On 17 January 2024, the European Supervisory Authorities (ESAs) published the first part of their draft regulatory technical standards (RTS) and implementing technical standards (ITS) developed under the Digital Operational Resilience Act (DORA). The publication follows a public consultation on the draft measures that the ESAs conducted last year (see our note).
The package of final draft RTS and ITS includes:
- RTS on ICT risk management framework and on simplified ICT risk management framework. The draft RTS on ICT risk management framework identifies elements related to ICT risk management with a view to harmonising tools, methods, processes and policies. From a documentation perspective, it is worth noting that the draft RTS requires a total of 20 policies and procedures: for example, policies are required under eight areas (ICT asset management; encryption and cryptographic controls; ICT project management; acquisition, development and maintenance of ICT systems; physical and environmental security; human resources; identity management; access control; ICT-related incident management; ICT business continuity). The draft RTS also identifies the key elements that financial entities subject to the simplified regime, being of lower scale, risk, size and complexity, would need to have in place, setting out a simplified ICT risk management framework. The RTS harmonises the ICT risk management requirements across the different financial sectors.
- RTS on criteria for the classification of ICT-related incidents. The final draft RTS specifies the criteria for the classification of major ICT-related incidents, the approach for classifying major incidents, the materiality thresholds of each classification criterion, the criteria and materiality thresholds for determining significant cyber threats, the criteria for Member State competent authorities (NCAs) to assess the relevance of incidents to other NCAs and the details of the incidents to be shared between them. It also sets out a harmonised process of classifying incident reports throughout the financial sector.
- RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers. The draft RTS specifies parts of the governance arrangements, risk management and internal control framework that financial entities should have in place regarding the use of ICT third-party service providers. The provisions aim to ensure that financial entities remain in control of their operational risks, information security and business continuity throughout the life cycle of contractual arrangements with such ICT third-party service providers. This includes provisions requiring financial entities to clearly assign the internal responsibilities for the approval, management, control and documentation of contractual arrangements on the use of ICT services provided by ICT third-party service providers to support their critical or important functions. As regards group-level arrangements, the draft RTS requires the EU parent undertaking, or the parent undertaking in a Member State, to ensure that the policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers is implemented consistently in its subsidiaries and is adequate for the effective application of the RTS at all relevant levels.
- ITS to establish the templates for the register of information. The final draft ITS sets out the templates of the register of information to be maintained and updated by financial entities in relation to their contractual arrangements with ICT third-party service providers. The register of information is composed of a set of open tables, all linked to each other by specific keys so as to form a relational structure. The draft ITS proposes a single set of templates, common to all financial entities, sub-groups and groups, to be used to report information in the register of information.
The final draft RTS and ITS have been submitted to the European Commission for review and adoption.