ESAs have launched a consultation on the first regulatory and implementation technical standards related to the DORA Regulation.
The entry into force of the DORA Regulation represents a turning point for cybersecurity in the financial and insurance sectors, and complying with its many provisions requires a number of implementation activities. However, the DORA Regulation is not entirely self-contained: it requires the adoption of specific regulatory technical standards, whose drafting is entrusted to the European supervisory authorities.
Specifically, the European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), are called upon to define technical standards that provide operational guidance on the specific requirements introduced by the DORA Regulation. Many of these requirements will have to be specified within a period of 12 to 18 months (depending on the case), leaving the companies concerned to implement the measures identified in the following months and, in any case, by January 2025.
With this in mind, the ESAs have in the past few days launched a public consultation on the first set of regulatory technical standards (RTS) and implementing technical standards (ITS). These technical standards are intended to ensure a consistent and harmonized legal framework for ICT risk management, the reporting of major ICT-related incidents, and third-party ICT risk management.
Let us look in more detail at the obligations these first sets of technical standards introduce under the DORA Regulation.
1. RTS on ICT risk management framework and RTS on simplified ICT risk management framework
Given the close connection between Article 15 and Article 16 of DORA, which govern certain aspects of the ICT risk management framework, the two sets of technical standards have been grouped to ensure a comprehensive and consistent treatment of the topic.
Indeed, this first set of standards defines in greater depth: (i) ICT security policies, procedures, protocols, and tools (including requirements for governance, ICT risk management, ICT asset management, encryption and cryptography, ICT operations security, network security, ICT project and change management, physical security, ICT and information security awareness and training); (ii) control components on access management and human resource policies; (iii) ICT-related incident detection and response mechanisms; (iv) ICT business continuity management components; and (v) content and format of the ICT risk management framework review report.
The requirements in the RTS complement those already set out in the ICT risk management framework provided by DORA. They should be read with Articles 5-16 of DORA, which deal with the same subject matter.
As for the simplified ICT risk management framework, which applies to smaller or less interconnected financial entities, the RTS complements the requirements set out in Article 16 of DORA by specifying aspects related to (i) the elements of systems, protocols, and tools to minimize the impact of ICT risk, (ii) ICT business continuity management, and (iii) the ICT risk management framework review report.
2. RTS on criteria for the classification of ICT incidents
The second group of technical standards specifies harmonized requirements for the classification of ICT incidents by financial entities. Specifically, the RTS defines the classification approach and the materiality thresholds for identifying significant ICT incidents, for which the obligation to report to the relevant authorities is triggered, as well as the criteria and thresholds to be adopted in classifying significant cyber threats. It also identifies the criteria that competent authorities should adopt in assessing whether a significant ICT incident is relevant to competent authorities in other member states, and the details of the information to be shared with them.
3. ITS to establish templates for the information register
The third set of implementing rules (ITS) identifies harmonized templates that financial entities should adopt to establish the register of information on contractual arrangements concluded with ICT service providers at the individual, consolidated and sub-consolidated levels (under Article 28(3) DORA).
The templates were designed with the threefold purpose of the information register in mind, namely (i) to be a structural element of the ICT risk management framework of financial entities; (ii) to enable effective supervision of financial entities; and (iii) to enable the ESA to supervise the contracting of ICT service providers deemed critical at the EU level.
To simplify the setup of registries by financial entities, the draft ITS contains two sets of templates for registries at the individual entity and sub-consolidated and consolidated levels.
4. RTS for policies on ICT services provided by third-party vendors
Finally, this fourth group of RTS focuses on the life cycle phases of managing agreements concluded with third-party ICT vendors. Specifically, the technical standards define the content of policies on the use of ICT services that support critical functions, detailing the following aspects: (i) the pre-contractual phase (i.e., the planning of contractual arrangements, including risk assessment, due diligence, and the approval process for new or significant changes to such third-party contractual arrangements); (ii) the implementation, monitoring, and management of contractual arrangements for the use of ICT services that support critical functions; and (iii) the exit strategy and termination processes. The standards were developed by leveraging experience with the management of outsourcing agreements.
The public consultation on the first batch of technical standards is open until September 11, 2023. Based on the results of the consultations, the technical standards will be finalized and submitted to the European Commission by January 17, 2024, so that they can be adopted in time for the implementation of the DORA Regulation starting January 17, 2025.
However, a second batch of technical standards remains to be published for public consultation, expected by December 2023. This leaves considerably less time for finalizing those documents and, thus, for their subsequent adoption.
The technical standards described above should always be read in conjunction with the DORA Regulation. We have described the many new features of that Regulation in the article “In force DORA Regulation: new cybersecurity obligations for banks, insurance companies, and financial institutions.”
Authors: Maria Chiara Meneghetti and Giulia Zappaterra