Understanding the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) of DORA

The financial industry eagerly awaits the release of the second batch of draft regulatory technical standards (RTS) for the Digital Operational Resilience Act (DORA). The first batch of policy products was released for public consultation in June 2023. The regulatory technical standards aim to establish a uniform and harmonized legal framework in the domains of ICT risk management, reporting major ICT-related incidents, and managing third-party risks associated with ICT.

Initially expected in November 2023, the release of the second batch of regulatory technical standards is running late. This delay leaves the industry eagerly anticipating whether the second batch of RTSs will unwrap as a digital gift during the holiday season or arrive as a belated offering in 2024. Finalization of the RTSs is expected on 17 July 2024.

In the meantime, the first batch of RTSs has undergone public consultation, with hundreds of responses analyzed. 

What is a Regulatory Technical Standard?

A Regulatory Technical Standard (RTS) is a type of regulatory instrument used in the European Union to provide detailed technical specifications for the implementation of certain aspects of the legislation. In the context of the European financial regulatory framework, RTSs are often developed by the European Supervisory Authorities (ESAs) to provide more granular guidance and define specific rules that complement the broader provisions outlined in the primary legislation.

DORA, the Digital Operational Resilience Act, is a legislative framework that sets out high-level principles and requirements for ensuring the operational resilience of financial firms in the digital age. DORA’s main text, often called Level 1, contains the overarching provisions and objectives. To operationalize and provide more detailed guidance on how these provisions should be implemented, the ESAs develop the Regulatory Technical Standards (RTS), which are considered Level 2 legislation.

A Quick Overview of the Five DORA Pillars

The Digital Operational Resilience Act (DORA) establishes a transformative regulatory framework across five pillars to address Information and Communication Technology (ICT) risks in the EU financial sector.

  1. ICT Risk Management Requirements:

DORA places “full and ultimate accountability” on the management body of financial entities, directing them to define a digital operational resilience strategy, set risk tolerances, and approve policies for ICT Third-Party Providers (TPPs). Firms must meticulously identify Critical or Important Functions (CIFs) and conduct business impact analyses so that their resilience efforts focus on those functions and activities.

  2. ICT Incident Classification and Reporting:

Building on existing EU incident reporting obligations, DORA requires financial entities to promptly inform relevant parties of significant cyber threats and to document such incidents comprehensively. This pillar compels entities to enhance their capabilities for classifying and reporting ICT incidents and threats, ensuring a proactive response to emerging risks.

  3. Digital Operational Resilience Testing:

DORA imposes annual security and resilience tests on critical ICT systems, addressing identified vulnerabilities. Advanced Threat-Led Penetration Testing (TLPT) every three years, aligned with the ECB’s TIBER-EU framework, adds an extra layer of sophistication. Testing encompasses all Third-Party Providers (TPPs) supporting CIFs, fostering a collaborative mapping approach.

  4. Third-Party Risk Management (TPRM):

Expanding on existing ESA Guidelines, DORA’s TPRM requirements cover ICT outsourcing beyond Cloud Service Providers (CSPs), intensifying pressure on financial entities to negotiate with providers. Because contractual terms are legally binding, concentration risk assessments become essential, challenging firms to justify operating model decisions and adopt a multi-vendor approach when necessary.

  5. ICT Third-Party Providers Oversight Framework:

Granting extensive supervisory powers to ESAs over Critical ICT Third-Party Providers (CTPPs), DORA empowers ESAs to assess, request security practice changes, and sanction CTPPs. Safeguards ensure that suspension or termination of contracts with CTPPs is exceptional, considering sector-wide implications. The Joint Oversight Forum (JOF) assumes prominence in setting precise standards for CTPPs’ expected resilience, contributing to a robust oversight structure.

The implementation of the EU’s Digital Operational Resilience Act (DORA) involves the development of draft regulatory technical standards (RTS) and implementing technical standards (ITS) to provide detailed guidelines for financial entities.

Overview of DORA’s Draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)

  1. Draft RTS on ICT Risk Management Framework and Draft RTS on Simplified ICT Risk Management Framework

Implications on DORA Pillar: ICT Risk Management

Details Covered:

The draft RTS on the ICT Risk Management Framework and its simplified counterpart aim to provide more detailed insights into the protection, prevention, detection, and response aspects of ICT risk management. These standards elaborate on the requirements outlined in DORA Chapter II, Section II, ensuring financial entities comprehensively understand their obligations.

Adaptations for Financial Entities:

Financial entities will gain clarity on necessary adjustments to their current risk management frameworks. Smaller entities benefit from the option of implementing a simplified ICT risk management framework, streamlining compliance efforts.

  2. Draft RTS on Criteria for the Classification of ICT-Related Incidents

Implications on DORA Pillar: ICT-Related Incident Reporting

Details Covered:

This RTS proposes criteria for classifying ICT-related incidents, introducing a classification approach and materiality thresholds for major incidents and significant cyber threats. It ensures consistency with frameworks like the Network and Information Security Directive 2 (NIS2) and Payment Services Directive 2 (PSD2), facilitating comparability and minimizing adaptations for compliant financial institutions.

Consistency with Existing Frameworks:

The RTS aligns with existing frameworks to ensure a harmonized approach to incident reporting, making it easier for financial institutions already complying with NIS2 and PSD2.

  3. Draft ITS to Establish Templates for the Register of Information

Implications on DORA Pillar: ICT Third-Party Risk Management

Details Covered:

This ITS establishes templates for the register of information, covering contractual arrangements with ICT Third-Party Providers (TPPs) at various levels. The extended information requirements of the ITS demand more comprehensive details compared to existing outsourcing guidelines from the European Supervisory Authorities (ESAs).

Extended Information Requirements:

Financial entities will need to invest additional effort in fulfilling the extended information requirements, enhancing the transparency and oversight of ICT third-party relationships.

  4. Draft RTS to Specify the Policy on ICT Services Supporting Critical or Important Functions Performed by ICT TPPs

Implications on DORA Pillar: ICT Third-Party Risk Management

Details Covered:

This RTS specifies the content of the policy regarding the life cycle management of third-party arrangements, focusing on ICT services supporting critical or important functions. Developed with consideration for existing outsourcing guidelines from the ESAs, this RTS aids financial institutions that have already implemented these guidelines.

Alignment with Existing Guidelines:

The RTS aligns with existing guidelines, ensuring financial institutions can make required changes without overhauling their existing frameworks.

Technical Standards Expected to be Released in the Second Batch

The upcoming release is expected to cover various areas, including:

  • recommendations on calculating aggregated costs or losses arising from substantial ICT incidents
  • procedures for reporting major incidents related to ICT
  • a structure for performing threat-led penetration testing
  • guidelines for outsourcing ICT services crucial for critical or important functions
  • cooperation between the ESAs and competent authorities for DORA supervision, ensuring harmonized oversight conditions

The final version of DORA’s technical standards is scheduled to be submitted to the European Commission by July 17, 2024.

Embracing Resilience with DORA

As stakeholders navigate the intricate landscape of DORA and its associated Regulatory Technical Standards, the financial sector is poised to embrace a resilient and secure digital future. DORA reflects a commitment to addressing the challenges posed by digitalization while fostering innovation. As the implementation deadline approaches, stakeholders must remain vigilant, adapting to the evolving digital landscape in alignment with the regulatory framework outlined by DORA.
