On 8 December 2023 the European Supervisory Authorities (ESAs) launched a public consultation on a second package of technical standards under the Digital Operational Resilience Act (DORA). The package includes the following draft regulatory technical standards (RTS), implementing technical standards (ITS) and guidelines (GL):
RTS and ITS on content, timelines and templates on incident reporting
By way of background, DORA mandates the ESAs to develop draft RTS establishing the content of the reports for major ICT-related incidents and of the notification for significant cyber threats, together with the time limits for financial entities to report these incidents to competent authorities, as well as draft ITS establishing the standard forms, templates and procedures for financial entities to report a major ICT-related incident or to notify a significant cyber threat. The draft RTS propose the following time limits: the initial notification within 4 hours of classification of the incident and within 24 hours of its detection, the intermediate report within 72 hours, and the final report within 1 month; this is in line with the corresponding requirements under the Network and Information Security Directive (NIS2). The draft RTS and ITS also propose the types of information to be collected in the notification and reports for major incidents and significant cyber threats and, in line with the proportionality principle, propose that the essential data fields (46%) are mandatory and the remaining ones conditional, depending on the type and nature of the incident. The draft ITS sets out a single template for reporting major incidents, covering the initial notification and the intermediate and final reports.
GL on aggregated costs and losses from major incidents
DORA mandates the ESAs to develop common guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents. The draft guidelines harmonise how financial entities estimate these costs and losses; the resulting estimates are to be reported by financial entities, other than microenterprises, to their competent authority upon its request.
RTS on subcontracting of critical or important functions
DORA requires financial entities to include in contractual arrangements on the use of ICT services a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting critical or important functions, or material parts thereof, is permitted and, if so, the conditions applying to such subcontracting. The draft RTS further specifies the elements that a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions. Accordingly, the draft RTS prescribes that financial entities should assess the complexity and risk considerations of the subcontracting arrangement; it prescribes the elements of the risk assessment regarding the use of subcontractors and sets out the description of, and the conditions under which, ICT services supporting a critical or important function may be subcontracted. The draft RTS includes provisions concerning the monitoring of the entire ICT subcontracting chain by the financial entity; it also sets out provisions governing material changes to subcontracting arrangements and termination of the contractual arrangement.
RTS on oversight harmonisation
DORA introduced a European oversight framework for critical ICT third-party service providers (CTPPs) and mandated the ESAs to develop technical standards harmonising the conditions enabling the conduct of oversight activities. Accordingly, the draft RTS specifies: the information to be provided by an ICT third-party service provider in its voluntary application to be designated as critical; the information to be submitted by ICT third-party service providers that is necessary for the Lead Overseer (LO) to carry out its duties; and the details of the competent authorities' assessment of the measures taken by CTPPs on the basis of the recommendations of the LO.
GL on oversight cooperation between ESAs and competent authorities
As part of the oversight framework for CTPPs, the ESAs and competent authorities have received new roles and responsibilities, including those assigned to the LO. The competent authorities will participate in the LO's oversight of the CTPP as part of the Joint Examination Team and will follow up with financial entities on the risks identified in the recommendations. The draft Guidelines set out the detailed procedures and conditions for the allocation and execution of tasks between competent authorities and the ESAs, and the details of the exchanges of information that competent authorities need in order to ensure the follow-up of recommendations addressed to CTPPs. They include the following sections: (1) General considerations (language, communication means, contact points and differences of opinion between the ESAs and competent authorities); (2) Designation of CTPPs (the information exchanges between the LO, competent authorities and the Oversight Forum related to the designation of CTPPs); (3) Oversight activities (the procedures and information exchanges related to the annual oversight plan, general investigations and on-site inspections, as well as the measures competent authorities can take concerning CTPPs only in agreement with the LO); (4) Follow-up of the recommendations (the general principles for the follow-up of the recommendations and the information exchanges between the LO and competent authorities to ensure that follow-up, including information exchanges in the case of a last-resort decision by a competent authority to require financial entities to suspend or terminate their contract with the CTPP); and (5) Final provisions.
RTS on threat-led penetration testing (TLPT)
DORA requires the ESAs to specify further: the criteria used for identifying financial entities required to perform TLPT; the requirements and standards governing the use of internal testers; the requirements in relation to scope, testing methodology and approach for each phase of the testing, and for the results, closure and remediation stages; and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition. The draft RTS sets out criteria to identify financial entities required to perform TLPT, requirements regarding the test scope, testing methodology and results of TLPT, requirements and standards governing the use of internal testers, and rules regarding cooperation and mutual recognition.
The consultation is open until 4 March 2024. On 23 January 2023, the ESAs will host a public hearing on the draft proposals. By way of reminder, the public consultation on the first package closed on 11 September 2023, and the final drafts are expected to be submitted to the European Commission in early January 2024.