On 11 February 2025, the European Banking Authority (EBA) issued an updated version of its guidelines on ICT and security risk management measures, which were built on the provisions of Article 74 of the Capital Requirements Directive IV and the Payment Services Directive 2. The update is intended to avoid duplication with the requirements on ICT risk management introduced by the Digital Operational Resilience Act (DORA), which applies to financial entities across the banking, securities/markets, insurance and pensions sectors.

The update includes the EBA narrowing down:

  • The entity scope of the guidelines to only those that are covered by DORA, namely credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions.
  • The scope of the guidelines to the requirements on relationship management of the payment service users in relation to the provision of payment services.

Next steps

The updated guidelines apply within two months of the publication of the translated versions.

On 31 January 2025, the European Commission (Commission) published a letter (dated 21 January 2025) it had sent to the Chair of the Joint Committee of the European Supervisory Authorities (ESAs). The letter concerns the draft Delegated Regulation supplementing the Digital Operational Resilience Act (DORA) with regard to regulatory technical standards (RTS) on subcontracting ICT services supporting critical or important functions. The ESAs delivered the draft RTS to the Commission last summer.

In the letter the Commission explains that it is rejecting the draft RTS because the requirements introduced by Article 5 of the draft RTS on the “Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity” go beyond the empowerment given to the ESAs by Article 30(5) of DORA, as they introduce requirements not specifically linked to the conditions for subcontracting. The Commission therefore considers that Article 5 of the draft RTS and the related recital 5 should be removed to ensure compliance with the mandate set out in DORA.

The Commission intends to adopt the draft RTS once its concerns are taken into account, and the necessary modifications are made by the ESAs.

On 22 January 2025, the European Supervisory Authorities (ESAs) published guidance prepared by the European Commission (Commission) on the definition of ICT services under the Digital Operational Resilience Act (DORA). The guidance was eagerly awaited by the European financial services industry subject to DORA’s requirements, seeking clarity on the distinction between ICT services and financial services.

By way of background, DORA defines ICT services as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”. This definition is intentionally broad, as reflected by the types of ICT services listed in Annex III of Commission Implementing Regulation (EU) 2024/2956 on standard templates for registers of information. This broad definition has caused problems for the industry, as in practice numerous financial services have some ICT components, which could prospectively lead to double-regulation.

In the Q&A guidance published, the Commission confirmed that where such regulated financial services entail an ICT component, they should still be considered financial and not ICT services, regardless of whether the services are provided by an EU-regulated financial entity or a third-country one (“In the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial entities should assess whether i) the services constitute an ICT service under DORA, and ii) whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country. In case both tests are positive, then the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21).”). This guidance responds to the industry’s concerns and as such is a positive development.

The guidance further states that services provided by regulated financial entities can be ICT services (all other elements of the definition being met) if they are “unrelated or is independent from such regulated financial services”. The Commission also confirmed that the “same rationale applies to ancillary services provided by an entity, depending on whether such ancillary services are regulated financial services or a service inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner.”

DORA is now live, without any transitional provision.

A wide range of rules for managing ICT risks, including risks linked to ICT third-party service providers, applies from today. DORA applies to nearly all financial entities in the EU, with very few exemptions for smaller institutions. For the first time, it also covers major unregulated ICT third-party service providers, a significant shift in European financial regulation.

One of the immediate and key requirements under DORA is the reporting of ICT-related incidents, which entities must begin doing today. Additionally, in-scope entities will need to submit detailed information registers to regulators in early Q1 2025.

To help those asset managers who may be behind with their DORA implementation we have just published the latest episode in our Let’s talk asset management series covering DORA and its impact on asset managers.

In addition, for those financial entities that are behind with their DORA implementation we continue to run last minute bespoke emergency clinics and training.

For further information please contact Floortje Nagelkerke, Anna Carrier, Sebastien Praicheux, Dorothee Ciolino or your usual Norton Rose Fulbright contact.

Introduction

The Dutch Authority for the Financial Markets (AFM) has issued its sixth DORA update, explaining what to expect in 2025. The AFM stresses that it is important to complete the implementation of DORA’s requirements as soon as possible in order to be DORA-compliant by this Friday, 17 January 2025.

What to expect in 2025?

Once DORA enters into force, national supervisory authorities will start their supervisory activities. This will include establishing reviews to determine whether financial institutions are complying with the requirements, as well as collecting and verifying information requested by the European Supervisory Authorities (ESAs, meaning EIOPA, ESMA and EBA).

  1. Register of information

The first data request that firms can expect in 2025 concerns the register of information. The deadline for the first submission of registers of information by the AFM and DNB to the ESAs is 30 April 2025. To ensure timely submission of the registers to the ESAs, soon after DORA enters into force the AFM will send a request for information to all organisations with an AFM licence that are subject to DORA. Firms should therefore already be preparing their register of information so that they are able to share it in a timely manner.

After this initial request, the AFM and DNB will request the register of information from firms each year. The AFM and DNB will then verify that all the fields in the registers of information are complete before forwarding the registers to the ESAs.

Based on the information from the registers, the ESAs will designate ICT third-party service providers that are considered critical for the financial sector. The ESAs will supervise these designated critical ICT third-party service providers.

  2. ICT-related incidents

Firms are also obliged to report major ICT-related incidents. When an ICT-related incident has occurred, firms must determine, on the basis of the classification criteria, whether it qualifies as a major ICT-related incident. For the classification of ICT-related incidents, see the relevant Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).

Once a firm determines that a major ICT-related incident has occurred, it must notify the relevant supervisory authority (AFM or DNB) within 4 hours from the moment the incident is classified as major. In addition, an intermediate report and a final report must be submitted to the AFM within 72 hours and 1 month, respectively, of the classification of the incident.

The AFM will assess the completeness of the incident report when analysing these reports. It will also assess whether the incident, and its impact, are adequately described in the report. Where this is not the case, the AFM will seek additional information to determine these facts. In addition to major ICT-related incident reporting, financial undertakings may also, on a voluntary basis, notify cyber threats. Both types of reports will mainly be used to determine whether ICT-related incidents have occurred or there are active cyber threats that impact, or could potentially impact, the financial sector.

  3. TLPT

A number of firms will be identified for threat-led penetration testing (TLPT). Firms only have to comply with these requirements if notified by the supervisory authority by means of a designation letter. Once the RTS for TLPT is approved by the European Commission, the AFM will contact the firms identified for TLPT. The timing of the test will be scheduled in consultation with the relevant firm.

The test managers of the AFM will assist the firm during the preparation and execution phases of the test to ensure that the test complies with the requirements in the Regulation and the RTS. After (successful) completion of the test, the firm receives a certificate, which can be used to demonstrate compliance with the requirements related to TLPT.

This Friday (17 January) the EU Digital Operational Resilience Act, DORA, comes into force and, unusually for EU legislation, there are no transitional provisions, meaning the legislation takes effect immediately.

The European Securities and Markets Authority has already warned that financial entities should identify and address gaps between their internal set-ups and DORA’s requirements. In addition, as of this Friday firms should be ready to report ICT-related incidents in accordance with the new reporting obligations. Firms should also be ready for the request to provide the new register of ICT third-party providers’ contractual arrangements, which may come as soon as February/March.

For those financial entities that are behind with their DORA implementation we are running last minute bespoke emergency clinics and training.

On 17 December 2024, the European Supervisory Authorities (ESAs) issued a summary report with the key findings from the 2024 dry run exercise on reporting the registers of information (RoI) under the Digital Operational Resilience Act (DORA).

Dry run

The primary objective of the dry run exercise was to help financial entities with the preparation of the RoI and their reporting to Member State competent authorities (NCAs) and the ESAs. The exercise was designed to help the industry improve data quality for the formal reporting that will begin from 2025. The dry run exercise also allowed for testing the reporting processes in an environment as close as possible to the official reporting.

Summary report

The summary report is intended to provide an overview of the dry run exercise and its key findings focusing on the quality of data found in the RoI submitted to the ESAs.

The report draws conclusions and highlights lessons learnt that should be considered by financial entities, NCAs and the ESAs. The aim is to ensure that the financial sector is generally better prepared for the start of the application of DORA in 2025, and that the RoI reported by financial entities are of better quality and meet the requirements of the applicable legislation.

The report has three main sections:

  • Section 2 provides an overview of the participating financial entities.
  • Section 3 deals with the key points observed in the dry run submissions from a data quality perspective.
  • Section 4 focuses on the key lessons learnt for financial entities, NCAs and the ESAs for the finalisation of their preparations for the official reporting of RoI to start from 2025.

Lessons learnt

Lessons learnt and recommendations for financial entities include that they:

  • Should continue to identify and integrate missing data into their RoI, so that they are able to submit full registers to their NCA and then to the ESAs. Missing mandatory information will be flagged as a data quality issue, with a request to re-submit the registers within the short time frame provided.
  • Are encouraged to continue, as far as possible, the preparation of their registers, especially for information which may not be immediately available (e.g. the relevant identifiers of their third-party service providers (TPPs)), where additional data collection/retrieval efforts may be necessary given that such information has not been used in the dry run.
  • Are encouraged to ensure that they have a valid LEI for themselves and for all financial entities belonging to their consolidated groups, noting that where the registers are reported on a consolidated basis, all financial entities included in template B_01.02 should be identified with an LEI.
  • Are encouraged to work with their TPPs so that they are identified and recorded in the registers with the identifiers specified in the ITS on the Registers of information.

On 4 December 2024, the European Supervisory Authorities (ESAs) issued a statement on the application of the Digital Operational Resilience Act (DORA).

The statement notes that DORA and its technical standards and guidelines will apply from 17 January 2025, and that financial entities and third-party providers are called on to advance their preparations to ensure readiness. It also emphasises the importance for financial entities of adopting a robust, structured approach to meeting their obligations in a timely manner, given that DORA does not provide for a transitional period.

Other key messages in the statement include that financial entities:

  • Are expected to identify and address in a timely manner any gaps between their internal set-ups and DORA’s requirements.
  • Should prepare for the new reporting obligations; in particular, financial entities need to have their registers of ICT third-party providers’ contractual arrangements available for Member State competent authorities early in 2025, as the latter will have to report them to the ESAs by 30 April 2025.

The ESAs also invite those ICT third-party service providers that meet the criticality criteria published in May 2024 to assess their operational setup against DORA’s requirements. The first designation of critical ICT third-party service providers is expected to take place in H2 2025.

On 2 December 2024, Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 was published in the Official Journal of the EU. It lays down implementing technical standards for the application of the Regulation on digital operational resilience for the financial sector (DORA) with regard to standard templates for the register of information. The Implementing Regulation enters into force on the twentieth day following that of its publication in the Official Journal of the European Union (22 December 2024).

On 15 November 2024, the European Supervisory Authorities issued a Decision on the information that Member State competent authorities (NCAs) must report to them for the designation of critical ICT third-party service providers under the Digital Operational Resilience Act (DORA). In particular, the Decision requires NCAs to report by 30 April 2025 the registers of information on contractual arrangements of the financial entities with ICT third-party service providers.

Financial entities that would like to learn more about how to prepare their registers of information and hear about the outcomes of the 2024 Dry Run exercise are invited to take part in an information workshop on 18 December 2024. The workshop will be held virtually from 10:00 to 13:00. Interested parties can register by 16 December 2024.