First set of Rules under the DORA Regulation published by ESAs

On January 17, 2024, the three European Supervisory Authorities (“ESAs”) i.e. the European Banking Authority (“EBA”), the European Insurance and Occupational Pensions Authority (“EIOPA”), and the European Securities and Markets Authority (“ESMA”), have published the first set of technical standards implementing EU Regulation 2022/2554 (the Digital Operational Resilience Act or “DORA”), which came into effect on January 16, 2023. DORA’s purpose is to enhance the digital operational resilience of the EU financial sector and outlines certain obligations to be complied with, within January 17, 2025.

The ESAs final joint technical standards are composed of:

Regulatory Technical Standards (“RTS”) on ICT Risk Management Framework and Simplified ICT Risk Management Framework: they identify additional elements with respect to the ICT risk management in order to harmonise tools, methods, processes and policies and they ensure that ICT risk management requirements are uniform among different financial sectors.

RTS on Criteria for Classifying ICT-Related Incidents: they set the criteria for the classification of major ICT incidents, the methodology to classify major incidents, the thresholds for each classification parameter, the criteria and thresholds for determining significant cyber threats, and the criteria for competent authorities to make an assessment on incidents for competent authorities in other Member States. They ensure a uniform process for classifying incident reports in the financial sector.

RTS on ICT TPP policy: they specify parts of the governance arrangements, risk management framework and internal control that financial entities should comply with regarding the use of third-party ICT service providers. The purpose of these RTS is to ensure that financial entities control their operational risks, information security and business continuity during the life cycle of their contracts with ICT third-party service providers.

Technical Implementation Standards (“ITS”) to establish templates for the information registry: they establish the templates to be adopted and updated by financial entities with respect to their contractual arrangements with ICT service providers. The information registry will have a fundamental function in the third-party ICT risk management framework of financial entities and will be a crucial tool for the competent authorities and ESAs to check the compliance of financial entities with DORA.

The above described final technical standards have been developed pursuant to Articles 15, 16(3), 18(3), 28(9), and 28(10) of the DORA Regulation.

The final technical standards have been now submitted to the European Commission, which will review them with the purpose of approving them in the next months.