29/01/24

DORA: first set of final level 2 rules for ICT and third-party risk management and incident reporting frameworks

The ESAs have published the first set of final draft technical standards under DORA aimed at enhancing the digital operational resilience of the EU financial sector.

Context

On 17 January 2024, the three European Supervisory Authorities, EBA, EIOPA and ESMA (the ESAs), published the first set of final reports on technical standards under Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), in accordance with Articles 15, 16(3), 18(3), 28(9) and 28(10).

This first set of final draft technical standards (the Technical Standards) includes final reports on:

  • Regulatory Technical Standards (RTS) on ICT risk management framework and on simplified ICT risk management framework.
  • RTS specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats.
  • RTS to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (TPP).
  • Implementing Technical Standards (ITS) on the standard templates for the register of information covering contractual arrangements on the use of ICT services provided by ICT TPP.

The Technical Standards amend the initial drafts published on 19 June 2023. A public consultation ran until 11 September 2023. During this period, the ESAs received more than 420 responses from market participants. According to the ESAs, “the public consultation feedback led to specific changes to the technical standards, including ensuring simplification and streamlining of the requirements, greater proportionality and addressing sector-specific concerns”.

Brief overview of the Technical Standards

1. Harmonisation of ICT risk management tools, methods, processes and policies

The RTS on the ICT Risk Management Framework describe the key elements that financial entities are required to cover in their ICT risk management tools, in particular listing the mandated ICT risk policies and procedures. There are 20 policies and procedures listed in total, including ICT risk management, ICT asset management, encryption and cryptographic controls, ICT operations security, and vulnerability and patch management. Further detail is also provided on the simplified ICT risk management framework available, in accordance with Article 16(3) of DORA, to certain financial entities, such as small and non-interconnected investment firms and payment institutions exempted pursuant to Directive (EU) 2015/2366[1].

2. Criteria for classification of ICT-related incidents

One of the objectives of DORA is to harmonise and streamline the ICT-related incident reporting regime for financial entities in the EU. To that end, the RTS introduce a list of seven classification criteria for determining whether an incident constitutes a "major ICT-related incident", as well as detailed materiality thresholds for each criterion.

The classification criteria are as follows: (1) critical services affected, (2) clients, financial counterparts and transactions, (3) data losses, (4) reputational impact, (5) duration and service downtime, (6) geographical spread and (7) economic impact.

In the initial draft RTS, the ESAs proposed differentiating between 'primary' and 'secondary' classification criteria, which would then be weighted differently in the final classification of the ICT-related incident. However, following feedback from the respondents to the public consultation, the ESAs changed their approach so that it is clearer, simpler and more straightforward. As such, all criteria will be treated equally, except for the criticality of the services affected, meaning that an ICT-related incident can be classified as major only if it has an impact on the financial entity’s critical services.

3. Content of policy on ICT services supporting critical or important functions

The policy on ICT services supporting critical or important functions is required to explain the mandatory steps to be followed by financial entities when contracting with an ICT TPP supporting critical or important functions. The RTS set out the necessary governance arrangements, risk management and internal control framework that financial entities must have in place. The objective is to ensure that financial entities remain in control of their operational risks, information security and business continuity throughout the life cycle of contractual arrangements with ICT TPP supporting critical or important functions.

4. Templates for register of information

The ITS set out the detailed templates to be maintained and updated by financial entities in relation to their contractual arrangements with ICT TPP, as well as instructions to be followed by financial entities to complete each field.

Having taken into consideration the feedback received during the public consultation, the information to be recorded in the register of information has been slightly reduced and the templates of the register of information streamlined. Instead of a template for financial entities at entity level and another one at (sub)consolidated level, the final draft ITS define one single set of templates for the register of information.

Note that the register of information contains not only details on the financial entity’s direct ICT TPPs, but also details on all of the ICT TPP’s subcontractors, in the event that the direct ICT TPP is supporting a critical or important function.

Next steps

The Technical Standards have been submitted to the EU Commission, which will now start working on their review with the objective of adopting these first standards in the coming months. Once adopted, the Technical Standards will form part of the DORA level 2 framework and will therefore be directly applicable to all financial entities within the scope of DORA.

Access the Technical Standards here.

Read about the Digital Operational Resilience Act (DORA) here.

Learn more about how Arendt can help you regarding the Digital Operational Resilience Act (DORA) here.

[1] As well as institutions exempted pursuant to Directive 2013/36/EU in respect of which Member States have decided not to apply the option referred to in Article 2(4) of DORA; electronic money institutions exempted pursuant to Directive 2009/110/EC; and small institutions for occupational retirement provision.