ESAs publish first set of rules under DORA for ICT and third-party risk management and incident classification
The three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published today the first set of final draft technical standards under the Digital Operational Resilience Act (DORA) aimed at enhancing the digital operational resilience of the EU financial sector by strengthening financial entities’ Information and Communication Technology (ICT) and third-party risk management and incident reporting frameworks.
The joint final draft technical standards include:
- Regulatory Technical Standards (RTS) on ICT risk management framework and on simplified ICT risk management framework;
- RTS on criteria for the classification of ICT-related incidents;
- RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (TPPs); and
- Implementing Technical Standards (ITS) to establish the templates for the register of information.
RTS on ICT risk management framework and on simplified ICT risk management framework
The draft RTS on ICT risk management framework identify further elements related to ICT risk management with a view to harmonise tools, methods, processes and policies. These elements are complementary to those identified in DORA. The RTS identify the key elements that financial entities subject to the simplified regime and of lower scale, risk, size and complexity would need to have in place, setting out a simplified ICT risk management framework. The RTS ensure the ICT risk management requirements are harmonised among the different financial sectors.
RTS on criteria for the classification of ICT-related incidents
These RTS specify the criteria for the classification of major ICT-related incidents, the approach for the classification of major incidents, the materiality thresholds of each classification criterion, the criteria and materiality thresholds for determining significant cyber threats, the criteria for competent authorities to assess the relevance of incidents to competent authorities in other Member States and the details of the incidents to be shared in this regard. The RTS ensure a harmonised and simple process of classifying incident reports throughout the financial sector.
RTS on ICT TPP policy
These RTS specify parts of the governance arrangements, risk management and internal control framework that financial entities should have in place regarding the use of ICT third-party service providers. They aim to ensure financial entities remain in control of their operational risks, information security and business continuity throughout the life cycle of contractual arrangements with such ICT third-party service providers.
ITS on the register of information
Finally, the ITS set out the templates to be maintained and updated by financial entities in relation to their contractual arrangements with ICT third-party service providers. The register of information will play a crucial role in the ICT third-party risk management framework of the financial entities and will be used by competent authorities and ESAs in the context of supervising financial entities’ compliance with DORA and to designate critical ICT third-party service providers that will be subject to the DORA oversight regime.
Legal basis and Background
These final draft technical standards have been developed in accordance with Articles 15, 16(3), 18(3), 28(9) and 28(10) of DORA (Regulation (EU) 2022/2554). The public consultation on the draft technical standards took place from 19 June to 11 September 2023. The ESAs received more than 420 responses from market participants, including a joint response from ESAs’ stakeholder groups. The public consultation feedback led to specific changes to the technical standards, including ensuring simplification and streamlining of the requirements, greater proportionality and addressing sector-specific concerns.
The final draft technical standards have been submitted to the European Commission, who will now start working on their review with the objective to adopt these first standards in the coming months.
Draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework
(1.74 MB - PDF)
Draft RTS to specify the policy on ICT services supporting critical or important functions
(754.99 KB - PDF)
Draft RTS on classification of major incidents and significant cyber threats
(1.02 MB - PDF)
Draft ITS on Register of Information
(2.92 MB - PDF)
Franca Rosa Congiu