DORA RTS: Second Batch of Regulatory Technical Standards 

23.09.2025

On January 17, 2024, European legislators published the first batch of RTS. The second batch was released in July 2024, and this article discusses the scope of its guidelines. 

RTS as a clarification of DORA 

Regulatory technical standards are detailed guidelines and technical specifications developed within the framework of a specific regulation or legal act. They aim to clarify and supplement general legal provisions. The RTS help interpret and implement legal requirements in specific cases. We have explained the concept of RTS in the context of the DORA regulation in more detail in the article devoted to the first batch of RTS. 

RTS often define technical requirements that systems, processes, or products must meet to comply with legal regulations. In the case of EU-wide regulations, this means that RTS apply in all member states. RTS form the basis for assessing regulated entities’ compliance with the law. They serve as a reference point for supervisory authorities to determine if these entities meet legal requirements. 

Often, the European legislator creates regulatory technical standards to provide more detailed guidance and establish specific rules that expand on the general provisions in legal acts. 

The second batch of RTS 

Regulatory technical standards are divided into two batches. The second batch was under consultation until March 4, 2024, and was finally issued on July 17, 2024. This batch includes four draft regulatory technical standards, one set of implementing technical standards (ITS), and two sets of guidelines (GL). These documents address the reporting of major ICT-related incidents, the estimation of incident-related losses, the management of ICT subcontractor risk for critical or important functions, the oversight of critical third-party ICT service providers, cooperation between supervisory authorities, and digital operational resilience testing. 

RTS and ITS on content, timelines, and templates for incident reporting 

The RTS and ITS on incident reporting specify the content, timelines, and templates for ICT incident reports. 

They also introduce time limits for reporting different types of incidents and standard forms and procedures for financial entities to report serious ICT incidents or important cyber threats. 

GL on aggregate costs and losses from serious incidents 

Because serious ICT-related incidents are frequent in the financial sector and no aggregated information on these events existed, the legislator decided to oversee the sector's cybersecurity through a measurement-based methodology. The guidelines on estimating the aggregate costs and losses from serious incidents aim to standardize that estimation method. With a consistent measurement methodology, the annual costs and losses that incidents generate for financial entities can be assessed at the scale of the European Union. 

RTS on Outsourcing Critical or Important Functions 

DORA requires financial entities to cooperate only with ICT service providers that comply with high, appropriate information security standards. When cooperating with providers for critical or important functions, financial entities must verify that they apply the most up-to-date and highest information security standards. Regulatory technical standards on the outsourcing of critical or important functions will govern subcontracting agreements for ICT services. 

In an era of highly complex ICT services and frequent outsourcing, even financial entities’ critical functions are performed by ICT providers. The RTS draft specifies the elements that financial entities should assess. When estimating risk, financial entities should assess ICT services outsourced to date in terms of the use of ICT subcontractors. Financial entities should conduct surveys to determine the following information: the location of the subcontractor; the contractual clauses between the supplier and the subcontractor; and the possibility of audit access for the financial entity. 

Activities related to the assessment of ICT suppliers are part of the holistic risk management required by DORA. Refer to the schedule that supports the implementation of the regulation for the tasks of departments related to risk management and the assessment of ICT suppliers. 

RTS on supervisory harmonization 

The regulatory technical standards on supervisory harmonization aim to establish common criteria for key external ICT service providers. The draft RTS specifies the information that external service providers must submit to obtain key provider status, as well as the procedures that supervisory authorities should follow when assessing providers’ actions. 

Guidelines on supervisory cooperation between the ESA and competent supervisory authorities 

These guidelines focus on the detailed procedures and conditions for allocating and performing tasks between supervisory authorities and the ESA. 

RTS on threat-led penetration testing (TLPT) 

The regulatory technical standards on threat-led penetration testing set out the criteria for identifying the financial entities that are required to carry out such tests. The draft RTS also establishes requirements for the scope, methodology, and results of the tests, as well as the remedial actions to be taken on the basis of those results. 

Date of entry into force of DORA 

The introduction of appropriate standards for the content, timelines, and templates for incident reporting is important for the effective functioning of financial supervision systems. It is also important to specify the information contained in incident reports and the reporting schedule and to provide standardized templates. The second RTS package enables financial entities to effectively monitor and respond to incidents, contributing to the security and stability of the financial sector. Additionally, standardizing the reporting process facilitates data analysis and comparison between entities, enabling a quick response to potential threats. 

Based on comments received by March 4, 2024, the standards were finalized and published on July 17, 2024. They took effect across the whole EU on January 17, 2025. The RTS, GL, and ITS from both published batches flesh out the regulatory framework by specifying the requirements for the use of ICT services by financial entities. 
