The ESAs publish second set of Technical Standards and Guidelines

The second batch of policy products under the Digital Operational Resilience Act (DORA)

The European Supervisory Authorities (i.e., EBA, EIOPA and ESMA) published the second batch of policy products under the Digital Operational Resilience Act (DORA) on 17 July 2024, aimed at enhancing the digital operational resilience of the European Union’s (EU) financial sector.

The joint final draft technical standards include the following:

Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats

The RTS outline the content of reports for major ICT-related incidents, time limits for reporting to the Competent Authorities (CAs), and content for voluntary notifications of significant cyber threats. The ITS provide standard forms, templates, and procedures for financial entities to use when reporting to the CAs.

These RTS and ITS are closely linked to the draft RTS specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats under Regulation (EU) 2022/2554, which was published by the ESAs on 17 January 2024.

RTS on Threat-Led Penetration Testing (TLPT)

The RTS establish the criteria for identifying financial entities that are required to perform TLPT, testing requirements, scope, methodology, and relevant cooperation needed for the implementation of TLPT.

RTS on the harmonisation of conditions enabling the conduct of the oversight activities

The RTS set out the requirements for standardising oversight activities, such as general investigations or inspections, to be conducted by the ESA acting as the designated Lead Overseers (LO) for Critical ICT third-party service providers (CTPPs).

RTS specifying the criteria for determining the composition of the Joint Examination Team (JET)

The LO will receive support from a JET comprising the ESAs and CAs to conduct oversight activities for the CTPPs. The RTS outline the criteria for establishing a JET, including its tasks and working arrangements.

Guidelines on oversight cooperation

These guidelines detail the procedures and conditions for allocating and executing tasks between CAs and the ESA within DORA’s oversight framework for CTPPs. The guidelines also cover the exchange of information needed for CAs to follow up on recommendations provided by the ESAs to CTPPs.

Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents

Financial entities are required to report to the CAs, upon their request, an estimation of the aggregated annual costs and losses caused by major ICT-related incidents. These guidelines provide a framework for harmonising the assessment and estimation of these costs and losses by financial entities.

RTS on subcontracting

The RTS, published on 26 July 2024, focus on ICT services provided by ICT subcontractors that support critical or important functions, or material parts of them. Financial entities are required to assess the risks associated with subcontracting during the pre-contractual phase, including the due diligence process. Furthermore, the RTS specify the requirements for managing contractual arrangements between financial entities and ICT third-party service providers throughout their lifecycle.

Next steps

The ESAs have submitted the final draft technical standards to the European Commission, which will now initiate its review with the objective of adopting these policy products in the coming months. The guidelines have already been adopted by the Boards of Supervisors of the ESAs.

How can Deloitte help?

Deloitte can help you along your entire journey towards compliance with DORA, through the performance of the following activities:

DORA training

Deloitte can provide an overview of the regulation to the Board of Directors and other relevant teams and individuals, including an introduction to the regulation, its timeline, an overview of DORA's five core pillars and their key implications, the upcoming technical standards and next steps.

DORA gap assessment and remediation plan

Deloitte can assess your current readiness and propose measures to meet the regulatory requirements while customising the remediation plan to your specific environment.

Implementation of remediation activities

Deloitte can support you in the implementation of any remediation activities identified to ensure compliance with DORA regulations in line with the regulatory deadlines.

DORA regulatory monitoring

Deloitte can help you to stay on top of the regulatory agenda with its regulatory watch service and keep you up to date on the evolution of DORA and its related regulatory and implementing technical standards.
