- Question ID
- 2025_7369
- Legal act
- Regulation (EU) No 2022/2554 (DORA Reg)
- Topic
- ICT third-party risk management
- Article
- 28
- Paragraph
- 5
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Not applicable
- Article/Paragraph
- EU 2022/2554 Art. 28 (5)
- Type of submitter
- Credit institution
- Subject matter
- Is there a definition of information security standards?
- Question
- In DORA Article 28 (5), reference is made to "appropriate information security standards" and to "the most up-to-date and highest quality information security standards". Is there a definition of which standards are applicable here, or can credit institutions define the desired requirements themselves?
- Background on the question
- So far, the term "standard" has been equated with ISO27xx. Before DORA, selected security requirements for ICT service providers were defined by the Sparkasse. For small service providers in particular, certification according to ISO27001 would be an exclusion criterion.
- Submission date
- Rejected publishing date
-
- Rationale for rejection
- This question has been rejected because the matter it refers to is in the process of being answered in Q&A DORA188 (ESMA Q&A 3200).
- Status
- Rejected question