We have pulled together the latest updates from the Central Bank of Ireland (CBI) in relation to the Digital Operational Resilience Act (DORA). The focus areas include the supervision of expectations on regulated financial entities, the collection and reporting of ICT incidents and cyber threats, and the management of the Register of Information on ICT outsourcing.
Engagement and Stakeholder Involvement
CBI places emphasis on engagement. The first step involves promoting awareness of DORA, followed by understanding stakeholder concerns. This approach supports policy decisions and encourages effective implementation.
Technical Standards and Progress
At a recent EY round table event on 22 February, CBI noted a delay in finalising technical standards due to European elections and the summer recess. These are now expected in September 2024. CBI recognised the strong progress made by the European Supervisory Authorities and the Joint Committee Sub Committee on DORA, supported by principles such as Momentum, Pragmatism, Quality, Proportionality and Engagement.
Reviewing 2016 Guidance
CBI is reviewing its 2016 guidance on ICT and Cyber Risk Management in light of DORA. The decision to retain or remove this guidance is still under consideration. CBI highlighted the priority of DORA compliance for relevant entities due to its lex specialis nature.
Critical ICT Third Parties
CBI discussed its engagement with critical ICT third parties such as Amazon and Microsoft. The final list is not yet confirmed. CBI noted that approximately 5,000 ICT service providers were identified based on historical ESA information gathering from a 4 percent sample of EU institutions. Consultation continues across Europe on the criteria for designation as a CTPP, although the final number remains unknown.
Outsourcing
CBI stated that they are satisfied with the work completed on Outsourcing across Irish financial entities. Ireland is ahead of other EU countries in this area. From a DORA viewpoint, CBI Outsourcing guidance is closely aligned with DORA requirements, which should mean less uplift for Irish financial entities.
As CBI continues work on DORA implementation, stakeholders are encouraged to stay informed and involved. The focus on awareness, collaboration and alignment with technical standards places CBI in a strong position ahead of the application date of 17 January 2025.
Engagement and Stakeholder Involvement
As part of their strategic approach, CBI places a strong emphasis on engagement. The first step involves promoting awareness of DORA, followed by a meticulous understanding of stakeholder concerns. This inclusive approach helps shape CBI’s policy decisions and ensures a collaborative effort in implementing DORA effectively.
