The DORA regulation, in force since January 16, 2023, aims to encourage financial institutions to develop measures to achieve digital operational resilience. To achieve this goal, financial institutions must comply with the regulation by January 17, 2025. In our previous article, we explored the regulatory environment around DORA and its six pillars.
We now look at the innovative aspects of the DORA framework and the timetable set for future progress on the development and publication of the first and second waves of Regulatory Technical Standards (RTS) and Implementation Technical Standards (ITS).
Innovative aspects of DORA framework
Before DORA, some progress had already been made in order to mitigate cybersecurity risks following the publication of:
- European Insurance and Occupational Pensions Authority (EIOPA) guidelines on ICT security in the insurance industry;
- EBA (European Banking Authority) guidelines on ICT risk management and security;
- The Network and Information Security Directive (NIS Directive), implemented by the European Parliament and Council, which targets organizations such as banks, investment firms and payment service providers.
DORA introduces not only a revolution in terms of compliance, but also a further new extension of the “scope” of the financial entities involved: in fact, crypto-asset service providers and crowdfunding service providers also become part of the pool of entities impacted by the regulation. In addition, for the first time, ICT service providers become supervised and regulated entities, with reporting and authorization requirements; this represents a significant discontinuity, which puts IT outsourcers on the “front line”, prompting them to adopt a more proactive approach towards regulation.
Timeline and next steps of RTS and ITS
It is necessary to step back to 2018 when the EU promotes the initiative of an action plan for digital finance, which in 2020 results in the “EU Digital Finance Package”; but it is at the end of 2022 that the DORA proposal is approved and published with its subsequent official entry into force on January 16, 2023. This path is followed by a tight timetable in which the Supervisory Authorities in a Joint Committee prepare sets of documents in which eight RTSs and several ITSs will be outlined, as well as guidelines for:
- Estimate of costs and losses originated by potential incidents;
- Organize cooperation between Supervisory Authorities and Competent Authorities;
- Preparation of feasibility reports on the centralization of incident reporting.
The Committee divided RTS and ITS into 2 groups/waves, defining for each wave a deadline for publication: January 2024 for the first wave and June 2024 for the second.
It is worth specifying that RTS and ITS are both useful tools for providing more detailed specifications and requirements in financial legislation; however, they differ in one detail: the former (RTS) aims to specify, harmonize, and further develop legal frameworks in order to facilitate processes and increase legal certainty, while the latter (ITS) ensures consistent conditions of application.
First wave of RTS & ITS
The first wave of RTS and ITS is currently under consultation and includes the following:
- RTS on risk management related to ICT (Chapter II, Art. 15) and RTS on simplified risk management related to ICT (Chapter II, Art. 16.3).
These introduce principles for all financial institutions on aspects such as:
- ICT security policies, procedures, protocols and tools;
- Human resources policy and access control;
- Detection and response to ICT-related incidents;
- Review and audit reports on the ICT risk management framework.
- RTS on criteria for the classification of ICT-related incidents (Chapter III, Art. 18.3).
The draft sets out harmonised requirements for financial institutions about:
- Classification of ICT-related incidents;
- Classification approach and relevance thresholds for determining material incidents to be reported to competent authorities;
- Criteria and thresholds for the classification of significant cyber threats;
- Criteria for competent authorities to assess the relevance of incidents.
- ITS to establish information record templates in connection with contractual agreements on the use of ICT services provided by third-party providers (Chapter IV, Art 28.9).
The consultation version defines the harmonized templates for the information register that financial institutions should maintain on all contractual agreements on the use of ICT services provided by third parties at the individual, consolidated and sub-consolidated levels. Two different templates have been developed, the first for records at the individual level and the second for records at the consolidated and sub-consolidated level.
- RTS to define guidelines for ICT services provided by third parties (Chapter IV, Art. 28.10).
In this case, requirements are defined for all stages undertaken by financial entities regarding the lifecycle of the management of third-party ICT agreements.
DORA’s next steps
The public consultation on the draft presented in June will end in September. After reviewing all responses, the final version will be integrated and submitted for final approval by 17 January 2024.
The second wave of RTS and ITS is wider and will follow a longer timeline: the public consultation phase will run from November 2023 to February 2024, with the official publication date scheduled for 17 June 2024.
The European Commission has also asked the ESA (European Supervisory Authority) to prepare delegated acts to complement DORA on the criteria for designating third-party providers of critical ICT services. After a public consultation in May and June 2023, this document will be finalized by September 30, 2023.
Additional update will follow in the coming months on the changes resulting from this document. At Parva, we will closely monitor the progress and provide updates on our website and LinkedIn: stay tuned!