Edward Roozenburg: DORA, are you ready yet?

This column was originally written in Dutch. This is an English translation.

By Edward Roozenburg, written in a personal capacity

With the approaching deadline for DORA of 17 January 2025, the pressure is mounting. For many financial institutions, being compliant on time is a challenge. What makes the implementation of these useful regulations complicated and what is best to focus on if you are running out of time?

On the face of it, DORA is a useful regulation that sets clear requirements for managing ICT risks of financial institutions. Straightforwardly drafted. At least that is what I myself thought when I first laid eyes on the text. It is a legal text in respect of a number of well-defined topics with some clear elaborations accompanied by templates. In fact, some of these templates are so clear that they can be copied exactly for an organisation. A matter of ‘cut and paste’. But alas... reality turns out to be more complex than thought. So what actually makes it complex for pension funds and other financial institutions?

Absolute compliance

First, the perceived absoluteness of compliance in general plays a role. There is no such thing as being a bit compliant. You are compliant, or you are not. At least, that's how it seems to be perceived. By 17 January, everything must be in place and implementation must be provable. This is what directors want, and they rightly convey that to their employees. This in turn creates the impression among those doing the implementation that everything must be provably in place on that date.

Practice is a bit more nuanced. Compliance can often only be demonstrated after a period of operation, and for a number of things that period will not yet have passed on 17 January. The law does not specify which requirements must be in operation on 17 January and which only need to be present in intent.

For example, consider reporting major incidents to the supervisor within four hours of detection. You can have the procedure for this ready, but if you haven't had a major incident before 17 January, you don't know whether the procedure works in practice. And there are more things like this: they must be provably implemented, but their operation can only be demonstrated during 2025.

Dependence on third parties

Secondly, dependence on third parties plays an important role. Almost all pension funds I know (and probably many asset managers) need to review their contracts with outsourcing parties. Additional agreements are needed on incident reporting and on reporting the outsourcing party's performance where the existing agreements are not yet comprehensive enough. The exit strategy should not be missing either. Not all suppliers are financial institutions subject to European law, and they may not feel like cooperating at all because they do not have to comply with DORA themselves.

Clarity of the law

Also problematic is that the law is sometimes very specific and at other points vague. The specific parts are difficult because things have to be implemented exactly as the legislator wants, with little room for customisation. With the vague parts, on the other hand, it is unclear exactly what the legislator wants. For instance, which suppliers (or which processes) should be labelled ‘critical’ in the information register?

It seems simple. There is data exchange, the service is available 24/7, and if it fails, the institution has a problem. But does that make the bank critical? And if you can still pay pensions and track investments when the office automation fails, should the office automation provider be labelled ‘critical’ or not? The interpretation of ‘critical’ can vary somewhat and depends mainly on the other characteristics of the financial institution.

Another example of ambiguity is the principle of proportionality in Article 4. This article allows institutions to argue that certain measures are disproportionate for their type of organisation. But what exactly is meant by this, and how it can be applied, is unclear in practice.

DORA and the Wtp

Finally, especially in the pensions sector, the other major law for that sector also has to be taken into account: the Future Pensions Act (Wtp). Directors' attention is currently often focused on drafting implementation plans for the Wtp, and compliance with that law also gets a lot of attention.

It is not always easy to give DORA the necessary administrative attention in addition. And that while DORA explicitly requires directors to be clearly involved in the management and supervision of ICT risks. This also affects the implementation level of funds, because there, too, the focus is mainly on what the board calls for. And that is mainly the Wtp.

Nevertheless, all financial institutions must be compliant by 17 January 2025. But if you have to make choices, and you fall under DNB's supervision, at least focus on the areas on which DNB has already indicated its attention will be in early 2025.

ICT risk management

In any case, DNB will focus on ICT risk management. Financial institutions should have a robust ICT risk management system that is able to identify, assess and manage risks. This system should be regularly updated and tested to ensure that it remains effective in a changing digital environment. Therefore, ensure that documentation of these processes and policies is in place and enforceable by 2025.

Another component explicitly identified by DNB is ICT incident reporting. It is essential that financial institutions have a system for reporting ICT incidents. This system should not only record incidents, but also analyse their impact and propose measures to prevent their recurrence. DNB will pay specific attention to the timeliness and completeness of these reports. Moreover, DNB must also be informed about major incidents, and that within four hours of the incident becoming known. So make sure that is possible.

Knowledge of ICT risks on the board also has the regulator's attention. DNB stresses the importance of sufficient knowledge of, and attention to, ICT risk management among directors and internal supervisors. The board should be able to make strategic and tactical choices based on a good understanding of the key IT and cyber risks. Ensure that you can demonstrate that this knowledge is present on the board.

Information register

Finally, DNB will request the information register. Under DORA, financial institutions must maintain an information register of all contractual agreements on the use of ICT services provided by third-party providers. This register helps monitor the ICT risk posed by third-party providers. It provides insight not only for the financial institution itself, but above all for the regulator. The regulator is therefore likely to request this register in Q2; make sure it is ready by then.

Of course, the aim is to have everything from DORA set up on time. Also consider the relationship with outsourcing partners and the testing of digital resilience through pen testing. These are certainly important issues within DORA and therefore each have their own chapter in it.

Often, these requirements can only be implemented during 2025. All financial institutions will need to do something about testing their digital resilience, but that does not necessarily mean that on 17 January the improvement actions following from the test outcomes will already have been implemented. Do the implementation when it becomes necessary. So again, this gives some leeway, and that without compromising compliance.