First tranche of draft RTS and ITS published under DORA

As a measure to enhance the overall digital operational resilience of the EU financial sector, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) entered into force on 16 January 2023 and will apply to in-scope financial services entities from 17 January 2025.

DORA creates a harmonised regulatory framework to enhance the digital operational resilience of financial entities in the EU financial sector against ICT related disruptions and threats. As part of the regulatory framework, DORA requires the adoption of specific regulatory technical standards (RTS) and implementing technical standards (ITS). In this briefing, we provide an overview of the status of these technical standards and a summary of the draft RTS and ITS that have been published to date.

The RTS and ITS

As DORA is a cross-sectoral regulation, the European Supervisory Authorities (ESAs) (the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority) are jointly leading the development of the RTS and ITS required under DORA, which are progressing in two separate tranches.

On 19 June 2023, the ESAs published the first of the two tranches of draft technical standards for public consultation (which closed on 11 September 2023). The second tranche of draft technical standards is expected to be published towards the end of this year.

The first tranche of draft RTS and ITS

The first tranche of technical standards includes the following four draft RTS and one ITS which aim to ensure a consistent and harmonised legal framework in the areas of ICT risk management, major ICT related incident reporting and ICT third party risk management:

We have provided an overview of the first tranche of draft technical standards below. While these technical standards are in draft form and could be subject to further modification following the end of the public consultation period, they will serve as guidance to in-scope financial entities on the key requirements to be considered in implementing DORA. However, it is important to note that these draft technical standards are complementary to the requirements set out in DORA and should be read together with the Articles that they are mandated under.

RTS on ICT risk management framework and simplified ICT risk management framework

Given the close connection between Article 15 and Article 16 of DORA, which each set out requirements relating to the ICT risk management framework, the two sets of technical standards that required under the Articles have been grouped into a single text to ensure coherence.

DORA requires financial entities to have a comprehensive and well-documented ICT risk management framework as part of their overall risk management system. The draft RTS require the following to be embedded in the ICT risk management framework:

  • ICT security policies, procedures, protocols and tools which address governance, risk management, asset management, encryption, cryptography, operations security, network security, project and change management, physical and environmental security and ICT and information security awareness and training
  • human resources policy and access controls
  • ICT related incident detection and response systems
  • ICT business continuity management
  • reporting standards on the ICT risk management framework

The draft RTS also incorporate the proportionality principle, which recognises that given the wide range of financial entities that fall within the scope of DORA, the ICT risk management framework must be fit for application to entities of all types, sizes, and levels of complexity. As such, certain less complex financial entities will be entitled to implement a simplified ICT risk management framework, which is described in detail in the draft RTS.

RTS on criteria for the classification of ICT related incidents

DORA requires financial entities to classify ICT related incidents and determine their impact based on certain criteria. The associated draft RTS provide further detail on the classification criteria.

The draft RTS also define the classification approach and materiality thresholds for determining “major ICT-related incidents” which trigger the obligation to report to the competent authorities. The RTS provide that the criteria for classifying incidents as “major” should be afforded different weights and the RTS separate the criteria into two groups on that basis:

  • primary criteria – clients, financial counterparts and transactions affected, data losses and critical services affected
  • secondary criteria – reputational impact, duration and service downtime, geographical spread and economic impact

The materiality threshold will be met where at least two primary criteria have been met OR three or more primary and secondary criteria have been met (with at least one primary criterion).

The draft RTS also set out the criteria and thresholds to be applied when classifying significant cyber threats and the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT related incidents to competent authorities in host Member States and the details of the information to be shared with them.

ITS on templates for the register of information on contractual arrangements with ICT third party service providers

DORA requires financial entities to maintain and update a register of information in relation to all contractual arrangements for the use of ICT services provided by ICT third party service providers. 

To simplify the establishment of registers by financial entities, the draft ITS proposes two sets of harmonised templates for the register of information, one to be used at entity level and the other to be used at sub-consolidated and consolidated level.

The draft ITS also provide financial entities with instructions and explanations for how to complete both templates.

RTS on management of contractual arrangements with ICT third party service providers

DORA requires financial entities to manage third party ICT risk as part of their ICT risk management framework. This includes establishing and implementing a policy on the use of ICT services supporting critical or important functions provided by ICT third party service providers. The associated RTS define the content of the policy, focusing on the following lifecycle phases of contractual arrangements with third party ICT service providers:

  • the pre-contractual phase (i.e. planning of contractual arrangements, including governance, risk assessment, due diligence and the approval process of new or material changes to third party contractual arrangements)
  • the implementation, monitoring and management of contractual arrangements for the use of ICT services supporting critical or important functions
  • the exit strategy and termination processes

Next steps

Based on the feedback received during the public consultation on the first tranche of draft technical standards, the RTS and ITS will be finalised and submitted to the European Commission by 17 January 2024 for adoption.

The second tranche of draft technical standards are expected to be published for consultation by the end of 2023. The finalised version of these standards must be submitted to the European Commission by 17 July 2024.

The second tranche will cover the following areas: guidelines on the estimation of aggregated costs/losses caused by major ICT incidents, reporting of major ICT related incidents, framework for threat-led penetration testing, specifications on the subcontracting of ICT services that support critical or important functions, cooperation between the ESAs and competent authorities regarding DORA oversight and harmonisation of oversight conditions.

While DORA takes full effect on 17 January 2025, the first tranche of draft technical standards indicates the challenges financial entities will face in complying with DORA and highlight the need for preparation. We recommend that financial entities review and become familiar with the provisions in the draft technical standards in order to understand their impact and to effectively plan for implementation.

For further information in relation to this topic, please contact Patrick Brandt, Partner, Caoimhe Crowley, Solicitor and Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team.

Date published: 13 October 2023