On 6 February 2023 the three European Supervisory Authorities (ESAs) held a joint public hearing on the implementation of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“Digital Operational Resilience Act” or DORA). As per a follow up press release, the event – held online – gathered over 2,000 representatives from credit and payment institutions, investment firms, (re)insurance undertakings, ICT third-party service providers and other financial entities. The focus of the joint hearing was to provide an opportunity for industry participants to engage with regulators on the new legislation, share their initial views and raise any potential areas of concern regarding the policy mandates that the ESAs have to develop over the course of 2023 and 2024.
In its opening presentation, the European Commission provided a high-level overview of DORA and the background to the legislation. In their joint presentation that followed, the ESAs provided a complete overview of all DORA implementing technical standards (ITSs) and regulatory technical standards (RTSs) that they are mandated to develop, and they provided an indicative timeline for the upcoming work, including an indicative timeframe for the upcoming industry consultation. Accordingly, the ESAs planning depends on the length of time it has to submit drafts to the Commission and their deadlines for doing so:
- Deadline 17 January 2024 (including RTSs for risk management framework, ICT policy, classification of major ICT incidents, ITS on the register of information): public consultation to take place between mid-June 2023 and September 2023.
- Deadline 17 June 2024 (including RTSs on sub-contracting, reporting of major ICT incidents): public consultation to take place between November 2023 and February 2024.
In addition, the ESAs plan to hold a targeted public consultation in May 2023 on the content of their technical advice to the Commission on the criteria for assessing criticality of ICT third-party service providers (we provided an update on the ESAs mandate in our earlier blog post: European Commission asks ESAs for technical advice on DORA | Regulation Tomorrow).