On 19 June 2023, the European Supervisory Authorities (EBA, EIOPA and ESMA - together the "ESAs") launched a public consultation on the first batch of policy products under the Digital Operational Resilience Act (DORA). This includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS).
Under Articles 15 and 16(3) of the DORA Regulation, the ESAs have been tasked with developing draft RTS aimed at further harmonizing ICT risk management tools, methods, processes and policies across the EU, and with developing a simplified ICT risk management framework for certain financial entities. In this publication, we provide an overview of what is included in the ESAs' recent publication on the RTS and on the simplified framework for ICT risk management.
Because the two topics are closely interconnected, the mandates of Article 15 and Article 16(3) of the DORA Regulation have been merged into a single draft RTS that addresses ICT risk management comprehensively. The structure of the RTS broadly follows the elements listed under Articles 15 and 16(3) of DORA, as illustrated in the graphic below.
It should be stressed that the requirements set out in the RTS complement the requirements for the ICT risk management framework that are already laid down in DORA itself. The RTS requirements should therefore be read in conjunction with the relevant articles of the DORA Regulation (Articles 1 to 14 of DORA).
Linking the RTS requirements to existing regulations and standards within the DORA Regulation
When reading the RTS requirements, a strong synergy with the existing EBA and EIOPA guidelines on ICT risk management and security is immediately apparent, as are the direct references to other European and international regulations and standards (including NIS2, the NIST Cybersecurity Framework and the ISO/IEC 27000 series). The aim of the ESAs' RTS is to further harmonize, complement and clarify existing requirements, rather than to create an entirely new standard for ICT risk management.
RTS requirements
The RTS requirements are extensive and contain many detailed provisions, but we would like to draw your attention to the following in particular:
We have also noticed several novelties that were not previously explicitly stated in the DORA Regulation:
Simplified risk management framework - the DORA Regulation
According to Article 16 of the DORA Regulation, certain organizations (depending on their size, scale, sector and/or complexity) will be able to establish and maintain a simplified ICT risk management framework in line with the principle of proportionality, meaning that the framework is tailored to the specific needs and characteristics of these entities. The RTS identify the key elements that such a simplified framework must still contain.
The scope of the simplified framework is similar to that of the standard framework, but it omits certain specific areas relating to encryption and human resources. This means that the following elements will still be required:
Next steps
As part of the public consultation on the draft RTS, comments will be accepted until 11 September 2023. Based on the comments received, the ESAs will then submit the finalized RTS to the European Commission by 17 January 2024. The DORA Regulation itself will apply from 17 January 2025. The content of the RTS may therefore still change, but it is well worth familiarizing yourself with the draft now in order to form a clearer picture of what to expect.