New draft technical standards provide useful guidance for DORA compliance projects
European financial supervisory authorities have published the first batch of draft technical standards under the Digital Operational Resilience Act (“DORA”) relating to ICT risk management frameworks, ICT third party risk management and incident handling.
These technical standards provide regulatory guidance in respect of certain key areas under DORA and will be helpful for many organisations as they begin to ramp up their DORA compliance projects in coming months.
As a quick refresher, DORA is part of the European Commission’s Digital Finance Strategy and is designed to uplift existing ICT risk management requirements for financial entities and to consolidate these requirements into a single legislative instrument. It applies to a wide range of financial entities and will also result in certain major ICT service providers formally coming within scope of supervision by the European supervisory authorities (“ESAs”) for the first time. We previously discussed the main provisions and impact of DORA here and in our podcast here.
First batch of technical standards
The ESAs (namely the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority) are jointly tasked with developing the technical standards under DORA. These standards will be developed and adopted in two batches, with the first batch to be submitted to the European Commission for adoption by 17 January 2024 and the second batch by 17 July 2024. The first batch of draft technical standards was made available on 19 June 2023 and is open for consultation until 11 September 2023. We have summarised the technical standards forming this first batch below; they relate to three main areas: ICT risk management frameworks, incident handling and third party risk management.
ICT risk management frameworks
Under DORA financial entities are required to have a comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience. Some financial entities are subject to lighter requirements due to their size and the complexity of the services they offer, and these entities must instead implement a simplified ICT risk management framework.
The new draft regulatory technical standards set out details for these ICT risk management frameworks:
Helpfully, the technical standards refer to the principle of proportionality which recognises that financial entities can tailor their ICT risk management framework depending on their size, risk profile and complexity of their services. Certain financial entities will only be required to implement a simplified ICT risk management framework which is also described in these technical standards.
Incident handling
Under DORA financial entities are required to report major ICT-related incidents to their competent supervisory authority.
The new draft regulatory technical standards set out the criteria for classifying incidents, and in particular for classifying incidents as “major”. “Major” incidents are those which meet at least two primary criteria, or three or more primary and secondary criteria in combination (with at least one of them being a primary criterion).
The primary criteria are:
The secondary criteria are:
Further technical standards in relation to the content and timeline for incident reporting will be published for consultation later this year and finalised next summer.
Third party risk management
Under DORA financial entities are required to manage risks relating to the provision of ICT services including by adopting a policy on the sub-contracting of critical or important ICT services and establishing a register of all ICT-related contracts.
The new draft regulatory technical standards set out the requirements for a policy on the use of ICT services supporting critical or important functions which must:
A template has also been provided for the register of information on all ICT-related contracts at an individual entity level and at the sub-consolidated and consolidated level for groups.
Any comments on the first batch of technical standards must be sent to the ESAs by 11 September 2023 via the “send your comments” button on the consultation page. Comments will be incorporated (as appropriate) and the revised standards will be issued to the European Commission by 17 January 2024 for adoption.
The next batch of standards will be published later this year and will cover the content and timelines for incident reporting, the criteria for determining sub-contracting of critical or important ICT services, and threat-led penetration testing. After the consultation period these standards will be revised (as appropriate) and submitted to the European Commission by 17 July 2024 for adoption.
We recommend that organisations start reviewing the first batch of draft technical standards and take account of them in their DORA compliance projects, while bearing in mind that the final versions, due to be published early next year, may contain some adjustments. Organisations should also keep an eye out for publication of the second batch of draft technical standards in the coming months. For the areas covered by that second batch, we recommend that organisations await its publication before significantly progressing those parts of their DORA compliance project. We will provide an update on the second batch of technical standards once the drafts are available.
The authors would like to thank Caoimhe Daunt for her assistance preparing this briefing.