The European Supervisory Authorities (i.e., EBA, EIOPA and ESMA) published the second batch of policy products under the Digital Operational Resilience Act (DORA) on 17 July 2024, aimed at enhancing the digital operational resilience of the European Union’s (EU) financial sector.
The joint final draft technical standards include the following:
The RTS outline the content of reports for major ICT-related incidents, time limits for reporting to the Competent Authorities (CAs), and content for voluntary notifications of significant cyber threats. The ITS provide standard forms, templates, and procedures for financial entities to use when reporting to the CAs.
These RTS and ITS are closely linked to the draft RTS specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats under Regulation (EU) 2022/2554, which was published by the ESAs on 17 January 2024.
The RTS establish the criteria for identifying financial entities that are required to perform TLPT, testing requirements, scope, methodology, and relevant cooperation needed for the implementation of TLPT.
The RTS set out the requirements for standardising oversight activities, such as general investigations or inspections, to be conducted by the ESA acting as the designated Lead Overseers (LO) for Critical ICT third-party service providers (CTPPs).
The LO will receive support from a JET comprising the ESAs and CAs to conduct oversight activities for the CTPPs. The RTS outline the criteria for establishing a JET, including its tasks and working arrangements.
These guidelines detail the procedures and conditions for allocating and executing tasks between CAs and the ESA within DORA’s oversight framework for CTPPs. The guidelines also cover the exchange of information needed for CAs to follow up on recommendations provided by the ESAs to CTPPs.
Financial entities are required to report to the CAs, upon their request, an estimation of the aggregated annual costs and losses caused by major ICT-related incidents. These guidelines provide a framework for harmonising the assessment and estimation of these costs and losses by financial entities.
The RTS, published on 26 July 2024, focus on ICT services provided by ICT subcontractors that support critical or important functions, or material parts of them. Financial entities are required to assess the risks associated with subcontracting during the pre-contractual phase, including the due diligence process. Furthermore, the RTS specify the requirements for the management of contractual arrangements between financial entities and ICT third-party service providers throughout their lifecycle.
The second set of final draft technical standards and guidelines can be accessed below.
The ESAs have submitted the final draft technical standards to the European Commission, which will now initiate its review with the objective of adopting these policy products in the coming months. The guidelines have already been adopted by the Boards of Supervisors of the ESAs.
Deloitte can help you along your entire journey towards compliance with DORA, through the performance of the following activities:
Deloitte can provide an overview of the regulation to the Board of Directors and other relevant teams and individuals, including an introduction to the regulation, its timeline, an overview of DORA’s five core pillars and their key implications, the upcoming technical standards and next steps.
Deloitte can assess your current readiness and propose measures to meet the regulatory requirements while customising the remediation plan to your specific environment.
Deloitte can support you in the implementation of any remediation activities identified to ensure compliance with DORA regulations in line with the regulatory deadlines.
Deloitte can help you to stay on top of the regulatory agenda with its regulatory watch service and keep you up to date on the evolution of DORA and its related regulatory and implementing technical standards.