DORA testing tool launches as preparation pressure grows

The countdown to DORA is in full swing, with less than two months to go

Ireland-based software services provider Ergo has teamed up with alternative legal solutions provider Johnson Hana to develop and roll out a testing tool for compliance with the EU’s new Digital Operational Resilience Act (DORA).

Financial services firms are expected to comply with DORA’s rules and regulations by January 2025.

The tool developed by Ergo and Johnson Hana, called the DORA Readiness Assessment Methodology, has gone live and is designed to determine whether a financial firm or third-party ICT provider is DORA-compliant.

Once an assessment has been completed, its findings and recommendations are displayed on the platform’s dashboard.

While Ergo focuses on the software and QA testing side, Johnson Hana will focus on the legal aspects of the findings and provide regulatory updates.

Steve Blanche

The solution is designed in a way that firms can continue to use it as “an ongoing governance monitor of potential shortfalls” with the firm as well as with third-party contractors, explained Steve Blanche, the chief technology officer of Ergo.

“Successful DORA implementation requires a deep understanding of both the technology landscape and the financial services sector,” Dublin-based Blanche said.

“Not every financial service company will have the same burden – it is necessary for organisations to understand their own distinctive needs and requirements under DORA,” he added.

Lee Morrissey of Johnson Hana said the firm has the legal expertise to provide support with the regulatory updates.

Nine months to go

DORA is increasingly becoming a priority for financial services firms, lawyers, ICT companies and regulators across the EU.

With less than nine months before DORA will come into force, lawyers, QA teams and compliance officers are trying to make sense of the maze of rules.

Intended to address the rising threat of cyber attacks and the financial sector’s increasing reliance on digital technology, DORA sets out a comprehensive regulatory framework aimed at enhancing the digital operational resilience of financial entities in the EU.

Evidently, the legislation represents a major shift in the EU’s approach to ensuring the robustness and reliability of digital operations within the financial sector.

With the deadline for complying with DORA set for 17 January of next year, pressure is mounting on financial institutions and service providers across the industry to start preparing for the new regulatory framework.

The enforcement of DORA will be overseen by national regulators within each EU member state, which will have the power to impose penalties for non-compliance. They will in turn be directly supervised by lead overseers from the European Supervisory Authorities.

DORA also encourages voluntary information sharing among financial entities about the emerging landscape of cyber threats.

Mass-test

In preparation for DORA, large banks, financial institutions and other financial services (FS) players across the European Union have been urged to take part in a voluntary mass-training exercise ahead of DORA coming into force, as QA Financial reported earlier this month.

Banks across all EU member states, as well as insurers, asset managers and other financial firms, have been invited by the European Supervisory Authorities (ESAs) to join the mass-testing exercise, which is scheduled to take place next month. An exact date has not been set yet.

The test is coordinated jointly by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).

Firms that agree to take part will be asked to hand over the agreements they have in place with any ICT third-party providers they work with.

Starting later this month, participating firms will be expected to forward their registers to the ESAs through their relevant national watchdogs before the end of August.


Providing this information is an important part of DORA because, once the regulation is in effect, financial firms will be required to register any contractual arrangements they have with third-party ICT firms.

In the invitation letter to firms, sent in April, the ESAs explained that they plan to offer extensive help, support and guidance to firms to help them create and maintain a register.

The regulators indicated that they will soon propose a standard format, and that data quality testing will become an important part of the process.

Firms will then be asked to hand over their registers to the ESAs through their relevant national watchdogs, most likely between early July and late August.

Tighter regulation

DORA is among several recent and emerging EU regulations created to enhance and standardise requirements for enterprise cyber resilience.

The rules are specifically for financial entities operating across the EU 27 — including banks, insurance companies, credit agencies and more — and third-party service providers that serve them.

Ahead of the January 2025 deadline, the European Commission formally adopted a number of DORA stipulations in February.

The EU’s executive body issued a set of secondary legislation setting out detailed technical rules that specify some of the key provisions of DORA.

First, it has now been confirmed that DORA will introduce an ‘oversight framework’, which did not exist under the pre-existing outsourcing regulations.

ICT third-party service providers that are designated as ‘critical’ will be subject to regulatory scrutiny, largely overseen by the ESAs, namely the above-mentioned ESMA, EBA and EIOPA.

This approach allows the ESAs to investigate and inspect providers in relation to IT security, risk management and governance issues.

The framework also gives the ESAs the power to make recommendations and to issue fines of up to 1% of the ICT third-party provider’s annual worldwide turnover.

The EC also detailed the criteria “for the designation of ICT third-party service providers as critical for financial entities.”

In other words, it set out what ‘critical ICT providers’ are. In addition, the EU body introduced a vast and fairly complex structure for oversight fees.

‘Critical’ providers

To determine whether an ICT third-party service provider is ‘critical’ for banks, insurance firms and other financial entities, the ESAs will apply a set of sub-criteria in a two-step assessment.

First, the ESAs will take into account important ICT services and the diversity and number of financial institutions that use those services.

This is primarily done to “filter the population of ICT third-party service providers and identify the most critical ICT third-party service providers.”

After this ‘first selection’ of ICT third-party service providers, a further in-depth analysis will be carried out focusing on a range of sub-criteria.

So far, the EC has not set out these standards but has hinted that, in some cases, it will be left to individual member states to fill these gaps.
