Compliance with the EU’s Digital Operational Resilience Act (“DORA”) is increasingly coming into the foreground for many EU financial entities as the deadline for compliance with DORA looms closer (17 January 2025).  As part of DORA compliance efforts, financial entities will need to pay particular attention to the technical standards that will sit alongside DORA and this briefing provides a practical overview of key aspects of the second batch of technical standards, which are due to be finalised and sent to the European Commission by 17 July 2024 for approval.

DORA & Technical Standards Refresher

DORA is part of the European Commission’s Digital Finance Strategy and is designed to uplift existing ICT risk management requirements for financial entities and to consolidate these requirements into a single legislative instrument. Put simply, DORA is focussed on ensuring that financial entities are able to effectively respond to unplanned disruption while minimising the impact on their business and customers. DORA applies to a wide range of financial entities and will also result in certain major ICT service providers formally coming within scope of supervision by the European Supervisory Authorities (“ESAs”) for the first time. We previously discussed the main provisions and impact of DORA here and in our podcast here.

DORA will be supported by two batches of technical standards which provide further regulatory guidance and expectations on the requirements of DORA. The ESAs produced their final report on the first batch of regulatory technical standards on 17 January 2024.  These standards relate to ICT risk management frameworks, ICT third party risk management and incident handling. We address these standards in more detail in our previous article here. The standards are now with the European Commission for approval and adoption.

Second batch of technical standards

The second batch of draft technical standards was made available on 8 December 2023 with a period of consultation that closed on 4 March 2024. The technical standards forming part of the second batch relate to the content and timing for reporting major ICT-related incidents, the conditions for subcontracting ICT services supporting critical or important functions, threat led penetration testing and regulatory oversight of critical ICT third party service providers. The second batch also included guidelines on how to estimate costs and losses caused by major ICT incidents. We summarise below key aspects of technical standards from the second batch that apply to financial entities.

Content and timelines for incident reporting
Under DORA, financial entities are required to report major ICT-related incidents to their competent supervisory authority. They are also encouraged to report significant cyber threats. The new draft regulatory technical standards set out the content and timeline for ICT-related incident reporting. Financial entities will have to submit three reports as follows:

1. An initial report must be made within 4 hours from the moment of classification of the incident as major, but no later than 24 hours from the time of detection.
2. An intermediate report must be made within 72 hours from the classification of the incident as major, or when regular activities have been recovered and business is back to normal.
3. Lastly, a final report with a root cause analysis must be submitted one month from the classification of the incident, unless it is not resolved at this point, in which case the report must be submitted the day after the incident is resolved.

In a nod to proportionality, financial entities that are not significant and don’t operate across multiple Member States can report in the first hour of the following working day if the deadline falls on a weekend or bank holiday.

Helpfully, there are also implementing technical standards which include a template with all of the information that is required for each notification including how such information should be formatted.

Conditions for sub-contracting of ICT services supporting critical or important functions
Under DORA, financial entities are required to ensure that contracts for ICT services include a description of all the services and whether subcontracting of an ICT service supporting a critical or important function is permitted and on what conditions. The draft regulatory standards set out the considerations for financial entities when assessing whether subcontracting of ICT services which support critical or important functions is permitted and the conditions that should be attached to any such subcontracting to ensure that the financial entity can continue to oversee risk across the ICT subcontracting chain.

They include important detail on this risk assessment which must be considered over the lifecycle of the contractual arrangements.  

They also set out, in addition to the contractual obligations listed in Article 30 of DORA, provisions which must be contained in the contract between the financial entity and the ICT third party service provider in relation to subcontracting including in relation to risk assessment, due diligence and monitoring in respect of subcontractors.

For example, before entering into an arrangement with a subcontractor, the ICT third party service provider must assess the suitability of the prospective subcontractor including in relation to their business reputation, expertise, information security and financial, human and technical resources. The contract between the financial entity and the ICT third party service provider must also specify the monitoring and reporting obligations that subcontractors will have towards the provider.

Threat led penetration testing (“TLPT”)
Under DORA, certain financial entities must carry out TLPT at least every 3 years, covering several or all critical or important functions and performed on live production systems. The draft regulatory technical standards set out the criteria used for identifying financial entities required to perform TLPT, the requirements and standards governing the use of internal testers, the requirements in relation to scope, testing methodology and approach for each phase of testing, results, closure and remediation stages and the details on supervisory cooperation and mutual recognition.

Financial entities may be aware of the TIBER-EU framework for threat intelligence-based ethical red teaming. The draft regulatory standards reflect the TIBER-EU framework subject to certain key differences:  

1. Member States can choose a single public authority to take control of all of the TLPT-related tasks and responsibilities. For significant credit institutions, this will be the ECB.
2. Internal testers can be used, which was not foreseen under the TIBER-EU framework.
3. During TLPT, the red team represents the attackers and the blue team the defenders. Bringing together these teams in a collaborative process known as purple teaming is encouraged under the TIBER-EU framework and is now mandatory under TLPT as prescribed by DORA.

In terms of the criteria for identifying financial entities to conduct TLPT, the technical standards recognise that a certain degree of systemic importance and organisational maturity from an ICT perspective are required for a financial entity to perform TLPT. When determining whether a financial entity satisfies these criteria, the authority with competency for TLPT will look at:

1. Impact-related factors: to what extent a disruption of the financial entity would impact the financial sector.
2. Possible financial stability concerns: for example, the systemic character of the financial entity at EU or national level.
3. Specific ICT risk profile: level of ICT maturity of the financial entity or the technology features involved.  

Next steps

The ESAs are currently reviewing feedback on the second batch of technical standards received during the consultation period and the final standards will be issued to the European Commission by 17 July 2024 for approval.

In the meantime, we recommend that financial entities familiarise themselves with the first batch and second batch of technical standards and start to utilise their contents to help generate efficiencies in their DORA compliance project and a better understanding of regulatory expectations.

Financial entities should also keep these standards under review so as to ensure that they are alive to any changes appearing in the final versions of the standards approved by the European Commission and take any necessary steps to address these changes in their DORA compliance project.