On 17 July 2024, the European Supervisory Authorities (ESAs) issued the second batch of policy products under the Digital Operational Resilience Act (DORA).
The second batch comprises:
- Joint technical standards on major incident reporting. The ESAs have developed the draft technical standards per the mandate provided to them under Article 20 of DORA, which provides that they shall produce draft regulatory technical standards (RTS) establishing the content of reports for ICT-related incidents and of notifications of significant cyber threats, and the time limits for financial entities to report these incidents to Member State competent authorities (NCAs). The ESAs are also to produce draft implementing technical standards establishing the standard forms, templates and procedures for financial entities to report a major ICT-related incident or to notify a significant cyber threat. The draft technical standards will be submitted to the European Commission (Commission) for adoption. Following adoption, the draft technical standards will be subject to scrutiny by the European Parliament and the Council and will then be published in the Official Journal of the European Union (OJ).
- Joint RTS on the harmonisation of conditions enabling the conduct of the oversight activities. The draft RTS have been developed per the mandate in Article 41(1) of DORA and specify: (i) the information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical under Article 31(11); (ii) the content, structure and format of the information to be submitted, disclosed or reported by the ICT third-party service providers pursuant to Article 35(1), including the template for providing information on subcontracting arrangements; (iii) the details of the NCAs’ assessment of the measures taken by critical ICT third-party service providers based on the recommendations of the Lead Overseer pursuant to Article 42(3). The draft technical standards will be submitted to the Commission for adoption. Following adoption, the draft technical standards will be subject to scrutiny by the European Parliament and the Council and then will be published in the OJ. The expected date of application of these technical standards is 17 January 2025.
- Joint RTS specifying elements related to threat-led penetration tests. The draft RTS have been developed per the mandate in Article 26 of DORA, which tasks the ESAs with developing draft RTS ‘in accordance with the TIBER-EU framework’ to specify further: the criteria used for identifying financial entities required to perform threat-led penetration testing (TLPT); the requirements and standards governing the use of internal testers; the requirements in relation to scope, testing methodology and approach for each phase of the testing, and the results, closure and remediation stages; and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition. The draft technical standards will be submitted to the Commission for adoption. Following adoption, the draft technical standards will be subject to scrutiny by the European Parliament and the Council and will then be published in the OJ. The expected date of application of these technical standards is 17 January 2025.
- Joint RTS on the criteria for determining the composition of the joint examination team. The draft RTS have been developed per the mandate in Article 41 of DORA, which requires the ESAs to produce draft RTS to harmonise the conditions enabling the conduct of oversight activities. Among other things, the draft RTS specify the information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical. The ESAs will submit the draft RTS to the Commission for adoption. The Commission may decide whether the draft RTS should be merged into a single RTS with the other draft RTS based on the mandates under Article 41(1)(a), (b), and (d) of DORA. Following its adoption in the form of a Commission Delegated Regulation, it will then be subject to scrutiny by the European Parliament and the Council before publication in the OJ. The expected date of application of the RTS is 17 January 2025.
- Joint guidelines on oversight cooperation. The draft guidelines have been produced per the mandate in Article 32(7) of DORA to issue guidelines on the cooperation between the ESAs and the NCAs, covering the detailed procedures and conditions for the allocation and execution of tasks between NCAs and the ESAs, and the details of the exchanges of information which are necessary for NCAs to ensure the follow-up of recommendations addressed to ICT third-party service providers designated as critical. The draft guidelines will be translated into the official languages of the EU and published on the websites of the ESAs. The deadline for NCAs to notify the respective ESA whether they comply or intend to comply with the draft guidelines will be two months after the publication of the translated guidelines. The draft guidelines should apply from 17 January 2025.
- Joint guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents. The draft guidelines have been developed per the mandate in Article 11 of DORA and seek to harmonise the estimation by financial entities of their aggregated annual costs and losses caused by major ICT-related incidents. The draft guidelines will be translated into the official EU languages and published on the ESAs' websites. The deadline for NCAs to report whether they comply with the draft guidelines will be two months after the publication of the translations. The draft guidelines should apply from 17 January 2025.