The European Supervisory Authorities (ESAs), have released the first set of technical draft standards under the Digital Operational Resilience Act (DORA) regulation.
The ESAs consist of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).
The first set of regulatory technical standards (RTS) considers ICT risk management frameworks and simplified ICT risk management frameworks, aiming to harmonise related tools, methods, processes and policies.
RTS on criteria for the classification of ICT-related incidents are also included, along with the approach for the classification of major incidents and materiality thresholds for each classification criterion.
The standards outline details on how significant cyber threats can be determined, and explain the process of sharing these incidents with competent authorities in other member states.
The ESAs have also specified the policy on ICT third-party service providers (TTPs) supporting critical or important functions, including the governance, risk management and internal control frameworks that financial entities should have in place.
Implementing Technical Standards (ITS) have been released, setting out templates that financial entities must maintain and update in relation to their contractual arrangements with ICT TTPs.
Alongside ensuring that firms have effective risk management frameworks, these registers of information will allow competent authorities and ESAs to supervise DORA compliance and determine which ICT TTPs will be subject to the DORA oversight regime.
These draft technical standards have been submitted to the European Commission, and are expected to be adopted in the coming months pending review.
James Kemp, managing director of the Association for Financial Markets in Europe (AFME), says: “There is now only a year until the application of DORA, intended to harmonise risk management frameworks for ICT services. This latest set of technical standards will regretfully exacerbate the challenge facing banks and financial entities in taking forward those preparations.
“In particular, AFME is concerned that without a proportionate and phased approach to enforcement, the obligations on supplier contracts will cause major disruption. Between now and January 2025, AFME strongly encourages the EU authorities to engage with industry on how firms should be rationalising these requirements. We recommend this be done on a forward-looking basis upon contract renewal.
“Proportionality is similarly required on the establishment of the incoming registers of information. The use of new data fields and formats will impede firms in efficiently pulling data from those registers already in existence. [DORA] would be self-defeating if the implementation of this regulation, which has the support of industry in principle, caused disruption.”
