Key takeaways
- European Supervisory Authorities (EBA, EIOPA, ESMA) released draft technical standards under the EU Digital Operational Resilience Act (DORA).
- The technical standards add further detail on ICT risk management framework requirements, criteria for classifying ICT-related incidents, contractual clauses expected to be in place with third-party providers of ICT services (TPPs), and templates for registers of contracts with TPPs.
- Once the technical standards are finalised, they will be mandatory for implementation by financial entities by 17 January 2025, following a risk-based approach that takes into account the size of the financial entity and the nature of its services.
On 17 January 2024, the European Supervisory Authorities in the financial sector (EBA, EIOPA, ESMA) published draft technical standards, as required by the EU Digital Operational Resilience Act (DORA). DORA is an EU regulation which sets out cybersecurity requirements for financial firms. The technical standards cover the following:
- Regulatory Technical Standards (RTS) on the ICT risk management framework and on the simplified ICT risk management framework. These complement the existing guidelines issued by the ESAs on the ICT risk management framework and the requirements in DORA by introducing further specific details (e.g. access control, incident detection and response, business continuity management, and risk management review reporting). Further draft technical standards on advanced testing of ICT systems based on threat-led penetration testing will be published on 17 July 2024.
- RTS on criteria for the classification of ICT-related incidents. These set out thresholds for notifying major incidents and criteria that affect the classification (clients and financial counterparts affected, reputation impact, geographical spread, duration and service downtime, data losses, critical services affected, economic impact). Details of the draft incident notification templates will be published on 17 July 2024.
- RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (TPPs). These focus on contractual arrangements for the use of ICT TPPs (including intra-group providers) and are based on the existing guidelines on outsourcing arrangements published by the ESAs. They set out internal procedures for the approval, management, control and documentation of contracts with TPPs to strengthen accountability within financial firms. Further draft technical standards on how to assess ICT TPPs when sub-contracting services supporting critical or important functions, and on how to conduct oversight of ICT TPPs designated as critical, will be published on 17 July 2024.
- Implementing Technical Standards (ITS) to establish the templates for the register of information. There are 15 templates in the form of tables that are linked together into a single structure. They capture the risk assessment of TPP services, the list of financial entities that use the TPPs, the contracts in place with the TPPs, and information on their supply chain.