The timeline for the Digital Operational Resilience Act (DORA) is “extremely challenging” and the requirements for major incident reporting “excessively detailed”, says the European Association of CCP Clearing Houses (EACH). These two comments are part of the four key messages it highlights in its response to the joint consultation drawn up by the European Supervisory Authorities (ESAs) on DORA’s second batch of policy mandates.
Set for 17 January 2025, DORA’s implementation is less than a year away – a date that EACH calls “extremely challenging”. The regulation seems to have flown under the radar for many in the industry, as was observed during a panel discussion during the PostTrade 360° Helsinki conference held in November last year. In its response, EACH requests for an extension of the timeline to “ensure a smooth and efficient implementation”.
Too many details
Touching upon major incident reporting, the association judges that “the amount of data fields to be provided in the context of the initial, intermediate and final reports seems often excessively detailed”. It suggests extending the four-hour time limit for submitting the initial report, and moving certain required data fields from the initial report to the intermediate one.
In its third point, EACH suggests that ICT services provided by the parent company to a subsiary or vice versa for the support of critical or important functions should not be defined as subcontracting.
Finally, it proposes that external testers and intelligence providers should be required not just to prove their epxerience in threat-led penetration testing (TLPT), but in TLPT in the finance sector. To avoid the high costs and burden of preparing and managing the tests, “financial entities should be allowed to rely on TLPT that are performed by ICT third-party service providers”.
DORA is an EU regulation that, according to the European Securities and Markets Authority (ESMA), aims to strengthen “the information and communication technology (ICT) security of financial entities in the remit of the three ESAs”. The ESAs include the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and ESMA itself.