The REGIS-TR RoundUp

S10:E5 In-depth Expert Special on the new DORA Regulation

REGIS-TR Season 10 Episode 5

In this show we take a break from EMIR Refit and look at the next major piece of 2024 regulation - DORA the Digital Operations and Resilience Act. This will be a potentially disruptive and complex new set of regulations for EU financial entities, and requires a mix of compliance, legal and technical expertise to ensure your organisation complies. Fortunately, we have our own team from SIX and BME Legal, the Regis-TR chief Information Security Officer, and our Institutional relations team to explain the timelines, contractual changes, supplier relationships and technical implementations you need to get through. Don't miss it!

Speaker 1:

Hi, I'm Andrew Keith Walker, hi, I'm Laura Rodriguez, and this is the number one regulatory reporting podcast in the EU, the UK and around the world. So join us as we go behind the scenes and under the hood to look at the big issues and news stories, companies and personalities who are shaping the world of regtech, fintech and trade repositories. Welcome to the Registr Roundup repositories. Welcome to the Registr Roundup. And remember, this podcast is brought to you by Registr, which is a six company and features members of the Registr team and special guests offering their personal opinions, not the opinions of Registr as an organization. There is no representation made as to the accuracy or completeness of information in this podcast, nor should you take it as legal, tax or other professional advice. And welcome back to the RegisTR Roundup.

Speaker 1:

We are back and it's a big month for everybody this month, because it is none other than the month where EMEA refit the thing we've been talking about for so long, the big disruptor for the industry, this year's biggest piece of regulatory change for many market participants goes live. Yes, that's our special. Amir Refit has gone live. And how did it go for you? Will it be A or will it be A? We'll only find out in the next episode, when we get the initial feedback and responses from people in their post-live environment. And, of course, uh, some of our brilliant guests who are with us today can feed back to us what esmer thinks as well.

Speaker 1:

And on that topic, we should get straight into this week's show, which is looking forward to the next milestone piece of regulatory change, and that is, of course, the DORA regulation that's coming in. Yes, the Digital Operations and Resilience Act that's the theme for today's show. Yes, it's time for us all to sit down and explore the Dora regulation. I'm sorry, I'm sorry. There'll be a lot of puns possibly in this episode, and what we're going to need, of course, is lots of boots on the ground for a show like this. And so joining us, of course, is my regular co-host and someone who is really in the hot seat here, someone who's always got a map in her backpack. It is none other than Laura Rodriguez, our head of institutional relations, Lara.

Speaker 2:

welcome back. Hi, Andrew. Thank you very much.

Speaker 1:

And joining us from Lara's team, we have our senior institutional relations officer, Ozrin Yuschevitskuti. Ozrin, welcome to the show.

Speaker 4:

Hi, hello everyone.

Speaker 1:

Hey, well, not a first time, of course. Regular listeners will have heard Ozrin on the show before. We need double institutional relations power today, because this is a big institutional shift. We also are going to need a legal expert. So very fortunately, we have Alfonso de la Puente from the legal team at BME and 6. Alfonso, welcome to the show.

Speaker 3:

Thank you, Good morning and thanks for inviting me to the podcast.

Speaker 1:

It's great to have you along, alfonso and of course it's a tech-driven piece of legislation. It's all about security and tuning up your digital system, so we need a tech expert too, and for that we have Registriar's Information Security Officer, manuel Requerro Valenzuela. Manuel, welcome to the show.

Speaker 5:

Hello, hi, thank you for having me here.

Speaker 1:

Great, well, thanks for joining us. Okay, so we have got our crack explorer team here for us to head off and make sure that no hackers do any swiping. For those of you listening who think there are way too many Dora the Explorer gags, I promise I'm stopping it right there. Okay, that's it. That's it, no more. We'll get on with the serious portion of the show, and so I'm going to start off with Lara and Azrin. Give us a brief overview of Dora and its significance for the European financial sector, because it's important, isn't it? Not just for regulators, but for financial entities that fall under the scope of DORA as well, of which there are many. So Lara set us off. What does this mean for ESMA and for the regulators?

Speaker 2:

Okay, let's start with, as you know, dora. It became already into force in January of 2023, but it will start applying from January of next year, 2025. So that's important to know that in less than a year, we will have already this regulation in place. And what's the primary goal? Let's say why it is so important. Why it is so important?

Speaker 2:

Mainly, the idea is to strengthen the IT security for the financial entities for example, banks, insurance companies, investment firms and by strengthening the IT security, it is expected that the financial sector remains resilient when we have any difficult time, in operational disruptions, for example. To make it more straightforward how to address these issues. And another of the main goals of DORA is, of course, to harmonize the rules that are related to all the operational resilience across the different type of financial entities and the ICT third-party service provider. And the best way to do it is indeed to harmonize all the EU regulations that are related with digital resilience. So, at the end, this harmonization should simplify the compliance efforts for the financial entities by providing one clear guidance and the clear expectations of what all the financial sectors shall apply for this. So I guess that's the main significance of DORA how it applies across all the financial sectors, ozrin, coming to you.

Speaker 1:

There's detail here, isn't there? So before we zoom in to the sort of the complex, nitty gritty, technical bits, just give us a sort of broad outline of the sort of key elements of DORA, the timelines, what market participants or financial entities can expect to be published and the deadlines they're facing.

Speaker 4:

So now, with ESAS, between 16th of January 2023 and 17th of January 2025, they have to establish regulatory technical standards and also implementing technical standards to explain DORA level 1 integration. So they did it in two batches. So we have first batch that includes RTSs on ICT risk management framework and RTSs on simplified ICT risk management framework. Also RTSs on GRIPS criteria for the classification of ICT-related incidents. Then ITS to establish the templates for the register of information, and RTS is to specify the policy on ICT services performed by ICT third-party providers.

Speaker 4:

So this first batch already was published on the 17th of January 2024. They submitted it to the European Commission that have now to approve them. The second batch of the RTSs and ITSs we already had consultation papers back in December and the final reports we expect to have on 17th of July. And the second batch of RTSs include RTSs and ITSs on content, timelines and templates on incident reporting, guidelines on aggregated costs and losses from major incidents, rtss on threat-led penetration testing, rtss on subcontracting of critical or important functions, rtss on oversight harmonization and finally, guidelines on oversight cooperation between ISAs and competent authorities. So we have these two badges that explain all RTSs and ITSs and that we also have been looking from the trade repository side, analyzing and also, of course, participating in consultation papers.

Speaker 1:

Alfonso, ok, you are today's legal expert, you work in the legal team at VME and Six and I'm guessing, from a sort of legal and compliance viewpoint, this is a huge amount of work for financial entities to get into. So what I want to know is you know, how does this create a workload that's going to fill those gaps in existing cybersecurity and digital resilience frameworks, because, of course, a lot of these policies are kind of already in place for market participants and financial entities.

Speaker 3:

Am I correct in thinking that yes. So the first thing that we need to take into account in order to implement and adapt to Dota regulation is related to what you were saying. We need to perform all the financial entities, at the first stage, a gap analysis on the level one regulation and also on the RTSs and ITSS, because the first thing is knowing how are we in terms of DORA compliance? I mean, what policies, security policies, do we have in place? What incidents reporting procedures we have in place? Are they DORA compliant? Are they not? Also, we need to map every ICT service that we've been provided with, in my opinion, the critical and also the non-critical ones. It's better to have the full list here and also because we need to report those services and also the associated contracts. So this will be, in my opinion, the first step that every financial entity should have already performed. On a second and later stage, we need to focus also on the possible or potential implementation of technological solutions that could contribute to the entity's operational resilience. As you said, maybe there are some tech solutions that are required by Dota but that some financial entities already have in place. So that's why the gap analysis is really, really important. Then we have to focus on the governance and the mandatory awareness and training sessions for all personnel, including senior management, and for me, this is one of the most important points of the process that we have in every financial institution to adapt to Dota, because it's great if we have a policy, a procedure in place to comply with Dota, but imagine that somebody is not aware of that or maybe it's not aware of the different obligations that they will have to perform right under Dota. So the most basic thing is to make everybody aware that Dota is coming. Dota is a reality. The word that Dota is coming, dota is a reality and we'll have to work on the Dota from 17th of January 2025.

Speaker 3:

Then, also, we need to foster, in case it is needed. I mean, also, this depends on the actual practices of every financial institution. We need to get the governing body more involved in this kind of decision, situations, reports, everything. Regarding the responses, we need to, if needed, adapt the incident response framework, which is one of the main pillars of DORA, one that Osrin already commented on, and obviously we need to enforce the tech pen test operational resilience test that every financial entity is currently performing. And obviously we need to have control over the ICPF and other service providers that we are working with, and we need to register that information because we need to report that information.

Speaker 3:

And we need to register that information, because we'll need to report that information and all these things that we need to take into account to Dota are really important, but not just in terms of Dota compliance, but just in terms of the IT security framework that we have. I mean, it is a fact that nowadays, the security framework of all these entities is more commonly in danger. There are more hackers trying to attack. We need to be prepared. So this is a reality that is here and we need to be ready. This is a great tool to be able to fight back against those incidents. If I'm reading this right, there are these three layers.

Speaker 1:

It's a three-pronged piece of legislation in a way, because you've got the internal changes that need to happen, presumably with contracts and frameworks and all the usual compliance processes, but you've also got these operational changes and new activities that have to take place. There's going to be a new layer of work on top and also you have a lot of training and orientation work that needs to be done as well to go along with that. So I'm going to ask you one more question on that front actually, alfonso, which is how, on the legal side so looking very much at the contracts and sort of compliance issues, you know, how is it affecting your day job and your outlook? I mean, what? How are you preparing uh six and bme and the, the broader group? How are they preparing for the, the legal ramifications of dora?

Speaker 3:

so I have to say that, not because I'm a lawyer and obviously I focus more on the contractual side of DOLA, which is true, I mean I have to know about the IT and tech side, but for me the most important one is the contractual one. I have to say that this is one of the hot topics about DOLA. There has been a lot of controversy because we need to have a contractual template in place. Well, a contract signed with every ICT third-party service provider covering the different aspects that Article 30 of DORA obliges us to. So is it easy to have this contract in place? Yes, and I'm sure that most of the financial entities we already have a contract in place. Yes, and I'm sure that most of the financial entities we already have a contract in place that covers, if not all, most of the provisions that we need to include in every contract, such as, for example, having an SLA in place. We need to have an exit plan, we need to be careful about how do we treat data and many other aspects that we need to consider contractually speaking. So, with Article 30 of Dota and also the provisions of the RTS, of subcontracting, we all can have that template in place, or at least we all can be aware if our contracts are 100% Dota compliant.

Speaker 3:

But this is a little bit more difficult than this. It's a bit tricky, in my opinion. Why? Because having a contract drafted it's easy. We have all the information we need for the contract. I mean, of course there are some provisions that can be misunderstood or whatever, but in general terms we can have that template. I mean, all the financial entities should already have a template like that.

Speaker 3:

But it is also true that Article 30.4 of DORA makes a reference to some standard contractual clauses that will be provided by the competent authorities to all of the financial entities. It is true that this article has a nuance because it refers to standard contractual clauses for a specific kind of services, but I have to say that the entire sector is expecting to receive those standard contractual clauses. But why? Because, as I said, having a contract already is easy, but negotiating the contract is not that easy.

Speaker 3:

We have multiple ICT third-party service providers. We have dozens, and I would say maybe hundreds, depending on the financial entity hundreds of contracts. And of course, if everybody has its own contract not compliant, we'll need to negotiate and everybody will feel more comfortable with the terms because even if the provisions to include are the same, at the end there are always nuances or different interpretations. So the work that we have to do to adapt contractually to Dota, it is not easy without those clauses. So maybe this is a good chance also to request the templates to the competent authorities, because it will make really, really easy for us our contractual adaptation to Dota. And, of course, it's not also easy for us, but it will be great because it will help enforcing the contractual framework around Dota and if we all submit to the same set of standard contractual clauses, it will be more secure for sure, not just contractually speaking, but because we have to focus on what's behind the contract.

Speaker 1:

I mean all the provisions that will imply different procedures or IT technicalities and the compliance and legal aspects and come to the really chewy part, the heart of DORA, which is, of course, information security. And, manuel Requero, you are the chief information security officer for RegisDR, so you're already obviously an expert in the kind of threats that come in daily for publicly accessible systems. We know about DDoS. There have been some very high-profile ones alleged recently where you know. We know Instagram went out for a while and Facebook goes out for a while. It's something social networks have to deal with all the time. We also saw massive outages here in the UK for supermarkets and their online banking systems. There were some major disruptions there which could have been DDoS related we don't know or hacking related. There isn't a huge amount of transparency and companies don't always admit when these things have happened, and I'm guessing this is going to be a major overhaul of systems, but also IT reporting processes for entities. So give us that sort of big picture from an information security viewpoint.

Speaker 5:

I'm sure I mean let's start, I mean first. I mean Registry is a very supervised entity, so I mean it's not really new for us. As you can imagine, we're very used to report our incidents, major incidents, to our supervisor and authorities, so it's not new. And I can say that we have been, let's say, preparing for this even before. Maybe DORA, because I mean, at the end, what DORA wants to implement are good practices. So if you perform constantly gap analysis, review and compare against, let's say, standards, for example, the ISO 27001, that is business continuity, let's say best practices, you're kind of in a good point. And because we also entered into SIX recently, we need to perform this, let's say, gap analysis from a very, let's say, complex and very robust framework.

Speaker 5:

So when Dota came out, of course I mean and you read, I mean basically it harmonized all these, let's say, good practices and regulation into one. So, as it was explained before, of course I mean it's going to be an impact, but the good thing is that it makes you rethink everything you have. Not only does my framework, from a, let's say, a documentational perspective, is aligned with Dota, but it also makes you rethink like, okay, so what are the tools that I'm using? What are the processes that I'm using? What's my maturity level? I'm unable.

Speaker 5:

For example, we think about incident management. Do I have all the information required to report to DORA, because I mean we need to have all the logs in place, a system of information event monitoring in place. Are all my applications covered by all these tools? Are they properly configured? So all these questions are. This comes up when you're reviewing and see if you're going to be aligned. Of course I mean it will have an impact because of course I mean there will be some investment that have to be done. There will be also processes that have to rethink and modify in order to comply with DORA. But again, I think that any, let's say, financial entity that is used to perform, as we do continuously, penetration test to critical applications and infrastructure, penetration test to critical applications and infrastructure, perform a security assessment based on standards and good practices. I mean I think you're in a very good starting point and maybe the impact is not going to be a big of an impact.

Speaker 1:

Just precisely who is in scope for DORA? Is it all CCPs, trade repositories, csds, I mean, is it just large public infrastructure, uh? Or does it cover a broader set of financial entities, because it's not all market participants and nfc pluses and nfc minuses and everyone else is it? Just give us a reminder of precisely who falls under DORA.

Speaker 4:

Okay, so we have under the scope of DORA different financial entities that we have listed in DORA Level 1 regulation under Article 2. So actually it includes quite a wide spectrum. So we have credit institutions, payment institutions, investment firms, banks, of course, trading venues, trade repositories that's why it applies also to Registr and also third-party service providers. So we have an extensive list of all the entities that have to follow DORA, extensive list of all the entities that have to follow DORA. And, of course, dora was also introduced in the way of the proportionality principles, so we have to look also more into details what exactly applies to each entity and there's also some different exceptions for micro-industries, for micro-ent, for micro entities, how they have to apply DORA and all the requirements.

Speaker 3:

Also, we need to consider every specific regulation that applies to each of the financial entities. We do not have to forget about CSDR, emir, mifid and all the applicable regulations which well do not regulate the security and operational resilience that DORA does, but will always need to be considered.

Speaker 1:

We've got the implications of DORA touching upon not just, obviously, the financial entities that are in scope, but on the activities of financial entities that mean they have a digital requirement attached to them. Okay, now I'm going to pause it there for a minute.

Speaker 1:

I'm going to ask Laura one of your favorite questions. As our head of institutional relations, I feel it's only fair that I throw the hot potato at you. And that is what about Brexit? Now I've got to say there are suppliers based in the UK who are supplying into European entities who will fall under the scope of DORA and there are various regulations that will apply that are in EU law, not UK law.

Speaker 2:

Well, the idea is to make it as straightforward as possible, but it's true that the UK, the FCA, is also exploring an operational resilient regulation itself. For the moment it's not as mature as in the EU. They have started last year a consultation paper that the participant has been responding to so far, but for the moment it's ongoing. Probably it won't apply at this stage to trace repositories, the current scope that they are defining, this first approach scope that they are defining this first approach, but of course it will apply to all the different financial entities because the scope is kind of different. But I invite everybody to go to the FCA website, look into the operational resilience consultation and have a look to it because, for sure as everything has always happened, if this is going to be applied to the EU next year, something soon will come for the UK and that will give answers to all these questions.

Speaker 1:

There is a major element here isn't there? Which is having incident response processes baked in at different levels across the organization. Are we fudging the lines between compliance and information security here? As Chief Information Security Officer, you're going to be responsible for making sure that the incident reporting is compliant and taking place, and working very closely with compliance. Is that going to be a major new sort of work stream on your desk?

Speaker 5:

Well, at the end, if we think of what DORA wants, it's basically in the instance, let's say, reporting. Nopilar is basically just to harmonize and centralize all the reporting to regulators so they can act or avoid spreading any kind of impact. So this is something that, as I mentioned before, I mean we already perform reporting to our supervisors in terms that we perform, for example, in the case of security, twice per year. We have to share information with them of our threats, the incident that we have, and ensuring this information is very useful for them also to be prepared and also, if they have to, let's say, contact other legal entities, that is very useful. We also perform for any major incident or an old cybersecurity incident. We also have to provide this information to our authorities. Cybersecurity instance, we also have to provide this information to our authorities.

Speaker 5:

So I mean I would say that maybe for small institutions that are not used to this, I mean it's going to be a very huge impact, to be honest, because I mean you have to implement very a lot of, let's say, different sets, like you have to ensure that you have early warning indicators so you are aware, like, if you have an incident, how do you detect it? Do you detect it on time? How can you basically verify and meet all the, let's say, this template that is also provided? Can you provide information of who did something when, what is impacted? So that's why you have to maybe go outside just the incident reporting, let's say, but also consider everything you have.

Speaker 5:

Do you have an asset inventory in place? Do you have all the tools in place? Do you have a login system in place so you can identify everything? Do you classify your incidents? How do you manage them and, of course, how you report it? So yeah, I mean it's not going to be it's very compliance related, because now it's part of our regulation, but at the end, it's something that, if you're a mature enough organization and if you perform as I mentioned before and you compare against good practices and standards, it's something that you have. But again, you now have to do this analysis to see if all the information they requested you can provide it on time and it's to be useful for this regulator. So, yeah, I mean it's in the middle, things that are already performed from a security perspective, but now trying to follow these new requirements of what needs to be reported and how fast, to report this as soon as possible.

Speaker 2:

Totally agree with you, manuel, and from the trade repository perspective, we can speak from the experience, as you said, because we have been compliant with the periodic reporting and notification guidelines for ESMA since 2020. And we have seen that, for example, for the incident part, we needed a period of adaptations to ensure and to be efficient. I mean we started in 2020. Now, in 2024, we can say that we report incident in an efficient and dynamic way. But it took us a lot of time to do it because also the guidelines were very restricted. Let's say that in 24 hours to need to notify a specific number of details of information and then resolutions, timelines of resolutions, impact analysis.

Speaker 2:

I mean it's a huge information, a number of information for something that is happening in a system. You need to report it. At the same time, you need to work on how to handle it and not disrupt the rest of the services. So, yes, I said from our experience, it's something that financial entities need to review with time, because it really takes a lot to be efficient in this part. So it's a huge challenge. I'm sure that many entities they are already reporting this type of incident or similar ones, but having a standardized one is not that easy and of course, even the one that we have now as a trade repository. It will change with DORA, so at the end all the entities will need to adapt again.

Speaker 3:

It's really interesting, dora, that you make reference to the transitional period that you had at your time some years ago, because I think that here, with the reporting in the case of registries, they are really used to report incidents on a recurrent basis. But we need to take into account the proportionality principle, not just because some entities will not have a huge amount of resources dedicated to incident reporting, but also because, as they are not used to that, we do not have to forget that the most important part of an incident is solving the same, not reporting the same. So we'll need to be really careful with this and if we do not have a transitional period to adapt I mean all the financial entities proportionality will play a huge role, something you pointed out to me when we were sort of prepping for today's show.

Speaker 1:

I was confused because I saw a lot of press coverage around the NIS-2, the Network Information Security Act-2, that's going around and applies obviously beyond the financial sector but seems to be overlapping with areas of DORA, and there's been quite a lot of journalism in the press that say that NIS2 and DORA have some sort of overlaps. And actually which one should you prioritize, depending on the entity you are and which one you fall under the scope of? And then of course, there was a big story about you know, in the Netherlands. They weren't going to be enforcing NIS2 at this point. There seems to be a lot of tech-driven regulation right now that seems to be happening simultaneously and I'm just wondering can you clarify for us the difference between NAS2 and DORA and which one takes precedence, which one's more important, especially for our listeners?

Speaker 4:

Yes, sure, thank you for the question, andrew. So, of course, dora and NIST, which stands for Network Information Security 2. So, in general, there are two major pieces of European cybersecurity legislation, right, but what's important to stress, probably, that the Network Information Security 2 is a directive, whereas the Digital Operational Resilience Act, dora, is a regulation. So what it means. So, as NIST 2 is a directive, it must be transposed into the national law of each member state before it can be applied. So each country now must transpose this directive by October 2024. Dora is this already European regulation? So it will be applicable as it is, as it stands. So the text is as it is and it will be applicable to all EU countries from January 17, 2025.

Speaker 4:

So, first of all, we have this and what it means, so that DORA is Lex Specialis of NIS 2, so this is a principle which states that a specific law takes precedence over a general one. So, for entities subject to Dora, this text therefore prevails over NIS 2. However, this does not mean that NIS 2 obligations are no longer applicable, of course, to entities affected by both texts. Also, there are some differences in objectives and the scope of both legislations. So, for instance, in terms of objectives. Nist 2 aims to strengthen the global level of cybersecurity within the European Union, and DORA we already talked aims to ensure the integrity and availability of the financial sector. So it goes through the financial sector. So it goes through financial sector. Also, they do not cover the same entities. So these two concerns essential entities and important entities, and DORA covers the financial sector, so through 21 specific types of entities.

Speaker 1:

So I think this would be the main difference between these two legislations.

Speaker 2:

That's the kind of exciting part, isn't it?

Speaker 1:

That's the bit where anyone who's seen you know movies like you know Mission Impossible or Hackers or any of those things. That's the one where people immediately go to when they think of cybersecurity and that kind of stuff. Is that going to be a major change for you rationalizing that on your side, or are there bigger headaches within DORA?

Speaker 5:

Let's start off kind of explaining what, or trying to explain what a thread-led penetration test is, and testing the different testing actors, right? So in a thread-led penetration test, you have what we call a blue team, right? Also, dora introduces the blue team. They also take all the reference from a previous regulation, that is, the TBRU regulation. They also talk about this type of test. So you have the blue team. That is basically your first line of defense team. You have all the incident response team. You have your security operational center team networks, everyone.

Speaker 5:

So they're the one that let's say they have to be prepared and to be prepared. Of course everyone. So they're the one that let's say they have to be prepared and to be prepared. Of course they have to have all the information and constantly double-checking all their procedures, the playbooks that they have to follow, and also, most importantly, the financial entity itself has to have a very strong awareness program, because, I mean, in this type of test, there's a red team that is going to try to access your asset systems by any means, so they can attack everyone, right? So that's why everyone in the organization is important to be aware of all these kind of threats.

Speaker 5:

So, as I mentioned before. Then you have a red team that they have to specialize in this type of testing that have to be performed. Then you also have the cyber threat intelligence team. That is the key part, because they're the one that they're going to define the scope and help you identify real scenarios that can be used to, let's say, exploit all those possible vulnerabilities that you can have right. And then, finally, you have the white team. That is the team that performs the follow-up and the coordination of the test. That is basically the regulator, supervisor and also management from the legal institution. So, yeah, it's going to be, and something that is also important that not many people know is that this type of test there's like a it's kind of a secret, this type of test because hackers- don't know when it's going to start.

Speaker 1:

So, by the way, we're going to DDoS. They just have to be prepared. Yeah, correct, so basically, way we're going to DDoS.

Speaker 5:

They just have to be prepared. Yeah, correct. So basically they don't know when or what type of attack is going to take place. So that's why, as I mentioned before, they have to constantly analyze all the, make sure they have all the system tools, ensure that all the tools are configured and applies to all critical applications and infrastructure and, again, a very strong awareness campaign, because if someone tries to gain access to a phishing campaign, they can basically attack the CEO or someone to gain that type of access.

Speaker 5:

So of course, I mean it's going to be an impact, because I mean also this type, this type of test, let's say, is a bit of expensive, because I mean because of all the planning, all the people that have to be involved and the time, because it's not a like a normal penetration test that you can define to uh a scope and perform the test like in a week. Right now, this type of test maybe is a month, because I mean it can start one month and then in two other months they can test another, try to get to another asset, for example. So it's not something that is easy to perform. It's quite complex.

Speaker 1:

And, from the legal perspective, how should MTS, its scope and their supplies be preparing for DORA?

Speaker 3:

So here I will say that the first thing is that we need to receive the final draft of the RTS on subcontracting, as well as some responses by the regulators, and as soon as we have all of our doubts solved, I guess maybe collaboration is a nice tool. I mean, the ideal scenario for me will be having a transitional period for negotiating all the contracts, because, let me be honest here, it's going to be really difficult to have every contract in place, fully adapted to Dota in every case and I'm talking not from my personal point of view, but I'm just repeating what all the financial entities have already said in other forums, such as the webinars that were held by ESMA during the consultation papers period, such as the webinars that were held by ESMA during the consultation papers period. So a transitional period will be perfect. Another thing that we need to take into account that will be quite useful is collaboration, because before we were talking about the five or six pillars under DORA, the one regarding the reporting of the incidents aims to offer some transparency that will bolster the security framework that all the entities have thanks to the information that can be shared. I mean, we need to obviously have limits in terms of what information can I share or not?

Speaker 3:

I mean, if I am and, manuel, please correct me if I'm wrong, because this is maybe a little bit more techie If I am attacked and my password is discovered, I'm not going to say to the entire financial sector hey, I was attacked and this was my password, no, no, no, I will tell them about the attack and the tools that they use so they can be prepared. So, in terms of transparency, it will be also helpful for the financial entities to cooperate and to help each other, like, for example, negotiating the contracts together, trying to talk to each other and see what everybody is doing to adapt contractually to Dota. So, yeah, we all need to cooperate and collaborate. We are all on the same page and this is good and beneficial for all the financial entities man well, we all need to cooperate and collaborate.

Speaker 1:

We are all on the same page and this is good and beneficial for all the financial entities. Man well, chief Information Security Officer, what's your advice to entities in scope and their suppliers to prepare for DORA? What do you think should be your first step right now?

Speaker 5:

Well, as I mentioned before, maybe if they have already performed, you know like they have compared against good practices, standards, and they perform continuous tests, for example, if they perform disaster recovery tests, if they perform tabletop exercise, for instance, management, if they focus on closing all those identified gaps, for example, you're in a good position. Basically, and as it was mentioned before, the starting point is to get the regulation make a deep dive analysis, a gap analysis, evaluate the maturity of your control against Dota, basically rethink everything. You already know what the process is applications, have an inventory, identify all critical functions, applications, so have a very broad vision of everything and, of course, we cannot forget, have a very strong awareness and training. Okay and Azrin, what about from your side?

Speaker 1:

What sort of advice should entities like RegiCR be giving to their clients relative to DORA, if they fall within scope?

Speaker 4:

fall within scope. Well, I think I would also, you know, agree with Manuel and, of course, also what already said. So, mainly, I would start first of all with the gap analysis. So, just you know, take the DORA Level 1 legislation and go through it and see, you know what you already have in your company, you know what order you are applying and what changes you have to apply. So, just to check the impact and really understand you know how you have to adapt from 2025. So I would say, first, gap analysis of DORA level one.

Speaker 4:

So just to see, you see now all the regulatory requirements. We already know that we have RTSs and ITSs from the first batch that they mentioned before, already published. So we have final reports, and they were on the 17th of January. So we also could start doing this analysis as well while we're still waiting for the second batch in July. But we could already look at all those details so we can see how the register of information, for instance, needs to be built, what are all the templates and details that we'll need to report.

Speaker 4:

So we could already start gathering information for this one, for instance. We could also see how the instance will be classified and we could also see what ICT risk management framework really requires, what policies and procedures needs to be in place, so we could order something that we could already start building and already start preparing, you know, for 2025, because the idea of these two years, you know, between when it was published and came into force and it will become applicable, is to really prepare for that and that's what actually Trader Force is already doing. So we are on track there and I would like all the financial entities, to do the same.

Speaker 1:

You're there in the hot seat, as always, between ESMA and the industry and I want to ask you I'm guessing there are webinars, events, various different opportunities, working groups may be being set up just give us some idea of how the industry is going to come together around dora, as it has done around amir and all the other legislation, sfr and things we've covered, and the role that Registry Art is playing in that.

Speaker 2:

You read my mind, andrew, because that's actually the point that I wanted to note for all the listeners. The ESAs, the European Supervisory Authorities that are leading DORA they are doing doing specific workshop after they launch the consultation papers or the RTSs, and it's really important that everybody I mean that possible to participate to see what they are discussing there, the questions that the industry is raising there, because maybe you might have a question from your perspective we have many questions from the trade repository perspective, but then when going to this workshop, we see that it's questions that all the industry is putting on the table, not only us. So we can see that there are still things that need to be clarified and even if the RTSs some of them are already there, there are things that need to be clarified in addition to what is already published. So very important to go to the EOPA, eva and ESMA websites to see what information they have there, to see the workshop that had already been taking place, and follow up very closely all the compliance teams from the different entities to these updates and these news from the supervisory authorities and, of course, from our side.

Speaker 2:

As you know, race-tr is a very supervised entity and ESMA is our supervisor. So we are closely collaborating with them already with a specific exercise that they are asking us. So we yeah, because of course, they want their supervised entities to be prepared for 2025. So we are closely uh working with uh with them already. Uh, so that's my uh advice, too, for everybody to uh okay.

Speaker 1:

So just if you thought this was going to be your busiest month, as much as possible compliance wise, and then the rest of the year was going to be plane sailing, forget it it's. It's all starting again first thing thing Monday morning after refit has gone live. So at this point we have to draw these threads together and give a huge thank you to our very special team of experts for this show, who have done brilliantly in depth and under the hood, with the DORA compliance special. And that is in no particular order. But starting with a huge registry of thank you to Alfonso de la Puente from the legal team at BME in six, alfonso, thank you very much.

Speaker 3:

Thank you very much for the opportunity. It's been really fun to be here with you all.

Speaker 1:

Also a man who's given us lots of insights today and, I should point out, out, is calling in from home and battling through a very nasty dose of flu to be on the show today. It is the brilliant Chief Information Security Officer for Registrar Manuel Requerro of Venezuela. Thank you very much for joining us today.

Speaker 1:

Thank you, thank you and yes rest, if you work in IT, I'm telling you that now anyone out there like myself, who spent their career working in development and technology, you will know that nothing stops you from working because you can always take your laptop to bed. So thanks for that and also for joining us today. An old friend of the show, who has been on before with her insights and information and excellent advice. It's Ozrin Yusceviscuti. Ozrin, thank you so much for coming back.

Speaker 4:

Thank you, thank you, thank you very much and thank you for you.

Speaker 1:

Thank you and thank you, okay, and of course, a huge thank you uh goes to my regular co-host, uh, the person who has been the voice of esma uh for us many, many times. Uh, not, that's not an official job title, by the way. I'll just clarify that it is, of course, our head of institutional relations, lar Laura Rodriguez.

Speaker 2:

Laura, thank you so much. Thank you, andrew. I never thought we could do a podcast on Dora. Quite interesting and fun. You know this is such a complex topic, but yeah, I think our colleagues did it great and it was fantastic, and I want to take the opportunity to wish everybody best of luck with the refit implementation and, of course, we see you here. Okay, thank you to all our guests for joining us.

Speaker 1:

That's been fantastic we will be back.

Speaker 1:

As Laura just said, we're the post-match analysis in our next show, where we will be finding out how Amir refit went and what the major problems would be, if there have been any problems at all or if it's run super smooth. We will find out. And in the meantime, for taking us through a very, very complicated topic today and putting up with my terrible Dora the Explorer jokes, I would like to thank everyone on the show and from myself and from Liana Sudan, the show's producer, and everyone here in the virtual studio, regis CR. We'd like to say thank you and join us on our LinkedIn page that is linkedincom. Slash company slash Regis, hyphen tier and in the meantime, have a good month, have a safe month. I hope your EMEA goes well and I hope your cybersecurity preparations are underway.

Speaker 2:

And from all of us here, bye-bye, let's go. Dora, dora, dora, the Explorer, dora, who's that super cool exploradora Me?