DORA Compliance: Key Insights from the CBI’s Industry Briefing

On Wednesday, November 6, 2024, the Central Bank of Ireland (CBI) held an industry briefing to discuss the implementation of the Digital Operational Resilience Act (DORA), which will set new standards for cybersecurity and operational resilience, ensuring firms are better prepared to withstand and respond to digital disruptions. During this session, the CBI outlined critical expectations for firms, including compliance timelines, gap analysis requirements, and specific contract considerations for ICT providers.

As part of our Emerging Regulations Watch series, we break down these crucial updates to help firms stay informed and ready for the January 2025 deadline and beyond.

DORA Implementation Timeline: Key Milestones and Compliance Expectations

The CBI has highlighted that the 17 January 2025 DORA implementation deadline is a hard, legally binding milestone.

After 17 January 2025, regulators will expect clear evidence of a high-quality implementation and will expect to see the gap analysis that firms have carried out to establish their position under DORA. The gaps identified must be quantified with regard to: the seriousness of the non-compliance; the impact of the non-compliance under DORA; whether the non-compliance is persistent; and whether there has been a pattern of non-compliance across the firm.

According to the CBI, the proportionality principle will be applied to decide the time allowed to address gaps. Where identified gaps relate to existing requirements under sector-specific legislation, the CBI’s response will be more stringent. Firms must be in a position to furnish the CBI with a copy of the gap analysis performed, if requested, and to produce evidence of how resources have been allocated to ensure that they will achieve compliance.

ICT Providers and Contract Reviews: What You Need to Know

Contract reviews with ICT providers are essential under DORA. Specific areas to be considered during reviews were set out as follows:

  • the strengthening of access for audit purposes;
  • the testing an ICT provider is conducting on its own systems; and
  • transparency regarding subcontracting.

Level 2 Measures: Understanding the Current Status and Future Adjustments

It is noteworthy that the regulation continues to evolve and that not all Level 2 requirements have been finalised. The CBI noted that the European Commission is reviewing “a couple of discrete aspects”.

Existing Central Bank Guidance: Updates on Operational Resilience & Cybersecurity

The CBI is undertaking a review exercise to identify any national guidance impacted by DORA and to establish if any conflicts arise. Firms can expect updates on existing cross-industry guidance soon.

An update on the “Cross Industry Guidance in Respect of Information Technology and Cybersecurity Risks” by the CBI can be expected, as well as a further review of “Cross Industry Guidance on Operational Resilience and Outsourcing”. As these regulations evolve, firms must stay proactive, ensuring that they have systems in place that can support the reporting process and ensure compliance.

Navigate DORA Compliance with Confidence

For additional support with DORA compliance, don’t hesitate to get in touch with AQMetrics’ compliance consultants and customer success team. From expert assistance with knowledge management on DORA, gap analysis documentation and action planning to address identified gaps, to resolution planning and general DORA risk management, our global team of in-house experts is here to help. Get in touch today and ensure DORA compliance for 2025 and beyond.