Second tranche of draft RTS, ITS and Guidelines published under DORA
On 8 December 2023, the European Supervisory Authorities (ESAs) published the second tranche of policy measures under Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) for public consultation.
Background
DORA, which will apply from 17 January 2025, is intended to create a harmonised regulatory framework that enhances the digital operational resilience of in-scope EU financial entities in respect of ICT-related disruptions and threats.
As part of the harmonised regulatory framework, DORA requires the adoption of specific regulatory technical standards (RTS), implementing technical standards (ITS) and joint guidelines (Guidelines). The ESAs are jointly leading the development of the RTS, ITS and Guidelines, which have been progressing in two separate tranches.
On 19 June 2023, the ESAs published the first tranche of measures for public consultation, which closed on 11 September 2023. The first tranche comprised draft RTS and ITS in the areas of ICT risk management, major ICT-related incident reporting and ICT third-party risk management. See our previous Insight, which discusses the first tranche of draft measures.
The second tranche of draft measures comprises four draft RTS, one set of draft ITS and two sets of Guidelines, as outlined below.
Second tranche of draft policy measures
RTS and ITS on reporting of major ICT-related incidents and significant cyber threats (Article 20 of DORA)
The draft RTS set out the content of the reports for major ICT-related incidents, the time limits for submission of an initial notification, an intermediate report and a final report in respect of a major ICT-related incident, and the content of the notification for significant cyber threats.
The draft ITS set out the standard forms, templates and procedures for reporting major ICT-related incidents and significant cyber threats. The draft ITS also provide a data glossary, the characteristics of the data fields and instructions on how to populate the forms.
RTS specifying elements related to threat-led penetration testing (Article 26(11) of DORA)
The draft RTS set out the scope of, and methodology for, advanced testing of ICT tools, systems and processes based on threat-led penetration testing (TLPT), in accordance with the TIBER-EU framework. The TIBER-EU framework is a European framework for threat intelligence-based ethical red-teaming that provides comprehensive guidance on how authorities, entities and red-team providers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks.
RTS on subcontracting of critical or important functions (Article 30(5) of DORA)
The draft RTS set out the requirements governing when financial entities may permit ICT third-party service providers to subcontract ICT services supporting critical or important functions, and the conditions that apply to such subcontracting. The aim of the RTS is to ensure that financial entities can assess the risks associated with subcontracting along the entire subcontracting chain.
RTS on oversight harmonisation (Article 41(1) of DORA)
The draft RTS specify requirements to harmonise the conditions enabling the conduct of oversight activities by the Lead Overseer.
Guidelines on estimation of aggregated costs and losses caused by major ICT-related incidents (Article 11(11) of DORA)
The draft Guidelines specify requirements for the estimation by financial entities of aggregated annual costs and losses that are caused by major ICT-related incidents.
Guidelines on oversight cooperation and information exchange between the ESAs and competent authorities (Article 32(7) of DORA)
The draft Guidelines provide guidance for cooperation between the ESAs and the national competent authorities (NCAs), including detailed procedures and conditions for the allocation and execution of tasks between the ESAs and the NCAs and relevant information exchanges between the ESAs and the NCAs.
Next steps
The public consultation on the draft measures will close on 4 March 2024.
The policy measures must be finalised and submitted to the European Commission by 17 July 2024 for adoption.
A public webinar on the draft measures will be held on 23 January 2024.
For further information in relation to this topic, please contact Patrick Brandt, Partner, Caoimhe Crowley, Solicitor, Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team.
Date published: 14 December 2023