On 19 June 2023 the European Supervisory Authorities (ESAs) launched a public consultation on a first batch of regulatory and implementing technical standards (RTS and ITS) under Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). This covers the draft RTS and ITS that the ESAs are expected to submit to the European Commission by 17 January 2024, and includes:

  • Draft RTS on ICT risk management framework and RTS on simplified ICT risk management framework: The draft RTS on ICT risk management framework sets out requirements with respect to: (a) ICT security policies, procedures, protocols and tools (including requirements on: governance, ICT risk management, ICT asset management, encryption and cryptography, ICT operations security, network security, ICT project and change management, physical security, ICT and information security awareness and training); (b) human resources policy and access control; (c) ICT-related incident detection and response; (d) ICT business continuity management; (e) report on the ICT risk management framework review; and (f) proportionality.
  • Draft RTS on criteria for the classification of ICT-related incidents: The draft RTS sets out harmonised requirements for financial entities on: (a) the classification of ICT-related incidents by financial entities; (b) the classification approach and materiality thresholds for determining major ICT-related incidents to be reported by financial entities to competent authorities; (c) the criteria and thresholds to be applied when classifying significant cyber threats; and (d) the criteria to be applied by Member State competent authorities for the purpose of assessing the relevance of major ICT-related incidents to relevant competent authorities in host Member States, and the details of the information to be shared with them.
  • Draft RTS to specify the policy on ICT services performed by ICT third-party providers: The draft RTS sets out the requirements for all phases that financial entities should undertake in managing the life cycle of ICT third-party arrangements. It specifies the content of the policy regarding the use of ICT services supporting critical or important functions by dealing with the following aspects: (a) the pre-contractual phase (i.e. planning of contractual arrangements, including the risk assessment, the due diligence and the approval process for new or material changes to those third-party contractual arrangements); (b) the implementation, monitoring and management of contractual arrangements for the use of ICT services supporting critical or important functions; and (c) the exit strategy and the termination processes.

The consultation is open until 11 September 2023. On 13 July 2023, the ESAs will host an online public hearing on the draft RTS and ITS; registration is open at the following link.