Transcript: Practice and procedure with GRIP – DORA podcast

This is a transcript of the podcast Practice and procedure with GRIP – DORA implementation in which our GRIP expert writers Jean Hurley and Thomas Hyrkiel discuss all things DORA.

[INTRO]

Jean Hurley: Hello, listeners. I’m Jean Hurley, Commissioning Editor at GRIP. Welcome to our first GRIP on practice and procedures podcast. Today we are joined by my colleague, Thomas Hyrkiel, the Director of Content and Community Services at GRIP. We’re here to discuss all things DORA: implementation, scope, next steps for financial entities and third-party providers, and the consequences of noncompliance.

Thomas, I’m delighted you could join us. Let’s start at the beginning. What is DORA? And why is it so important?

Thomas Hyrkiel: Hello, Jean! I’m very happy to be here, and I’m very happy to be speaking to you about all things DORA. DORA is, in effect, a response to persistently elevated cyber threat levels, and an increasing threat surface. I think it’s also a result of the fact that what we have is the emerging use of AI tools to enhance the capabilities of hackers. In other words, more people have access to the tools to attack third parties and financial institutions.

Therefore increasing the threat surface quite substantially. I think it’s also a regulatory response to outsourcing. Outsourcing has become a key aspect of running a modern financial services organization.

But unfortunately, this also means that financial institutions are now reliant on such third parties, and regulators are understandably concerned. In the past, what they could do is monitor the financial entities themselves, and put pressure on them to comply and amend their systems. But what they’re finding now is that what has emerged is a massive blind spot in terms of critical systems and technologies that are effectively outside of the regulatory perimeter, and DORA is an attempt by the EU to correct course and fix this.

Jean Hurley: Thank you. So you said it’s by the EU, but does it have an impact outside of the EU, and are non-EU firms affected?

Thomas Hyrkiel: Yes, so DORA, like many other bits of important EU legislation, has extraterritorial impact. In other words, let’s put ourselves in the position of a branch office of an asset manager whose home office location is the UK, or perhaps the US. If services, ICT services, are being provided to that branch by the parent entity, then, technically, the parent entity will be within scope of DORA.

Jean Hurley: So it’s quite a wide scope.

Thomas Hyrkiel: It absolutely is. And it’s funny that you mentioned this, because I was going to mention it as well. It is far broader in scope than the equivalent UK or US regulation. In other words, you know, when we speak about financial institutions, we often think about banks, investment managers, asset managers, trading venues, insurers. But I think also within scope of DORA are non-traditional players, such as fintechs, crypto operators, and payment providers as well. So it is much, much wider than existing regulation.

Jean Hurley: So, it took effect on January 17, and, you know, the implementation plans should have been completed, or are things still underway? Can you give us an update, please?

Thomas Hyrkiel: Yes, of course. So, according to ESMA and the supervisory authorities, everyone should be compliant from day one. And that would have been January 17 when DORA took effect. But I think it’s a slightly more nuanced story.

First of all, the technical standards were released quite late in the day, many of them over the summer, some of them as late as December. And I think it’s entirely possible to envision that the regulators will be understanding of an entity who is still working through, let’s say, the repapering exercise or negotiations with third parties, or putting in place some of the other necessary elements of the regime. So, one of the things required is ensuring that the third parties are within scope of your audit plans. That’s actually quite a tall order, and I wouldn’t be surprised if there was some leniency in this area.

However, if a supervisory authority chooses not to be lenient, they’re well within their rights to say ‘Well, you’ve had a number of years to prepare for this. This wasn’t sprung on you, and therefore we will move to levy a fine’, let’s say.

Jean Hurley: Because there was a recent survey which said that 40% of respondents were going to miss the January 17 deadline.

I mean, what are the implementation challenges for these firms? You’ve mentioned a few, but could you give us a brief overview of what they’re working on, and then maybe we could look at them in more detail afterwards?

Thomas Hyrkiel: Yeah, sure. So I cannot claim to know precisely what firms are working on presently, but extrapolating from some of the articles that I’ve seen, some of the somewhat panicked chatter on social media and LinkedIn, and where people are able or willing to share some details, I think that one of the things that larger firms, banks, insurers are struggling with is the sheer scale and extent of the outsourcing that they have in place.

Banks and insurers and larger financial institutions are likely to be in a very good position already as a result of having to comply with other similar regimes.

However, because of the extent of what DORA is asking for, it’s entirely possible that there are aspects of their operation that have never been in scope, or that have not been scrutinized very closely, and I think this will almost certainly represent a challenge. There are two things worth mentioning here. One, sometimes outsourcing happens at a departmental or function level, which means that the wider organization may not have insight or visibility on some of the outsourcing that is happening. So that could be a challenge.

Another challenge is the fact that many of these entities have outsourced the outsourcing itself. Which may sound really funny, but there are specialist vendors who will go out and negotiate on the part of a certain function within a large bank for the provision of a certain bundle of services. And I think that in itself represents a challenge, because, in effect, what you need to do is suddenly look through that outsourcing relationship to the service provider itself. For the smaller entities, it’s a slightly different challenge, I think. So I think specialist skills, specialist knowledge, is often lacking.

And, let’s face it, a lack of resource. For such a work-intensive regulatory effort, it may be missing entirely, especially when it comes to the legal function, which is the one that I would expect to be under pressure at the present moment.

Jean Hurley: If we look at it in more detail, I was looking and there’s the register of information. Can you tell us more about this, please?

Thomas Hyrkiel: So, this is one of the first steps of becoming compliant with the regime. Every entity has to identify the ICT assets in place, and also identify the ICT services that are being provided by third parties. In other words, you must be aware of who you are outsourcing to, what your ICT services are that are within scope of this regime, and which of those services you’re outsourcing. I think it’s a critical first step. If you have a good grasp of what you are outsourcing, and what functions are affected, you’re already in a fantastic position to be DORA compliant, or to become so.

Jean Hurley: And so I think this leads on to the mandatory contractual provisions. Many financial institutions and third-party providers have found it very difficult agreeing to a standard form. You know, from your research and everything you’ve written and looked into, do you have any best practice on this, any advice you can offer?

Thomas Hyrkiel: I think this is a challenge for the third parties as well as the financial institutions. And unfortunately, it’s the financial institutions who are on the hook.

In other words, it’s unlikely that a regulator would go after a third party should they choose not to cooperate or be helpful in the repapering exercise, or insist on terms that the legal team at a financial institution is uncomfortable with.

Of course, this does have an impact on the working relationship. It’s very unlikely that a third party who chooses not to cooperate will be considered a reliable partner. And actually, there are provisions within DORA that clearly indicate that a third party who is found wanting, and I’m simplifying here, should be descoped, and removed and replaced as soon as possible.

What advice would I give? I mean, it’s difficult to say. This issue is being complicated slightly by the fact that the critical third parties have not yet been identified by ESMA and the ESAs. And this is problematic, because many third parties will be looking to those critical third parties for almost like a pro forma version of a contract, that has been reviewed by top lawyers, and can be used as a starting point, at least for negotiations.

Jean Hurley: So you really see a lack of clarification for these organizations?

Thomas Hyrkiel: There is a lack of clarity. There’s no doubt about it. Again, many entities will be in a good position as a result of having to comply with other similar regulatory regimes. But as with anything new, there are, and there have been, a lot of moving pieces in the recent past. And, you know, what DORA compliance will actually look like remains to be seen. And I think we will have, or we will see, some clarity in 2025. Certainly a lot more than we have seen up until now.

Jean Hurley: Thank you. And something you touched on earlier was organizational considerations. You know, which parts of the organization will be overseeing DORA compliance? And could you give us some examples of that?

Thomas Hyrkiel: Yeah, sure, sure, Jean. So I think I’ve touched on two already, which are fragmentation of functions and outsourcing, and potential issues that we’ve also touched on which concern the provision of services by entities related to the entity within scope, so either a parent or a subsidiary. But there are others, and I don’t want to repeat myself.

There is another issue which I think I know organizations will struggle with, and the dry run very clearly demonstrated this, which is data. We know from other regulatory regimes that the capture, organization, classification of data, as well as the sending of it downstream, is problematic, simply because we’re speaking about such a large volume of data, some of it quite disparate data.

So the regulatory actions in connection with venues, data completeness issues in connection with venues, are a good example, where suddenly you missed a venue for which you’re meant to be capturing data. And I think that in the dry run many organizations failed because they did not classify, or perhaps failed to capture, the data required.

I think data issues will persist throughout 2025, and I think the ESAs’ deadline of 30th of April for the provision of the register of information by the entities in scope is a critical date. And if I could advise, if someone is struggling with their DORA compliance and is looking for one piece of advice from a non-specialist, it would be to focus specifically on this, simply because the deadline is looming. We’re just about three months away. If you are able to successfully submit that register of information, I think suddenly you win yourself a little bit of breathing space, a little bit of room to maneuver in order to complete all the other DORA work required.

Jean Hurley: Yeah, and it’s such a huge burden. And that was very good advice. Thank you, Thomas. I believe we’re still waiting for more guidance. Is that correct? More level 2 guidance, for penetration testing?

Thomas Hyrkiel: That’s exactly right. And, you know, I don’t want to tell folks out there that they’re somehow off the hook. But the fact is that we’re waiting for some of the information connected to the scope of services, as you said, threat-led penetration testing, but also the identification of these critical third parties.

I mean, it suggests a regulatory regime that’s a work in progress rather than something that’s already fully bedded in, and therefore compliance is going to be a question of doing what you can, and then being prepared, in terms of resources and in terms of doing any work that you can, for the release of some of this additional information.

Jean Hurley: So do we actually know what is a designated critical third-party provider?

Thomas Hyrkiel: We know the definition in DORA.

Jean Hurley: Can you give me some examples?

Thomas Hyrkiel: Sure, I think, you know, since this is a friendly audience, I think it’s very likely that Microsoft, Amazon, and perhaps Oracle will be among the parties who are designated as critical. One of the regulators, I believe, has inadvertently mentioned, or mentioned as part of a call, the fact that we’re looking at a handful of such entities.

In other words, the bar will be very high, and only the largest entities will be caught in that net. And this is hugely important, and will almost be a relief for many third-party providers out there, because the requirements on a third party that is designated as critical are very onerous. And we’re speaking about effectively being caught within the European regulatory net.

Jean Hurley: Thank you. That’s really helpful. So what happens if financial institutions miss all these deadlines? What happens about non-compliance with DORA?

Thomas Hyrkiel: Wow, that’s an excellent question. Yeah, I mean, the consequences of noncompliance are quite serious. I mean, we’re not only speaking about a slap on the wrist. DORA has in place provisions that would lead to some severe fines, and I think that is just the tip of the iceberg, I would say.

Let’s say that you take a chance and decide not to be compliant with this regime, expecting that a fine will be something that is simply the cost of doing business, and some entities do have this type of discussion. What happens if a party on whom you rely is successfully breached and goes offline for, let’s say, a period of 2 to 3 weeks? As a result, you’re not able to do something that is critical to the running of your business. Not only do you have an operational problem. How do you get back online? How do you address this?

Right away, you become a target for the regulators, and there is absolutely no doubt in my mind that they will say ‘Aha! So, you’ve chosen not to be DORA compliant. Here are the consequences. You’ve gone offline. These are the repercussions for your customers,’ and, you get the picture. I mean, the consequences could be severe, no doubt about it. And the fact that, let’s go back to where the conversation started.

This entire regime is being put in place against the backdrop of an elevated level of cybersecurity threats, and it has been elevated for quite some time, but the introduction of ChatGPT is just making things worse. So I’ve just recently read a very interesting McKinsey report on cybersecurity, which demonstrates that phishing attacks and phishing sites have increased by approximately 138%. And this is as of 2024, since the launch of ChatGPT, simply because it’s so easy to send phishing emails and set up a site that looks convincing. So I think institutions would be well advised to get their act in order now, before it’s too late.

Jean Hurley: Thank you. The threat levels are, you know, huge. But are there positives, would you say, about AI in DORA? And do you think that firms will have to signal, well, whether the third parties will need to signal, that AI is part of their system?

Thomas Hyrkiel: Jean, that’s an excellent question, and I will take a rain check on this one simply because I don’t know. I think, is there anything that I’ve seen in DORA that suggests that you must reveal the fact that you’re using AI? I don’t think so. Contractually, however, I think if you’re deploying AI tools it’s possible you may need to disclose that to your customer.

I think this is a very, very complex area. So just taking a step back, you’re a third party who’s providing a tool that processes payments, and you decide to utilize an AI tool in order to make the provision of that service more efficient. Is that any concern to the parties to whom you’re providing service? I mean, potentially. But you’re well within your rights to make amendments to your system, so long as it still continues to provide the service that you’re contractually bound to provide. This is a very, very complex area. I think we could probably speak about this for an hour-ish.

Jean Hurley: Well, thank you. Thank you for certainly looking into it and giving us some idea on best practice and procedure. And, in fact, thank you for everything you’ve said. I think the listeners will find it really useful.

So we’re coming to the end of our chat. And we’re gonna finish with just a snap yes-or-no round.

So, Thomas, are you ready?

Thomas Hyrkiel: Okay.

Jean Hurley: Will we see an enforcement action connected to DORA in 2025, yes or no?

Thomas Hyrkiel: No.

Jean Hurley: Will DORA make a difference to financial institution resilience in the EU?

Thomas Hyrkiel: No.

Jean Hurley: Is DORA, like GDPR, a global trendsetter?

Thomas Hyrkiel: Yes.

Jean Hurley: And finally, will we see a UK DORA equivalent soon?

Thomas Hyrkiel: No.

Jean Hurley: Thank you, Thomas. I’m sure there’ll be loads to talk about next time when we have you on, probably about six months down the line. So, listeners, we’d like to thank you. If you’re hearing this, you probably know about us. But tell your friends about GRIP. You can find us at grip.globalrelay.com. And you can follow us on LinkedIn. Until our next podcast or article, I bid you farewell.
