The Digital Operational Resilience Act (“DORA”) - Developments

07 March 2024

On December 8 2023, the three European Supervisory Authorities (“ESAs”) - the European Banking Authority (“EBA”), the European Insurance and Occupational Pensions Authority (“EIOPA”) and the European Securities and Markets Authority (“ESMA”) - launched the second consultation on the second batch of Digital Operational Resilience Act (“DORA”) policy products.

The policy documents primarily focus on Information and Communication Technology (“ICT”) and on the following legislative initiatives:

RTS and ITS on content, timelines, and templates on ICT-related incident reporting (Article 20)

This RTS, in the form of Commission Delegated Regulation, covers the procedure, including timelines applicable with regards to reporting of major ICT-related incidents, seeking to introduce consistent reporting requirements. It follows on from the first consultation batch wherein one of the texts was the Commission Delegated Regulation outlining regulatory technical standards specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents, and significant cyber threats.

The process consists of an initial notification, intermediate, and/or final report within the following time limits:

Initial Report

Within 4 hours from the moment of classification of the incident as major, but no later than 24 hours from the time of detection of the incident

Intermediate Report

Within 72 hours from the classification of the incident as major, or when regular activities have been recovered and business is back to normal

Final Report

No later than 1 month from the classification of the incident as major, unless the matter has not been resolved. In the latter case, the final report is submitted the day after the incident is closed off.

Guidelines on aggregated costs and losses from major ICT-related incidents (Article 11(1))

These Guidelines require financial entities to estimate the aggregate annual costs and losses of major ICT-related incidents by aggregating the costs and losses for major ICT-related incidents that fall within the reference year. These Guidelines lay out the sequential steps to be followed when estimating the aggregated annual costs and losses. A template is also being provided to ensure consistent reporting across the board.

RTS on threat-led penetration testing (Article 26(11))

The Commission Delegated Regulation mirrors the process, methodology, and structure of threat-led penetration testing (“TLPT”) as described in the TIBER-EU framework. As such, financial entities operating in core financial services subsectors are required to perform threat-led penetration testing where relevant criteria indicating their systemic impact are met. The regulators are given the discretion to exclude from TLPT those entities for which they deem that TLPT is not justified on the basis of the overall assessment relating to ICT maturity, impact, and financial stability impact.

RTS on sub-contracting of critical or important functions (Article 30(5))

Regulation (EU) 2022/2554 requires financial entities to include in contractual arrangements on the use of ICT services, a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting critical or important functions, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting. To a certain extent this draft RTS follows on from the first ESAs consultation providing inter alia for a Commission Delegated Regulation specifying the detailed content of the policy on the contractual arrangements regarding the use of ICT services supporting critical or important functions provided by ICT third-party service providers.

The Commission Delegated Regulation lists the risks to be taken into consideration when assessing contractual arrangements between financial entities and ICT third-party service providers. In addition, when an ICT service supporting critical or important functions is being subcontracted to an ICT third-party service provider, a due risk assessment should be carried out both ahead of entering the contractual relationship and on an ongoing basis.

Guidelines on oversight cooperation between the ESAs and competent authorities (Article 32(7))

These guidelines cover the cooperation and information exchanges between the ESAs and competent authorities only.

RTS on oversight harmonisation (Article 41(1))

This RTS supplements the requirement introduced by DORA of an oversight framework for ICT third-party service providers.

Taking stock of the situation

By now, financial entities, and in particular AIFMs, UCITS Management Companies, MiFID Firms, and internally managed AIFs and UCITS, should be aware of the following documents, which will considerably impact their day-to-day operations with effect from next year.

Our advice is to start with a gap analysis, taking stock of the situation within the financial entity and identifying areas of remediation to ensure legal and operational readiness for DORA. A particularly challenging aspect for internally managed AIFs and UCITS will also be the classification as micro-enterprise, small and medium-sized enterprise, and non-SME for the purposes of DORA. Some national authorities are reaching out to the entities on their financial services register to obtain further information on the classification of these entities.

For ease of information, the below is a list of consultation documents/final draft technical standards which were published by the ESAs under DORA.

Final draft technical standards

Published January 17 2024

  • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council, with regard to regulatory technical standards, specifies further elements to be included in ICT security policies, procedures, protocols, and tools. It develops further components of the controls of access management rights, developing the mechanisms to detect anomalous activities, and the criteria triggering ICT-related incident detection and response processes. The regulation further specifies components of the ICT business continuity policy, testing of ICT business continuity plans, components of the ICT response and recovery plans, and the content and format of the report on the review of the ICT risk management framework. It also specifies certain elements of the simplified ICT risk management framework.
  • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards for specifying the detailed content of the policy on the contractual arrangements regarding the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
  • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council, with regard to regulatory technical standards, specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents, and significant cyber threats.
  • Commission Implementing Regulation laying down implementing technical standards with regard to standard templates for the register of information according to Regulation (EU) 2022/2554 of the European Parliament and of the Council.

Ongoing consultation exercise

  • Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents.
  • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council, with regard to regulatory technical standards to specify the elements which a financial entity needs to determine and assess when sub-contracting ICT services supporting critical or important functions, as mandated by Article 30(5) of Regulation (EU) 2022/2554.
  • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council, with regard to regulatory technical standards to unify the conditions enabling the conduct of the oversight activities.
  • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council, with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents, and significant cyber threats.
  • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council, with regard to regulatory technical standards specifying the content of the reports and notifications for major ICT-related incidents and significant cyber threats and the time limits for reporting of these incidents.
  • Commission Implementing Regulation laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat.
  • Draft Guidelines on ESAs-competent authorities oversight cooperation.
  • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council, with regard to regulatory technical standards, specifying the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the requirements in relation to scope, testing methodology, and approach for each phase of the testing, results, closure, and remediation stages and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition.

It remains to be seen whether, following the technical advice provided by the ESAs to the European Commission’s December 2022 Call for Advice on two delegated acts specifying further criteria for critical ICT third-party service providers (“CTPP”) and determining oversight fees levied on such providers, the ESAs will be mandated to prepare another two delegated acts.

What’s next on the radar?

This second consultation runs till March 4 2024. An online public hearing was held on January 23 2024. Based on the feedback received from the public consultation, the ESAs will deliver all legislative instruments to the European Commission by July 17 2024. The target application date for both the first batch and second batch of legislative instruments is January 1 2025.

Apex Group can help

We can help you stay compliant with the latest regulations. Get in touch for further information on:

  • DORA gap analysis
  • Policies and procedures
  • ICT and cybersecurity training