Preparing for DORA

On 17 January 2024, the European Supervisory Authorities published their final draft technical standards which we've summarised below.

29 February 2024

Publication

Preparing for DORA: summary of the final drafts of the first batch of regulatory technical standards

The Digital Operational Resilience Act ("DORA") is an EU-wide regulation that aims to enhance the digital operational resilience of the financial sector. DORA covers a wide range of financial entities, such as banks, investment firms, payment service providers, electronic money institutions, insurance companies, and many others, including critical third-party vendors.

One of the key elements of DORA is the level 2 requirements, which specify the technical details and methodologies for implementing the level 1 requirements, i.e. the general principles and obligations established by the regulation.

On 17 January 2024, the European Supervisory Authorities in the financial sector (EBA, EIOPA, and ESMA) published their final draft technical standards in relation to the level 2 requirements.  

The joint final draft technical standards cover the following:

RTS on ICT risk management framework


RTS on ICT risk management framework and on simplified ICT risk management framework

This RTS identifies key components of Information and Communications Technology ("ICT") risk management in order to harmonise tools, methods, processes and policies. 

Policies are required under eight areas:  

ICT asset management: financial entities shall develop, document and implement a policy and procedure on management of ICT assets which should require the monitoring and management of the life cycle of ICT assets and keep appropriate records.

Encryption and cryptographic controls: the policy on encryption and cryptographic controls should be designed on the basis of the results of approved data classification and ICT risk assessment.

ICT project management, acquisition, development and maintenance of ICT systems: the ICT project management policy should ensure the effective management of the ICT projects related to the acquisition, maintenance and development of the financial entity's ICT systems.

Physical and environmental security: financial entities should define, document and implement a physical and environmental security policy, which shall be designed according to the cyber threat landscape, to the classification established according to Article 8(1) of Regulation (EU) 2022/2554 and to the overall risk profile of ICT assets and information assets that can be accessed.

Human resources: financial entities should include ICT security related elements such as identification of ICT security responsibilities as part of their human resource policies.

Identity management and access control: financial entities shall develop, document and implement identity management policies and procedures to ensure the unique identification and authentication of natural persons and systems accessing the financial entities' information to enable assignment of user access rights.

ICT-related incident management: financial entities should develop an ICT-related incident policy which requires certain actions, such as documenting the ICT-related incident management process and establishing technical, organisational and operational mechanisms to support the ICT-related incident management process.

ICT business continuity: financial entities should make sure that they define the objectives, scope, timeframe, criteria, etc. in their ICT business continuity policies.

Further draft technical standards on advanced testing of ICT systems based on threat-led penetration testing will be published on 17 July 2024. 

RTS on criteria for the classification of ICT-related incidents


This RTS defines the criteria for the following aspects:

Classifying major ICT incidents: notable criteria include clients, financial counterparts and transactions, reputational impact, duration and service downtime, geographical spread, data losses and economic impact.

The materiality thresholds for determining significant cyber threats: some of the key conditions include the potential to affect critical or important functions of the financial entity, other financial entities, third-party providers, clients or financial counterparts, and a high probability of materialisation at the financial entity or other financial entities.

The criteria for competent authorities to assess the relevance of incidents to competent authorities in other Member States and the details of the incidents to be shared: these criteria are based on whether the incident has a root cause originating from another Member State, or whether the incident has or has had a significant impact in another Member State in relation to clients, financial counterparts, a branch of the financial entity, a financial market infrastructure or a third-party provider which may affect the financial entities to which it provides services.

This RTS establishes a harmonised process of classifying incident reports throughout the financial sector.

RTS to specify the policy on ICT services


RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers

This RTS defines the governance arrangements, risk management and internal control framework that financial entities should implement if they are using ICT third-party service providers. It requires financial entities to assign the internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements and ensure that appropriate skills, experience and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements, including the ICT services provided under these arrangements.

This RTS also requires financial entities to clearly identify the role of senior management responsible for monitoring the relevant contractual arrangements and ensure that the relevant contractual arrangements are consistent with the financial entity’s ICT risk management framework.

Moreover, financial entities must require that ICT services supporting critical or important functions provided by ICT third-party service providers are subject to independent review and are included in the financial entity's audit plan.

Further draft technical standards on the assessment of and conducting of oversight of ICT third-party providers will be published on 17 July 2024.

ITS to establish the templates for the register of information


This ITS provides 15 templates in the form of tables to be maintained and updated by financial entities to populate the register of information on their contractual arrangements with ICT third-party service providers. These form a single set of templates for all financial entities, sub-groups and groups to report information in the register of information.

The templates include:

  • Entity maintaining the register of information;
  • List of entities within the scope of consolidation;
  • List of branches;
  • Contractual arrangements - general information;
  • Contractual arrangements - specific information;
  • List of intra-group contractual arrangements;
  • Entities signing the contractual arrangements for receiving the ICT services or on behalf of the entities making use of the ICT services;
  • ICT third-party service providers signing the contractual arrangements for providing ICT services;
  • Entities signing the contractual arrangements for providing ICT services to other entities within the scope of the consolidation;
  • Entities making use of the ICT services;
  • ICT third-party service providers;
  • ICT service supply chain;
  • Functions identification;
  • Assessment of the ICT services; and
  • Definitions from entities making use of the ICT services.

Next steps

The final draft technical standards are subject to the endorsement by the European Commission and the non-objection by the European Parliament and the Council. The final versions of the regulatory technical standards will be available after the European Commission's review. Once adopted in the coming months, they will apply to all financial entities within the scope of DORA. The expected date of application of these technical standards is 17 January 2025. 

What should relevant entities be doing now? 

As part of their DORA compliance programme, and in light of these technical standards, financial entities should: 

  • review their current inventory of ICT third-party service providers and contractual arrangements, and map them to the templates provided by the ITS;  
  • establish or enhance the processes and systems to collect, validate, update and report the information required in the templates for the register of information on a regular basis, as well as to monitor any changes in the risk profile or performance of the ICT third-party service providers;  
  • engage with the ICT third-party service providers to ensure that they are aware of the reporting obligations and expectations, and that they provide the necessary information and cooperation to the relevant entities. Consider whether contractual arrangements with those ICT third-party service providers need to be amended to require such reporting; and
  • develop or update the policies and procedures to govern the management of the register of information, including the roles and responsibilities, the escalation and reporting mechanisms, and the audit and review activities.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.