcontractor dependencies and alternative providers.
- Reporting Deadlines:
Initial submissions are due by April 30, 2025, with annual updates aligned to a December 31 reference date.
- Role of Competent Authorities:
Authorities are responsible for validating the data collected from financial entities and submitting it through EUCLID, while ensuring adherence to quality and consistency standards.
3. Centralized Data Collection via EUCLID
The European Centralized Infrastructure of Data (EUCLID) facilitates a streamlined approach to regulatory reporting:
- Unified Repository:
EUCLID serves as the central platform for all ICT-related data submissions, reducing duplication and fostering inter-authority collaboration.
- Standardized Formats:
Predefined templates and structured data models ensure consistency, making it easier for regulators to monitor and analyze ICT dependencies.
- Enhanced Confidentiality:
Data submitted to EUCLID is protected under stringent EU professional secrecy rules, reinforcing stakeholder trust.
Operational Framework for Financial Entities
To ensure compliance with the DORA Regulation, financial entities are required to adopt robust frameworks, incorporating the following elements:
1. Comprehensive Registers of Information
Financial entities must maintain detailed, regularly updated records of all ICT contractual arrangements. This includes:
- Cost evaluations and annual expense tracking.
- Recovery time objectives (RTO) and recovery point objectives (RPO) tied to critical functions.
- Alternative service providers for mitigating supply chain risks.
2. Criticality Assessments
Entities must conduct periodic evaluations of ICT services to:
- Assess their operational impact on core financial functions.
- Identify vulnerabilities in their reliance on specific service providers.
- Establish clear contingency plans in case of disruptions.
3. Internal Validation and Data Quality Assurance
Validation processes must ensure:
- Accurate mapping of data points, such as legal identifiers and contract terms, to the DORA data model.
- Consistency across group hierarchies and financial entity structures.
- Robust oversight of all reported data before submission to competent authorities.
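The register checks in section 1 and the validation steps in section 3 are the kind of thing a financial entity would automate before handing its register to the competent authority. The following is an added example, not code from the ESAs, EUCLID or the DORA technical standards: the table layout and field names (entity_lei, provider_lei, rto_h, and so on) are hypothetical and do not follow the ITS column codes, and the sample records are constructed. It checks legal identifiers (LEI syntax and the ISO 7064 MOD 97-10 checksum), referential integrity between the entity, provider and contract tables, parent links within the group, contract date ordering, and the presence of RTO/RPO for arrangements that support a critical function.

```python
"""Pre-submission validation of a constructed ICT third-party register.

Example code only: field names and sample identifiers are hypothetical and
do not follow the ITS templates. The LEI check digits are computed so the
sample LEIs are well-formed, but they are not real LEIs.
"""
import re
from datetime import date

LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")


def _to_numeric(s: str) -> int:
    # ISO 7064 MOD 97-10 alphabet: digits stay as they are, A..Z become 10..35.
    return int("".join(str(ord(c) - 55) if c.isalpha() else c for c in s))


def lei_check_digits(prefix18: str) -> str:
    """Return the two MOD 97-10 check digits for an 18-character LEI prefix."""
    if not re.fullmatch(r"[A-Z0-9]{18}", prefix18):
        raise ValueError("LEI prefix must be 18 uppercase alphanumerics")
    return f"{98 - _to_numeric(prefix18 + '00') % 97:02d}"


def valid_lei(lei: str) -> bool:
    """True if the LEI has the right shape and its checksum reduces to 1 mod 97."""
    return bool(LEI_RE.match(lei)) and _to_numeric(lei) % 97 == 1


def _mk(prefix18: str) -> str:
    return prefix18 + lei_check_digits(prefix18)


# Constructed identifiers (made-up prefixes, computed check digits).
LEI_PARENT = _mk("529900EXAMPLEBANK0")
LEI_SUB = _mk("529900EXAMPLESUB00")
LEI_ORPHAN = _mk("529900EXAMPLELEAS0")
LEI_PROV = _mk("529900CLOUDPROV000")
LEI_NOT_IN_GROUP = _mk("529900NOTINGROUP00")
LEI_UNKNOWN_PROV = _mk("529900UNKNOWNPROV0")
# A single substituted digit always breaks a MOD 97-10 checksum.
BAD_LEI = LEI_PROV[:-1] + ("1" if LEI_PROV[-1] != "1" else "2")

# Constructed register rows: entities in the group, ICT providers, contracts.
ENTITIES = [
    {"lei": LEI_PARENT, "name": "Example Bank SE", "parent_lei": None},
    {"lei": LEI_SUB, "name": "Example Bank Sub AG", "parent_lei": LEI_PARENT},
    {"lei": LEI_ORPHAN, "name": "Example Leasing", "parent_lei": LEI_NOT_IN_GROUP},
]
PROVIDERS = [
    {"lei": LEI_PROV, "name": "Example Cloud Ltd"},
    {"lei": BAD_LEI, "name": "Typo Software GmbH"},
]
CONTRACTS = [
    {"ref": "C-001", "entity_lei": LEI_PARENT, "provider_lei": LEI_PROV,
     "start": date(2023, 1, 1), "end": date(2026, 12, 31),
     "critical": True, "rto_h": 4, "rpo_h": 1},
    {"ref": "C-002", "entity_lei": LEI_SUB, "provider_lei": LEI_PROV,
     "start": date(2025, 3, 1), "end": date(2024, 3, 1),
     "critical": False, "rto_h": None, "rpo_h": None},
    {"ref": "C-003", "entity_lei": LEI_PARENT, "provider_lei": LEI_UNKNOWN_PROV,
     "start": date(2024, 6, 1), "end": None,
     "critical": True, "rto_h": None, "rpo_h": None},
]


def validate_register(entities, providers, contracts):
    """Return (code, record, message) findings; an empty list means clean."""
    findings = []
    entity_ids = {e["lei"] for e in entities}
    provider_ids = {p["lei"] for p in providers}
    for e in entities:
        if not valid_lei(e["lei"]):
            findings.append(("INVALID_LEI", e["lei"], "bad LEI syntax or checksum"))
        if e["parent_lei"] is not None and e["parent_lei"] not in entity_ids:
            findings.append(("PARENT_NOT_IN_GROUP", e["lei"], "parent LEI absent from entity table"))
    for p in providers:
        if not valid_lei(p["lei"]):
            findings.append(("INVALID_LEI", p["lei"], "bad LEI syntax or checksum"))
    seen = set()
    for c in contracts:
        ref = c["ref"]
        if ref in seen:
            findings.append(("DUPLICATE_REF", ref, "contract reference reused"))
        seen.add(ref)
        if c["entity_lei"] not in entity_ids:
            findings.append(("UNKNOWN_ENTITY", ref, "entity not in register"))
        if c["provider_lei"] not in provider_ids:
            findings.append(("UNKNOWN_PROVIDER", ref, "provider not in register"))
        if c["end"] is not None and c["end"] < c["start"]:
            findings.append(("DATE_ORDER", ref, "end date precedes start date"))
        if c["critical"] and (c["rto_h"] is None or c["rpo_h"] is None):
            findings.append(("MISSING_RTO_RPO", ref, "critical function without RTO/RPO"))
    return findings


def finding_keys(findings):
    """Collapse findings to (code, record) pairs for comparison."""
    return {(code, record) for code, record, _ in findings}


if __name__ == "__main__":
    for code, record, msg in validate_register(ENTITIES, PROVIDERS, CONTRACTS):
        print(f"{code:<20} {record:<22} {msg}")
```

Run against the sample data it reports the mistyped provider LEI, the subsidiary whose parent is missing from the group table, the contract whose end date precedes its start, and the critical-function contract that names an unknown provider and carries no RTO/RPO; the clean contract produces nothing. Running such checks before submission is cheaper than having the competent authority bounce the file under the published validation rules.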
4. Implementation of DORA-Defined Standards
Financial entities are expected to align with the standards defined in the technical implementation documents, which outline:
- Approved data exchange formats and file structures.
- Risk assessment methodologies tailored to ICT service dependencies.
- Regular updates to address changes in regulatory or operational landscapes.
Impact of DORA Regulation Updates
The Digital Operational Resilience Act (DORA) introduces several regulatory updates aimed at enhancing the resilience of the EU financial sector. Below is an analysis of each update's impact, identifying the affected parties, the nature of the impact, and the necessary actions to ensure compliance.
1. Designation of Critical ICT Third-Party Providers (CTPPs)
- Impacted Parties: Information and Communication Technology (ICT) service providers and financial entities operating within the EU.
- Impact: ICT service providers designated as CTPPs will be subject to stringent oversight by the European Supervisory Authorities (ESAs). This includes mandatory compliance with DORA's requirements, such as implementing robust risk management frameworks, conducting regular resilience testing, and ensuring effective incident reporting mechanisms. Financial entities must assess their reliance on these providers and ensure that their contracts and operational dependencies align with DORA's standards.
- Actions Required:
- For ICT Service Providers:
- Evaluate the potential for being designated as a CTPP based on the criteria outlined in DORA, including the systemic impact of services provided and the degree of substitutability.
- Develop and implement comprehensive risk management and resilience frameworks to meet DORA's requirements.
- Prepare for ESA oversight, including readiness for audits and inspections.
- For Financial Entities:
- Conduct thorough assessments of ICT service providers to determine their criticality and compliance with DORA standards.
- Ensure that contractual agreements with ICT providers include provisions for compliance with DORA, such as clauses on risk management, incident reporting, and resilience testing.
- Establish contingency plans to address potential disruptions from critical ICT service providers.
2. Annual Reporting Requirements
- Impacted Parties: All financial entities within the EU.
- Impact: Financial entities are required to maintain and submit detailed registers of information regarding their ICT service providers and related contracts. This includes data on service criticality, risk assessments, and dependency analyses. Non-compliance may result in regulatory actions, including fines and increased scrutiny.
- Actions Required:
- Establish and maintain comprehensive registers of all ICT-related contracts, including details on service criticality, risk assessments, and dependency analyses.
- Implement internal processes to ensure the accuracy and timeliness of the information submitted to competent authorities, which forward it to the ESAs.
- Train relevant personnel on DORA's reporting requirements and the importance of maintaining up-to-date records.
3. Centralized Data Collection via EUCLID
- Impacted Parties: Financial entities and regulatory authorities within the EU.
- Impact: The European Centralized Infrastructure of Data (EUCLID) platform will serve as the central repository for data submission and analysis. Financial entities must adapt their data management systems to ensure compatibility with EUCLID's requirements, facilitating streamlined reporting and oversight.
- Actions Required:
- Upgrade or modify existing data management systems to ensure compatibility with EUCLID's data submission formats and protocols.
- Establish internal procedures for regular data submission to EUCLID, ensuring accuracy and completeness.
- Engage with regulatory authorities to understand specific data requirements and timelines associated with EUCLID reporting.
4. Validation Rules and Data Model
- Impacted Parties: Financial entities and ICT service providers operating within the EU.
- Impact: The introduction of standardized validation rules and data models aims to enhance data quality and consistency across the financial sector. Entities must ensure that their data collection and reporting processes align with these standards to facilitate effective regulatory oversight.
- Actions Required:
- Review and align internal data collection and reporting processes with the standardized data models and validation rules established under DORA.
- Implement quality control measures to ensure data accuracy, consistency, and completeness in all submissions.
- Provide training to staff involved in data management and reporting to ensure understanding and compliance with the new standards.
By proactively addressing these regulatory updates, financial entities and ICT service providers can enhance their operational resilience, ensure compliance with DORA, and contribute to the overall stability of the EU financial sector.
Digital Operational Resilience Act: Transitional Activities
The ESAs have taken proactive measures to support stakeholders in adopting the DORA Regulation. Key initiatives include:
- 2024 Dry-Run Exercise: Conducted with over 1,000 entities, this exercise tested reporting processes and identified potential challenges, helping to refine the framework.
- Workshops and Guidance: A virtual workshop on December 18, 2024, will provide practical guidance on preparing registers and ensuring compliance with DORA requirements.
These activities reflect the ESAs’ commitment to easing the transition for financial entities and fostering collaboration across the industry.
Strategic Implications of the Digital Operational Resilience Act (DORA)
- Enhanced Digital Resilience
By focusing on ICT oversight, the DORA Regulation ensures that the financial sector is better equipped to handle cyber threats and operational disruptions.
- Standardization Across the EU
The centralized approach under EUCLID harmonizes regulatory practices, creating a more consistent oversight framework across member states.
- Alignment with Global Standards
The DORA Regulation positions the EU as a leader in operational resilience, aligning with global best practices and enhancing its competitive edge.
- Increased Accountability
With detailed reporting and validation requirements, financial entities and ICT providers are held accountable for their operational resilience, promoting transparency and trust.