Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
Hi, I'm Andrew Keith Walker.
Hi, I'm Laura Rodriguez, and this is the number one regulatory reporting podcast in the EU, the UK and around the world.
So join us as we go behind the scenes and under the hood to look at the big issues and news stories, companies and personalities who are shaping the world of regtech, fintech and trade repositories.
(00:28):
Welcome to the REGIS-TR Roundup.
And remember, this podcast is brought to you by REGIS-TR, which is a SIX company and features members of the REGIS-TR team and special guests offering their personal opinions, not the opinions of REGIS-TR as an organization.
There is no representation made as to the accuracy or completeness of information in this podcast, nor should you take it as legal, tax or other professional advice.
And welcome back to the REGIS-TR Roundup.
(00:56):
We are back, and it's a big month for everybody this month, because it is none other than the month where EMIR Refit, the thing we've been talking about for so long, the big disruptor for the industry, this year's biggest piece of regulatory change for many market participants, goes live.
Yes, that's our special.
(01:16):
EMIR Refit has gone live.
And how did it go for you?
Will it be A or will it be A?
We'll only find out in the next episode, when we get the initial feedback and responses from people in their post-live environment.
And, of course, some of our brilliant guests who are with
(01:38):
us today can feed back to us what ESMA thinks as well.
And on that topic, we should get straight into this week's show, which is looking forward to the next milestone piece of regulatory change, and that is, of course, the DORA regulation that's coming in.
Yes, the Digital Operational Resilience Act, that's the theme
(01:59):
for today's show.
Yes, it's time for us all to sit down and explore the DORA regulation.
I'm sorry, I'm sorry.
There'll be a lot of puns, possibly, in this episode, and what we're going to need, of course, is lots of boots on the ground for a show like this.
And so joining us, of course, is my regular co-host and someone who is really in the hot seat here, someone who's always
(02:20):
got a map in her backpack.
It is none other than Laura Rodriguez, our head of institutional relations.
Laura, welcome back.
Speaker 2 (02:28):
Hi, Andrew.
Thank you very much.
Speaker 1 (02:31):
And joining us from Laura's team, we have our senior institutional relations officer, Ozrin Yuschevitskuti.
Ozrin, welcome to the show.
Speaker 4 (02:40):
Hi, hello everyone.
Speaker 1 (02:41):
Hey, well, not a first time, of course.
Regular listeners will have heard Ozrin on the show before.
We need double institutional relations power today, because this is a big institutional shift.
We also are going to need a legal expert.
So very fortunately, we have Alfonso de la Puente from the legal team at BME and SIX.
Alfonso, welcome to the show.
Speaker 3 (03:01):
Thank you, good morning, and thanks for inviting me to the podcast.
Speaker 1 (03:04):
It's great to have you along, Alfonso, and of course it's a tech-driven piece of legislation.
It's all about security and tuning up your digital system, so we need a tech expert too, and for that we have REGIS-TR's Information Security Officer, Manuel Requerro Valenzuela.
Manuel, welcome to the show.
Speaker 5 (03:26):
Hello, hi, thank you for having me here.
Speaker 1 (03:28):
Great, well, thanks for joining us.
Okay, so we have got our crack explorer team here for us to head off and make sure that no hackers do any swiping.
For those of you listening who think there are way too many Dora the Explorer gags, I promise I'm stopping it right there.
Okay, that's it.
That's it, no more.
We'll get on with the serious portion of the show, and so I'm
(03:59):
going to start off with Laura and Ozrin.
Give us a brief overview of DORA and its significance for the European financial sector, because it's important, isn't it?
Not just for regulators, but for financial entities that fall under the scope of DORA as well, of which there are many.
So Laura, set us off.
What does this mean for ESMA and for the regulators?
Speaker 2 (04:16):
Okay, let's start with, as you know, DORA.
It already entered into force in January of 2023, but it will start applying from January of next year, 2025.
So that's important to know, that in less than a year, we
(04:39):
will have already this regulation in place.
And what's the primary goal?
Let's say, why is it so important?
Mainly, the idea is to strengthen the IT security for the financial entities, for example, banks, insurance companies, investment firms, and by strengthening the IT security, it is expected that the financial sector remains
(05:00):
resilient when we have any difficult time, in operational disruptions, for example.
To make it more straightforward how to address these issues.
And another of the main goals of DORA is, of course, to harmonize the rules that are related to all the operational
(05:23):
resilience across the different types of financial entities and the ICT third-party service providers.
And the best way to do it is indeed to harmonize all the EU regulations that are related with digital resilience.
So, at the end, this harmonization should simplify
(05:43):
the compliance efforts for the financial entities by providing one clear guidance and the clear expectations of what all the financial sectors shall apply for this.
So I guess that's the main significance of DORA, how it
(06:05):
applies across all the financial sectors.
Ozrin, coming to you.
Speaker 1 (06:09):
There's detail here, isn't there?
So before we zoom in to the sort of complex, nitty-gritty, technical bits, just give us a sort of broad outline of the key elements of DORA, the timelines, what market participants or financial entities can expect to be published and the deadlines they're facing.
Speaker 4 (06:33):
So now, with the ESAs, between 16th of January 2023 and 17th of January 2025, they have to establish regulatory technical standards and also implementing technical standards to explain DORA level 1 integration.
So they did it in two batches.
So we have the first batch that includes RTSs on ICT risk
(06:59):
management framework and RTSs on simplified ICT risk management framework.
Also RTSs on GRIPS criteria for the classification of ICT-related incidents.
Then ITS to establish the templates for the register of information, and RTS to specify the policy on ICT services performed by ICT third-party providers.
(07:20):
So this first batch was already published on the 17th of January 2024.
They submitted it to the European Commission, that has now to approve them.
The second batch of the RTSs and ITSs, we already had consultation papers back in December, and the final reports
(07:43):
we expect to have on 17th of July.
And the second batch of RTSs includes RTSs and ITSs on content, timelines and templates on incident reporting, guidelines on aggregated costs and losses from major incidents, RTSs on threat-led penetration testing, RTSs on subcontracting of
(08:04):
critical or important functions, RTSs on oversight harmonization and, finally, guidelines on oversight cooperation between ESAs and competent authorities.
So we have these two batches that explain all RTSs and ITSs, and that we also have been looking at from the trade repository side, analyzing and also, of course, participating
(08:25):
in consultation papers.
Speaker 1 (08:27):
Alfonso, okay, you are today's legal expert, you work in the legal team at BME and SIX, and I'm guessing, from a sort of legal and compliance viewpoint, this is a huge amount of work for financial entities to get into.
So what I want to know is, you know, how does this create a
(08:51):
workload that's going to fill those gaps in existing cybersecurity and digital resilience frameworks, because, of course, a lot of these policies are kind of already in place for market participants and financial entities.
Am I correct in thinking that?
Speaker 3 (09:13):
Yes.
So the first thing that we need to take into account in order to implement and adapt to DORA regulation is related to what you were saying.
We need to perform, all the financial entities, at the first stage, a gap analysis on the level one regulation and also on the RTSs and ITSs, because the first thing is knowing how are
(09:35):
we in terms of DORA compliance?
I mean, what policies, security policies, do we have in place?
What incident reporting procedures do we have in place?
Are they DORA compliant?
Are they not?
Also, we need to map every ICT service that we've been provided
(09:55):
with, in my opinion, the critical and also the non-critical ones.
It's better to have the full list here, and also because we need to report those services and also the associated contracts.
So this will be, in my opinion, the first step that every financial entity should have already performed.
On a second and later stage, we need to focus also on the
(10:21):
possible or potential implementation of technological solutions that could contribute to the entity's operational resilience.
As you said, maybe there are some tech solutions that are required by DORA but that some financial entities already have in place.
So that's why the gap analysis is really, really important.
Then we have to focus on the governance and the mandatory
(10:45):
awareness and training sessions for all personnel, including senior management, and for me, this is one of the most important points of the process that we have in every financial institution to adapt to DORA, because it's great if we have a policy, a procedure in place to comply with DORA, but imagine
(11:07):
that somebody is not aware of that, or maybe is not aware of the different obligations that they will have to perform under DORA.
So the most basic thing is to make everybody aware that DORA is coming.
DORA is a reality, and we'll have
(11:31):
to work on DORA from 17th of January 2025.
Then, also, we need to foster, in case it is needed.
I mean, also, this depends on the actual practices of every financial institution.
We need to get the governing body more involved in this kind of decision, situations, reports, everything.
Regarding the responses, we need to, if needed, adapt the
(11:53):
incident response framework, which is one of the main pillars of DORA, one that Ozrin already commented on, and obviously we need to enforce the tech pentest operational resilience test
(12:14):
that every financial entity is currently performing.
And obviously we need to have control over the ICPF and other service providers that we are working with, and we need to register that information, because we'll need to report that information.
And all these things that we need to take into account for DORA are really important, but not just in terms of DORA compliance, but just in terms of the IT
(12:34):
security framework that we have.
I mean, it is a fact that nowadays the security framework of all these entities is more commonly in danger.
There are more hackers trying to attack.
We need to be prepared.
So this is a reality that is here, and we need to be ready.
This is a great tool to be able to fight back against those
(12:56):
incidents.
Speaker 1 (13:00):
If I'm reading this right, there are these three layers.
It's a three-pronged piece of legislation, in a way, because you've got the internal changes that need to happen, presumably with contracts and frameworks and all the usual compliance processes, but you've also got these operational changes and new activities that have to take place.
There's going to be a new layer of work on top, and also you
(13:24):
have a lot of training and orientation work that needs to be done as well to go along with that.
So I'm going to ask you one more question on that front actually, Alfonso, which is how, on the legal side, so looking very much at the contracts and sort of compliance issues, you know, how is it affecting your day job and your outlook?
(13:47):
I mean, what?
How are you preparing SIX and BME and the broader group?
How are they preparing for the legal ramifications of DORA?
Speaker 3 (14:01):
So I have to say that, not because I'm a lawyer and obviously I focus more on the contractual side of DORA, which is true, I mean I have to know about the IT and tech side, but for me the most important one is the contractual one.
I have to say that this is one of the hot topics about DORA.
There has been a lot of controversy, because we need to
(14:23):
have a contractual template in place.
Well, a contract signed with every ICT third-party service provider covering the different aspects that Article 30 of DORA obliges us to.
So is it easy to have this contract in place?
Yes, and I'm sure that most of the financial entities, we
(14:46):
already have a contract in place that covers, if not all, most of the provisions that we need to include in every contract, such as, for example, having an SLA in place.
We need to have an exit plan, we need to be careful about how we treat data, and many other aspects that we need to consider
(15:07):
contractually speaking.
So, with Article 30 of DORA and also the provisions of the RTS on subcontracting, we all can have that template in place, or at least we all can be aware if our contracts are 100% DORA compliant.
But this is a little bit more difficult than this.
(15:29):
It's a bit tricky, in my opinion.
Why?
Because having a contract drafted, it's easy.
We have all the information we need for the contract.
I mean, of course there are some provisions that can be misunderstood or whatever, but in general terms we can have that template.
I mean, all the financial entities should already have a
(15:51):
template like that.
But it is also true that Article 30.4 of DORA makes a reference to some standard contractual clauses that will be provided by the competent authorities to all of the financial entities.
It is true that this article has a nuance, because it refers to standard contractual clauses for a specific kind of services,
(16:14):
but I have to say that the entire sector is expecting to receive those standard contractual clauses.
But why?
Because, as I said, having a contract already is easy, but negotiating the contract is not that easy.
We have multiple ICT third-party service providers.
We have dozens, and I would say maybe hundreds, depending on
(16:36):
the financial entity, hundreds of contracts.
And of course, if everybody has its own contract, not compliant, we'll need to negotiate, and everybody will feel more comfortable with the terms, because even if the provisions to include are the same, at the end there are always nuances or different interpretations.
So the work that we have to do to adapt contractually to DORA,
(17:00):
it is not easy without those clauses.
So maybe this is a good chance also to request the templates from the competent authorities, because it will make really, really easy for us our contractual adaptation to DORA.
And, of course, it's not also easy for us, but it will be
(17:22):
great because it will help enforcing the contractual framework around DORA, and if we all submit to the same set of standard contractual clauses, it will be more secure for sure, not just contractually speaking, but because we have to focus on what's behind the contract.
I mean, all the provisions that will imply different procedures or IT technicalities.
Speaker 1 (17:41):
So, from the compliance and legal aspects, we come to the really chewy part, the heart of DORA, which is, of course, information security.
And, Manuel Requero, you are the chief information security
(18:03):
officer for REGIS-TR, so you're already obviously an expert in the kind of threats that come in daily for publicly accessible systems.
We know about DDoS.
There have been some very high-profile ones alleged recently where, you know, we know Instagram went out for a while and Facebook goes out for a while.
It's something social networks have to deal with all the time.
We also saw massive outages here in the UK for supermarkets
(18:29):
and their online banking systems.
There were some major disruptions there which could have been DDoS related, we don't know, or hacking related.
There isn't a huge amount of transparency, and companies don't always admit when these things have happened, and I'm guessing this is going to be a major overhaul of systems, but also IT
(18:49):
reporting processes for entities.
So give us that sort of big picture from an information security viewpoint.
Speaker 5 (19:05):
I'm sure, I mean, let's start, I mean, first.
I mean REGIS-TR is a very supervised entity, so I mean it's not really new for us.
As you can imagine, we're very used to reporting our incidents, major incidents, to our supervisor and authorities, so
(19:27):
it's not new.
And I can say that we have been, let's say, preparing for this even before.
Maybe DORA, because I mean, at the end, what DORA wants to implement are good practices.
So if you perform constantly gap analysis, review and compare against, let's say, standards, for example, the ISO 27001, that
(19:53):
is business continuity, let's say best practices, you're kind of in a good point.
And because we also entered into SIX recently, we need to perform this, let's say, gap analysis from a very, let's say,
(20:17):
complex and very robust framework.
So when DORA came out, of course I mean, and you read, I mean, basically it harmonized all these, let's say, good practices and regulation into one.
So, as it was explained before, of course I mean it's going to
(20:38):
be an impact, but the good thing is that it makes you rethink everything you have.
Not only is my framework, from a, let's say, documentational perspective, aligned with DORA, but it also makes you rethink like, okay, so what are the tools that I'm using?
What are the processes that I'm using?
What's my maturity level?
(20:59):
I'm unable.
For example, we think about incident management.
Do I have all the information required to report to DORA, because I mean we need to have all the logs in place, a system of information event monitoring in place.
Are all my applications covered by all these tools?
(21:21):
Are they properly configured?
So all these questions are.
This comes up when you're reviewing and see if you're going to be aligned.
Of course I mean it will have an impact, because of course I mean there will be some investment that has to be done.
There will be also processes that have to be rethought and modified
(21:42):
in order to comply with DORA.
But again, I think that any, let's say, financial entity that is used to performing, as we do continuously, penetration tests to critical applications and infrastructure, performing a security assessment based on standards and good practices.
(22:05):
I mean, I think you're in a very good starting point, and maybe the impact is not going to be as big of an impact.
Speaker 1 (22:15):
Just precisely who is in scope for DORA?
Is it all CCPs, trade repositories, CSDs, I mean, is it just large public infrastructure?
Or does it cover a broader set of financial entities, because it's not all market participants and NFC pluses and NFC minuses and everyone else, is it?
Just give us a reminder of precisely who falls under DORA.
Speaker 4 (22:45):
Okay, so we have under the scope of DORA different financial entities that we have listed in DORA Level 1 regulation under Article 2.
So actually it includes quite a wide spectrum.
So we have credit institutions, payment institutions, investment firms, banks, of course, trading venues, trade
(23:05):
repositories, that's why it applies also to REGIS-TR, and also third-party service providers.
So we have an extensive list of all the entities that have to follow DORA.
And, of course, DORA was also introduced in the way of the
(23:27):
proportionality principles, so we have to look also more into details what exactly applies to each entity, and there are also some different exceptions for micro entities, how they have to apply DORA and all the requirements.
Speaker 3 (23:44):
Also, we need to consider every specific regulation that applies to each of the financial entities.
We do not have to forget about CSDR, EMIR, MiFID and all the applicable regulations which, well, do not regulate the security and operational resilience that DORA does, but
(24:05):
will always need to be considered.
Speaker 1 (24:06):
We've got the implications of DORA touching upon not just, obviously, the financial entities that are in scope, but on the activities of financial entities that mean they have a digital requirement attached to them.
Okay, now I'm going to pause it there for a minute.
I'm going to ask Laura one of your favorite questions.
As our head of institutional relations, I feel it's only fair
(24:30):
that I throw the hot potato at you.
And that is, what about Brexit?
Now I've got to say there are suppliers based in the UK who are supplying into European entities who will fall under the scope of DORA, and there are various regulations that will apply that are in EU law, not UK law.
Speaker 2 (24:56):
Well, the idea is to make it as straightforward as possible, but it's true that the UK, the FCA, is also exploring an operational resilience regulation itself.
For the moment it's not as mature as in the EU.
They started last year a consultation paper that the
(25:19):
participants have been responding to so far, but for the moment it's ongoing.
Probably it won't apply at this stage to trade repositories, the current scope that they are defining, this first approach, but of
(25:41):
course it will apply to all the different financial entities, because the scope is kind of different.
But I invite everybody to go to the FCA website, look into the operational resilience consultation and have a look at it because, for sure, as everything has always happened,
(26:03):
if this is going to be applied to the EU next year, something soon will come for the UK, and that will give answers to all these questions.
Speaker 1 (26:14):
There is a major element here, isn't there?
Which is having incident response processes baked in at different levels across the organization.
Are we fudging the lines between compliance and information security here?
As Chief Information Security Officer, you're going to be responsible for making sure that the incident reporting is
(26:37):
compliant and taking place, and working very closely with compliance.
Is that going to be a major new sort of work stream on your desk?
Speaker 5 (26:52):
Well, at the end, if we think of what DORA wants, it's basically, in the incident reporting, let's say, pillar, basically just to harmonize and centralize all the reporting to regulators so they can act or avoid spreading any
(27:17):
kind of impact.
So this is something that, as I mentioned before, I mean we already perform reporting to our supervisors, in terms that we perform, for example, in the case of security, twice per year.
We have to share information with them of our threats, the
(27:38):
incidents that we have, and ensuring this information is very useful for them also to be prepared and also, if they have to, let's say, contact other legal entities, that is very useful.
We also perform, for any major incident or any cybersecurity incident, we also have to provide this information to our authorities.
(27:59):
So I mean I would say that maybe for small institutions that are not used to this, I mean it's going to be a very huge impact, to be honest, because I mean you have to implement a lot of, let's say, different sets, like you have to ensure that you have early warning indicators so you are aware, like, if you
(28:24):
have an incident, how do you detect it?
Do you detect it on time?
How can you basically verify and meet all the, let's say, this template that is also provided?
Can you provide information of who did something, when, what is impacted?
So that's why you have to maybe go outside just the incident
(28:48):
reporting, let's say, but also consider everything you have.
Do you have an asset inventory in place?
Do you have all the tools in place?
Do you have a logging system in place so you can identify everything?
Do you classify your incidents?
How do you manage them and, of course, how do you report it?
So yeah, I mean it's not going to be, it's very compliance
(29:11):
related, because now it's part of our regulation, but at the end, it's something that, if you're a mature enough organization and if you perform, as I mentioned before, and you compare against good practices and standards, it's something that you have.
But again, you now have to do this analysis to see if all the
(29:33):
information they requested, you can provide it on time and it's to be useful for this regulator.
So, yeah, I mean it's in the middle, things that are already performed from a security perspective, but now trying to follow these new requirements of what needs to be reported and how fast, to report this as soon as possible.
Speaker 2 (29:55):
Totally agree with you, Manuel, and from the trade repository perspective, we can speak from the experience, as you said, because we have been compliant with the periodic reporting and notification guidelines for ESMA since 2020.
And we have seen that, for example, for the incident part,
(30:17):
we needed a period of adaptation to ensure and to be efficient.
I mean, we started in 2020.
Now, in 2024, we can say that we report incidents in an efficient and dynamic way.
But it took us a lot of time to do it, because also the guidelines were very restricted.
Let's say that in 24 hours you need to notify a specific number
(30:40):
of details of information and then resolutions, timelines of resolutions, impact analysis.
I mean, it's a huge amount of information for something that is happening in a system.
You need to report it.
At the same time, you need to work on how to handle it and not
(31:01):
disrupt the rest of the services.
So, yes, I said from our experience, it's something that financial entities need to review with time, because it really takes a lot to be efficient in this part.
(31:21):
So it's a huge challenge.
I'm sure that many entities, they are already reporting this type of incident or similar ones, but having a standardized one is not that easy and, of course, even the one that we have now as a trade repository.
It will change with DORA, so at the end all the entities will
(31:45):
need to adapt again.
Speaker 3 (31:47):
It's really interesting, Laura, that you make reference to the transitional period that you had at your time some years ago, because I think that here, with the reporting in the case of registries, they are really used to reporting incidents on a recurrent basis.
But we need to take into account the proportionality principle, not just because some entities will not have a huge
(32:08):
amount of resources dedicated to incident reporting, but also because, as they are not used to that, we do not have to forget that the most important part of an incident is solving the same, not reporting the same.
So we'll need to be really careful with this, and if we do not have a transitional period to adapt, I mean all the
(32:31):
financial entities, proportionality will play a huge role.
Speaker 1 (32:41):
Something you pointed out to me when we were sort of prepping for today's show, I was confused because I saw a lot of press coverage around the NIS 2, the Network Information Security Act 2, that's going around and applies obviously beyond the financial sector but seems to be overlapping with areas of DORA, and there's been quite a lot of journalism in the press that says that NIS 2 and DORA have some sort of overlaps.
(33:03):
And actually which one should you prioritize, depending on the entity you are and which one you fall under the scope of?
And then of course, there was a big story about, you know, in the Netherlands.
They weren't going to be enforcing NIS 2 at this point.
There seems to be a lot of tech-driven regulation right now that seems to be happening simultaneously, and I'm just
(33:23):
wondering, can you clarify for us the difference between NIS 2 and DORA and which one takes precedence, which one's more important, especially for our listeners?
Speaker 4 (33:37):
Yes, sure, thank you for the question, Andrew.
So, of course, DORA and NIS 2, which stands for Network Information Security 2.
So, in general, there are two major pieces of European cybersecurity legislation, right, but what's important to stress, probably, is that the Network Information Security 2 is a directive, whereas the Digital Operational Resilience Act, DORA,
(34:01):
is a regulation.
So what does it mean?
So, as NIS 2 is a directive, it must be transposed into the national law of each member state before it can be applied.
So each country now must transpose this directive by October 2024.
DORA is already a European regulation.
So it will be applicable as it is, as it stands.
(34:23):
So the text is as it is, and it will be applicable to all EU countries from January 17, 2025.
So, first of all, we have this, and what it means, so that DORA is lex specialis of NIS 2, so this is a principle which states that a specific law takes precedence over a general one.
So, for entities subject to DORA, this text therefore
(34:45):
prevails over NIS 2.
However, this does not mean that NIS 2 obligations are no longer applicable, of course, to entities affected by both texts.
Also, there are some differences in objectives and the scope of both legislations.
So, for instance, in terms of objectives.
(35:07):
NIS 2 aims to strengthen the global level of cybersecurity within the European Union, and DORA, we already talked, aims to ensure the integrity and availability of the financial sector.
So it goes through the financial sector.
Also, they do not cover the same entities.
So NIS 2 concerns essential entities and important entities
(35:27):
, and DORA covers the financial sector, so through 21 specific types of entities.
So I think this would be the main difference between these two legislations.
Speaker 2 (35:38):
That's the kind of exciting part, isn't it?
Speaker 1 (35:39):
That's the bit where anyone who's seen, you know, movies like, you know, Mission Impossible or Hackers or any of those things.
That's the one where people immediately go to when they think of cybersecurity and that kind of stuff.
Is that going to be a major change for you, rationalizing that on your side, or are there bigger headaches within DORA?
Speaker 5 (36:07):
Let's start off kind
of explaining what, or trying to
explain what a thread-ledpenetration test is, and testing
the different testing actors,right?
So in a thread-led penetrationtest, you have what we call a
blue team, right?
Also, dora introduces the blueteam.
They also take all thereference from a previous
(36:29):
regulation, that is, the TBRUregulation.
They also talk about this typeof test.
So you have the blue team.
That is basically your firstline of defense team.
You have all the incidentresponse team.
You have your securityoperational center team networks
, everyone.
So they're the one that let'ssay they have to be prepared and
to be prepared.
Of course everyone.
So they're the one that let'ssay they have to be prepared and
to be prepared.
(36:49):
Of course they have to have all the information and constantly
double-check all their procedures, the playbooks that
they have to follow, and also, most importantly, the financial
entity itself has to have a very strong awareness program,
because, I mean, in this type of test, there's a red team that
(37:12):
is going to try to access your asset systems by any means, so
they can attack everyone, right?
So that's why everyone in the organization is important to be
aware of all these kinds of threats.
So, as I mentioned before.
Then you have a red team that has to specialize in this
type of testing that has to be performed.
Then you also have the cyber threat intelligence team.
(37:35):
That is the key part, because they're the ones that are
going to define the scope and help you identify real scenarios
that can be used to, let's say, exploit all those possible
vulnerabilities that you can have, right.
And then, finally, you have the white team.
That is the team that performs the follow-up and the
(37:58):
coordination of the test.
That is basically the regulator, supervisor and also management
from the legal institution.
So, yeah, it's going to be, and something that is also
important that not many people know is that this type of test,
there's like a it's kind of a secret, this type of test,
(38:20):
because hackers don't know when it's going to start.
Speaker 1 (38:21):
So, by the way, we're
going to DDoS.
Speaker 5 (38:24):
They just have to be
prepared.
Yeah, correct.
So basically they don't know when or what type of attack is
going to take place.
So that's why, as I mentioned before, they have to constantly
analyze all the, make sure they have all the system tools,
ensure that all the tools are configured and applied to all
(38:45):
critical applications and infrastructure and, again, a
very strong awareness campaign, because if someone tries to gain
access through a phishing campaign, they can basically attack the
CEO or someone to gain that type of access.
So of course, I mean, it's going to be an impact, because I mean
also this type, this type of test, let's say, is a bit
(39:10):
expensive, because I mean because of all the planning, all
the people that have to be involved and the time, because
it's not like a normal penetration test that you can
define to a scope and perform the test like in a week.
Right now, this type of test maybe is a month, because I mean
it can start one month and then in two other months they can
(39:33):
test another, try to get to another asset, for example.
So it's not something that is easy to perform.
It's quite complex.
Speaker 1 (39:45):
And, from the legal
perspective, how should entities in
scope and their suppliers be preparing for DORA?
Speaker 3 (39:58):
So here I will say
that the first thing is that we
need to receive the final draft of the RTS on subcontracting, as
well as some responses by the regulators, and as soon as we
have all of our doubts solved, I guess maybe collaboration is a
nice tool.
I mean, the ideal scenario for me will be having a transitional
(40:21):
period for negotiating all the contracts, because, let me be
honest here, it's going to be really difficult to have every
contract in place, fully adapted to DORA in every case, and I'm
talking not from my personal point of view, but I'm just
repeating what all the financial entities have already said in
(40:41):
other forums, such as the webinars that were held by ESMA
during the consultation papers period.
So a transitional period will be perfect.
Another thing that we need to take into account that will be
quite useful is collaboration, because before we were talking
about the five or six pillars under DORA, the one regarding
(41:03):
the reporting of the incidents aims to offer some transparency
that will bolster the security framework that all the entities
have, thanks to the information that can be shared.
I mean, we need to obviously have limits in terms of what
information can I share or not?
(41:24):
I mean, if I am, and, Manuel, please correct me if I'm wrong,
because this is maybe a little bit more techie, if I am attacked
and my password is discovered, I'm not going to say to the
entire financial sector, hey, I was attacked and this was my
password. No, no, no, I will tell them about the attack and
the tools that they use so they can be prepared.
(41:44):
So, in terms of transparency, it will be also helpful for the
financial entities to cooperate and to help each other, like,
for example, negotiating the contracts together, trying to
talk to each other and see what everybody is doing to adapt
contractually to DORA.
So, yeah, we all need to cooperate and collaborate.
(42:06):
We are all on the same page and this is good and beneficial for
all the financial entities.
Speaker 1 (42:08):
Manuel, Chief Information
Security Officer, what's your
advice to entities in scope and their suppliers to prepare for
DORA?
What do you think should be your first step right now?
Speaker 5 (42:27):
Well, as I mentioned
before, maybe if they have
already performed, you know, like they have compared against good
practices, standards, and they perform continuous tests, for
example, if they perform disaster recovery tests, if they
perform tabletop exercises, for instance, management, if they
(42:49):
focus on closing all those identified gaps, for example,
you're in a good position.
Basically, and as it was mentioned before, the starting
point is to get the regulation, make a deep dive analysis, a gap
analysis, evaluate the maturity of your controls against DORA,
basically rethink everything.
(43:10):
You already know what the process is, applications, have an
inventory, identify all critical functions, applications
, so have a very broad vision of everything and, of course, we
cannot forget, have a very strong awareness and training.
Okay, and Azrin, what about from your side?
Speaker 1 (43:32):
What sort of advice
should entities like RegiCR be
giving to their clients relativeto DORA, if they fall within
scope?
Speaker 4 (43:49):
Well, I think I would also, you know, agree with Manuel and, of
course, also what was already said.
So, mainly, I would start first of all with the gap analysis.
So, just, you know, take the DORA Level 1 legislation and go
through it and see, you know, what you already have in your
company, you know, what order you are applying and what changes
(44:11):
you have to apply.
So, just to check the impact and really understand, you know,
how you have to adapt from 2025.
So I would say, first, gap analysis of DORA Level 1.
So just to see, you see now all the regulatory requirements.
We already know that we have RTSs and ITSs from the first
(44:32):
batch that they mentioned before, already published.
So we have final reports, and they were on the 17th of January
.
So we also could start doing this analysis as well while
we're still waiting for the second batch in July.
But we could already look at all those details so we can see
how the register of information, for instance, needs to be built
(44:54):
, what are all the templates and details that we'll need to
report.
So we could already start gathering information for this
one, for instance.
We could also see how the incidents will be classified and
we could also see what the ICT risk management framework really
requires, what policies and procedures need to be in place,
so we could order something that we could already start
(45:16):
building and already start preparing, you know, for 2025,
because the idea of these two years, you know, between when it
was published and came into force and it will become
applicable, is to really prepare for that, and that's what
actually Trader Force is already doing.
So we are on track there and I would like all the financial
(45:40):
entities to do the same.
Speaker 1 (45:41):
You're there in the
hot seat, as always, between
ESMA and the industry, and I want to ask you, I'm guessing there
are webinars, events, various different opportunities, working
groups may be being set up, just give us some idea of how the
industry is going to come together around DORA, as it has
done around EMIR and all the other legislation, SFTR and
(46:03):
things we've covered, and the role that REGIS-TR is
playing in that.
Speaker 2 (46:12):
You read my mind,
Andrew, because that's actually
the point that I wanted to note for all the listeners.
The ESAs, the European Supervisory Authorities that are
leading DORA, they are doing specific workshops after
(46:32):
they launch the consultation papers or the RTSs, and it's
really important that everybody, I mean that possible, to
participate to see what they are discussing there, the questions
that the industry is raising there, because maybe you might
have a question from your perspective, we have many
questions from the trade repository perspective, but then
(46:52):
when going to this workshop, we see that it's questions that
all the industry is putting on the table, not only us.
So we can see that there are still things that need to be
clarified and even if the RTSs, some of them, are already there,
there are things that need to be clarified in addition to what
(47:14):
is already published.
So very important to go to the EIOPA, EBA and ESMA websites to
see what information they have there, to see the workshops that
had already been taking place, and follow up very closely, all
the compliance teams from the different entities, to these
(47:38):
updates and these news from the supervisory authorities and, of
course, from our side.
As you know, REGIS-TR is a very supervised entity and ESMA is
our supervisor.
So we are closely collaborating with them already with a
specific exercise that they are asking us.
So we, yeah, because of course, they want their supervised
(48:02):
entities to be prepared for 2025.
So we are closely working with them already.
So that's my advice, too, for everybody. Okay.
Speaker 1 (48:15):
So just if you
thought this was going to be
your busiest month, as much as possible compliance-wise, and
then the rest of the year was going to be plain sailing,
forget it.
It's all starting again first thing Monday morning after
refit has gone live.
So at this point we have to draw these threads together and
give a huge thank you to our very special team of experts for
(48:37):
this show, who have done brilliantly in depth and under
the hood, with the DORA compliance special.
And that is in no particular order.
But starting with a huge REGIS-TR thank you to Alfonso
de la Puente from the legal team at BME in SIX. Alfonso,
thank you very much.
Speaker 3 (49:01):
Thank you very much
for the opportunity.
It's been really fun to be here with you all.
Speaker 1 (49:04):
Also a man who's
given us lots of insights today
and, I should point out, is calling in from home and
battling through a very nasty dose of flu to be on the show
today.
It is the brilliant Chief Information Security Officer for
REGIS-TR, Manuel Requerro of Venezuela.
Thank you very much for joining us today.
(49:27):
Thank you, thank you, and yes, rest. If you work in IT, I'm
telling you that now, anyone out there like myself, who spent
their career working in development and technology, you
will know that nothing stops you from working because you can
always take your laptop to bed.
So thanks for that and also for joining us today.
(49:49):
An old friend of the show, who has been on before with her
insights and information and excellent advice.
It's Ozrin Yusceviscuti.
Ozrin, thank you so much for coming back.
Speaker 4 (50:06):
Thank you, thank you,
thank you very much and thank
you for you.
Speaker 1 (50:07):
Thank you and thank
you, okay, and of course, a huge
thank you goes to my regular co-host, the person who has
been the voice of ESMA for us many, many times.
Not, that's not an official job title, by the way.
I'll just clarify that it is, of course, our head of
institutional relations, Laura Rodriguez.
Speaker 2 (50:34):
Laura, thank you so
much.
Thank you, Andrew.
I never thought we could do a podcast on DORA.
Quite interesting and fun.
You know this is such a complex topic, but yeah, I think our
colleagues did it great and it was fantastic, and I want to
(50:58):
take the opportunity to wish everybody best of luck with the
refit implementation and, of course, we see you here.
Okay, thank you to all our guests for joining us.
Speaker 1 (51:04):
That's been fantastic.
We will be back.
As Laura just said, we're the post-match analysis in our next
show, where we will be finding out how EMIR Refit went and what
the major problems would be, if there have been any problems at
all or if it's run super smooth.
We will find out.
And in the meantime, for taking us through a very, very
complicated topic today and putting up with my terrible Dora
(51:26):
the Explorer jokes, I would like to thank everyone on the
show and from myself and from Liana Sudan, the show's producer
, and everyone here in the virtual studio, REGIS-TR.
We'd like to say thank you and join us on our LinkedIn page
that is linkedin.com/company/regis-tr, and in the meantime,
have a good month, have a safe month.
(51:47):
I hope your EMIR goes well and I hope your cybersecurity
preparations are underway.
Speaker 2 (52:08):
And from all of us
here, bye-bye, let's go.
Dora, Dora, Dora the Explorer, Dora, who's that super cool
exploradora? Me!