RTS – Regulatory Technical Standards for DORA. First group.

24.07.2025
  • Documentation

On January 17, 2024, the European Supervisory Authorities (ESAs) announced the first set of Regulatory Technical Standards (RTS) developed under the Digital Operational Resilience Act for the Financial Sector (DORA). These standards specify how the obligations arising from DORA are to be carried out. This article discusses the elements included in the regulations.

What are Regulatory Technical Standards?

DORA harmonizes and consolidates key elements of existing digital resilience frameworks and standards in the European Union, but also introduces new requirements. Financial entities cooperate extensively with external ICT providers, and those providers therefore have a significant impact on the organization’s ICT environment. For this reason, DORA applies to these providers and affects the contracts financial entities conclude with them.

However, the regulation itself does not specify the activities or documents that financial entities should prepare to ensure compliance with DORA. Regulatory technical standards (RTS) aim to establish a common legal framework for ICT risk management, reporting serious ICT-related incidents, and managing ICT-related third-party risks.

A regulatory technical standard is a tool used in the EU to clarify certain aspects of legislation and develop detailed technical specifications in relation to compliance with the law.

European Supervisory Authorities (ESAs) often develop RTS to provide more detailed guidance and specify detailed rules that complement the broader provisions set out in primary legislation.

DORA establishes a legal framework that outlines high-level principles and requirements to promote the operational resilience of financial institutions in the digital age. To implement these principles and requirements, as well as provide more detailed guidance on implementation, the European Supervisory Authorities have developed regulatory technical standards for DORA.

What does the first RTS package contain?

Implementation of the RTS has been divided into two parts. The published draft technical standards comprise three RTS and one Implementing Technical Standard (ITS). These are:

  • RTS on ICT risk management frameworks and simplified ICT risk management frameworks
  • RTS on the criteria for classifying ICT incidents
  • RTS on the policy for ICT services supporting critical or important functions provided by external ICT service providers
  • ITS on the templates for the information register.

The individual documents are discussed below.

RTS on risk management frameworks

The Regulatory Technical Standards on risk management frameworks aim to further specify the elements of ICT risk management in order to harmonize tools, methods, processes, and policies. The elements defined in the draft RTS complement the requirements already set out in DORA. The draft focuses on the following topics, among others:

  • ICT security policies, procedures, protocols, and tools
  • Human resources and access control policies
  • Detection and response to ICT incidents
  • ICT system continuity management
  • Report on the review of the ICT risk management framework.

Based on the principle of proportionality, which guides DORA, financial entities must assess and justify the standard and scope of the requirements they prepare and implement. Accordingly, the RTS defines simplified ICT risk management frameworks for certain entities.

RTS on the criteria for classifying ICT incidents

These standards specify areas such as the criteria for classifying serious incidents, approaches to classification, materiality thresholds for each criterion, and the criteria and materiality thresholds for identifying significant cyber threats.

The RTS provide criteria for assessing incidents and indicate to the competent authorities in individual Member States how to determine their significance. The RTS also provide details on sharing incident information in this context. Consequently, the RTS standardize the process of classifying incident reports across the financial sector.

RTS on ICT service policies supporting critical or important functions provided by external providers

The regulatory technical standards on ICT service policies supporting critical or important functions provided by external providers specify key aspects of governance, risk management, and internal control frameworks. Financial entities should define this scope in the context of their use of external ICT service providers. The main objective of these RTS is to enable financial entities to effectively manage operational risk, information security, and business continuity throughout the entire lifecycle of contracts with external ICT service providers.

ITS on the information register

The ITS on the information register sets out the templates for the register of information that financial entities should maintain and update on their contractual arrangements with external ICT service providers. The register plays a key role in managing the risks associated with ICT third-party service providers.

It is useful for monitoring financial institutions’ compliance with DORA requirements and identifying key ICT service providers that are subject to DORA-related oversight. Competent authorities and European Supervisory Authorities use this information to effectively supervise and enforce compliance with regulatory requirements.


What will be included in the second package of RTS?

Consultations on the second set of Regulatory Technical Standards were completed on March 4, 2024. The package includes:

  • RTS and ITS on the content, timing, and templates for incident reporting
  • Guidelines on aggregate costs and losses resulting from major incidents
  • RTS on outsourcing critical or important functions
  • RTS on supervisory harmonization
  • Guidelines on supervisory cooperation between European Supervisory Authorities and competent authorities
  • RTS on threat-led penetration testing (TLPT).

Tasks towards DORA compliance

Ensuring compliance with DORA is not an easy task. The regulation contains a set of high-level obligations that do not specify concrete implementation steps. The RTS help navigate compliance with the regulation. In addition to the steps outlined in the RTS, it is important to map out responsibilities across departments within the financial organization. A DORA implementation schedule can be helpful in this regard: it combines a timeline of tasks with the responsibilities of the compliance, security, and IT departments without overlooking the management board’s key role.

In summary, regulatory technical standards are a key tool for complying with the digital resilience regulation in the financial sector. It is important to familiarize yourself with these standards and consider how your team’s current documentation needs to adapt to comply with the digital resilience regulation.

The first package of regulatory technical standards (RTS) consists of three RTS and one ITS. The RTS cover the ICT risk management framework, the criteria for classifying ICT incidents, and the policies for ICT services that support critical or important functions provided by external ICT service providers. Additionally, the ITS specifies templates for the information register. Each of these documents specifies in detail the elements related to risk management, incident classification, and ICT service policy.

The second package of RTS was open for consultation until March 4, 2024. It contains RTS and ITS on incident reporting content, timing, and templates; guidelines on aggregate costs and losses resulting from serious incidents; RTS on outsourcing critical or important functions; RTS on harmonization of supervision; guidelines on supervisory cooperation between European Supervisory Authorities and competent authorities; and RTS on threat-led penetration testing (TLPT).
