Q&A on Compliance

Find out more about compliance topics such as DORA, outsourcing and AI in the context of current regulation.

DORA

What is DORA?

The aim of DORA is to create a legal framework for digital operational resilience, under which all organisations must ensure that they can withstand, respond to and recover from all types of ICT-related disruptions and threats, not just IT security disruptions or threats such as DDoS attacks. The requirements are standardised across all EU Member States.

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on Digital Operational Resilience for the financial sector

When is it valid?

  • DORA is valid from 17 January 2023.
     
  • DORA will be in force from 17 January 2025.
     

When does the regulation come into force, i.e. by when do I have to comply with it?
 

  • As a financial institution, you must comply with the regulation by the date on which DORA comes into force, i.e. 17 January 2025.

Which departments and processes are affected?

This is difficult to say. Two principles also apply to DORA: the principle of proportionality and the risk-based approach. It all depends on the size of your organisation, the complexity of the processes, the risk and the ICT environment. It should be assumed that the IT department (from operations, development and architecture to IT security and risk), risk management (general risk management and especially operational risk management and cyber security risk management), the compliance department, the procurement department, the outsourcing department and other departments not listed here will be involved.

How can we ensure compliance with the regulations?

We are happy to help you with this. Our standardised approach is three-tiered and we can offer not only consulting services, audits and compliance, but also technical and security services - in other words, a complete package:

  • Maturity assessment
  • Development of a roadmap
  • Implementation
     

If you are fully compliant with, e.g., ISO 27K or NIST800, you are already well positioned. You only need to perform a maturity assessment for DORA compliance, and you should more or less only need to review some specific DORA requirements concerning reporting or approvals from regulatory authorities.

If you are not compliant with any certification, you will need to perform all three phases mentioned above. You must always decide what level of resilience you want to achieve, taking into account your risk appetite and the resources available to ensure resilience. DORA leaves some room for workarounds etc., but these need to be very well documented and you need to have arguments ready.

How do you manage the time?

DORA follows the notorious risk-based approach. It is good to know your risks, their materiality and likelihood, and to have a plan to address them. 
 


DORA & Outsourcing:

How are they connected?

DORA does not mention "outsourcing" at all. However, it does mention ICT systems and services that support important or critical activities, processes and functions of a financial institution. The outsourcing guidelines also work with the concept of criticality and importance. So this is where the overlap lies.


Not all outsourcing is critical or important, i.e. it does not support critical or important functions. Not all ICT services that are provided by third-party providers and support critical or important functions are outsourcing.


This leads to the awkward fact that financial institutions have to control many more ICT services than before DORA, but in a similar way as under the outsourcing guidelines.
The DORA requirements for third-party ICT services that support critical or important functions are slightly higher than the outsourcing guidelines.


NIS2:

Is it applicable to us?

This depends on two questions. Do you provide services that are listed in Annexes I and II of the Directive? Do you provide any of the listed services in one or more EU Member States?
If you answered "yes" to both questions, you are most likely subject to NIS2. You also need to assess your size and consider very carefully where, i.e. in which Member State, you provide your services listed in Annex I and/or II. Each EU Member State has its own specific conditions, which may be stricter than the Directive itself (e.g. Germany, Czech Republic).

When does it apply?

The directive is in force from 16 January 2023. However, EU Member States must transpose it into local law, which must go through the legislative procedures and be adopted at local level by 17 October 2024 at the latest (unless the Member State pays a fine to the EU for late adoption of local rules). It is expected that there will be a transition period of twelve months, i.e. that the local rules will be fully in force from October 2025, but this varies from country to country.

What do we need to do?

The requirements are similar to those of DORA. It is necessary to put in place proper cybersecurity governance and risk management, which includes awareness and training for employees and, most importantly, for members of statutory bodies. You also need to put in place lines and procedures for reporting cybersecurity incidents, not only internally within the organisation but also to your local CSERT, CSIRT.


AI within the framework of the applicable regulation:

Is AI outsourcing?

No, AI and the cloud are not outsourcing by default.

 

When is it outsourcing?

Whether AI is outsourcing depends on several factors, which can be categorised into three groups: a) type of AI role, b) data included in the AI model, c) contractual risks and third-party providers.

What regulates AI?

The AI Act is still in preparation. Nevertheless, it is advisable to comply with it now in order to be ready later when it comes into force (in 2026) without having to make abrupt changes.
However, we also need to look at other regulations that are already in force now. If you answer the questions above about the three groups of AI factors, you will also get an answer to this question about regulation.


You need to reckon with data protection regulation (GDPR, DSG, EDPB recommendations, etc.) and with outsourcing regulation if outsourcing is the case (ESA guidelines, BWG, etc.). You also need to consider whether AI supports some of your important or critical activities, functions and processes and, if so, align with DORA requirements.


You can also refer to international standards for AI, such as: NIST AI RM Framework, ISO 42001. 

How should we handle AI in our company/bank/insurance company?

The best way to answer the questions about the AI factors (a) type of AI role, b) data that feeds into the AI model, c) contractual risks, third-party providers) is within the framework of the applicable regulations, which will guide you.

How about AI & DataLake or Databricks? Can we do that? How can we handle this from a compliance, outsourcing and DORA perspective?

Many institutions are already using Datalakes and Databricks with AI. This is perfectly fine; you just need to answer the three questions above again, and the answers should point you in the right direction.

ORBIT Compliance Team - AI offer and experience: 

ORBIT has experience in searching, finding and solving the three topics mentioned above:

  • Type of AI role
  • Data involved in the AI model
  • Contractual risks, third-party providers

to ensure your full compliance and to withstand various audits, on-site inspections, etc.

ORBIT can ensure compliance with processes, documentation and the successful implementation of technical and security measures identified as necessary or required.

ORBIT has experience with audits and on-site inspections of various local supervisory authorities (e.g. Czech National Bank, Romanian National Bank, Financial Market Authority Austria) and EU authorities such as the ECB.
 

Do you have any questions or need help?

Start your individual journey with ORBIT.