ESAs release final drafts on DORA: advancing ICT risk management for EU financial entities

On 17 January 2024, the European Supervisory Authorities (ESAs), i.e. the EBA, EIOPA and ESMA, published their first set of final draft regulatory technical standards (RTS) under Regulation (EU) 2022/2554 of 14 December 2022 on Digital Operational Resilience for the Financial Sector (also known as the Digital Operational Resilience Act, DORA). DORA introduces a standardized regulatory framework designed to improve the digital operational resilience of financial entities in the European Union's (EU) financial sector, specifically addressing disruptions and threats related to information and communication technology (ICT), and focusing mainly on ICT risk management, reporting and risk monitoring. DORA entered into force on 16 January 2023 and will apply to in-scope financial services entities from 17 January 2025.

The joint final draft technical standards include: 

  • RTS on ICT risk management framework and on simplified ICT risk management framework: 

The RTS on the ICT risk management framework aim to identify additional elements of ICT risk management, seeking to standardize the tools, methods, processes and policies that complement those outlined in DORA. The RTS also single out the essential components that financial entities under the simplified regime (those of smaller scale and lower risk, size and complexity) should implement, presenting a simplified ICT risk management framework. The intention is to harmonize ICT risk management requirements across the various financial sectors.

  • RTS on criteria for the classification of ICT-related incident: 

These RTS set out the criteria for classifying ICT-related incidents, the methodology for their classification, the materiality thresholds for each classification criterion, the criteria and materiality thresholds for identifying significant cyber threats, and the guidance for competent authorities on assessing the relevance of incidents to authorities in other Member States and on the incident details to be shared in that context. The main criteria are:

  • the clients, financial counterparts and transactions affected;
  • the reputational impact;
  • the duration and service downtime;
  • the geographical spread;
  • the data losses;
  • the critical services affected.

The objective of these RTS is to establish a uniform and straightforward process for classifying and reporting incidents across the financial sector.

  • RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (TPPs): 

The objective is to ensure that financial entities retain control over their operational risks, information security and business continuity throughout the entire life cycle of their contractual arrangements with ICT third-party service providers. Indeed, the use of ICT service providers does not relieve financial entities and their management bodies of their responsibility to oversee risk management and compliance with legislative requirements. This holds particularly true where ICT third-party service providers support critical or important functions. These RTS include provisions requiring financial entities to clearly assign internal responsibilities for approving, managing, controlling and documenting contractual arrangements for the use of ICT services offered by third-party providers, especially where those services support critical or important functions. These provisions are designed to enhance accountability within the relevant business areas of financial entities.

  • Implementing Technical Standards (ITS) to establish the templates for the register of information:  

Finally, the ITS define the templates for the register of information that financial entities must maintain and regularly update in relation to their contractual arrangements with ICT third-party service providers. The register of information will play a pivotal role in the ICT third-party risk management framework of financial entities and will serve as a tool for competent authorities and the ESAs in monitoring compliance with DORA. The ITS aim to:

  • capture the minimum necessary information concerning the contractual arrangements and the assessment of the related risks they pose to the financial entities;
  • capture the ICT service supply chain, with a focus on material subcontractors (i.e. those supporting critical functions);
  • identify the ICT third-party service providers and the financial entity unambiguously and consistently by using the Legal Entity Identifier (LEI), to enable efficient aggregation of the relevant information; and
  • identify the (critical or important) functions supported by the ICT services provided by ICT third-party service providers, following the steps listed below: (i) the entity shall identify all of its operational and business functions; (ii) the entity shall identify which functions are critical or important according to its internal assessment, taking into account the definition in Article 3(22) of DORA; (iii) the financial entity shall identify the ICT services provided by ICT third-party service providers supporting those functions (not only the critical or important ones); (iv) in the context of groups, the financial entities shall focus only on contracts between entities within the group and on contracts between an entity within the group and an external ICT service provider; and (v) facilitate the collection of the registered information by competent authorities.

You can explore the detailed RTS on the ESMA website.

Feel free to reach out to our investment management team if you have any questions.