
11 July 2023 • 5 minute read
The new technical standards implementing the DORA Regulation
The entry into force of the DORA Regulation is a turning point for cybersecurity in the financial and insurance sectors. But the Regulation is not exhaustive and requires the adoption of specific regulatory technical standards. The European supervisory authorities are entrusted with drafting these standards.
Specifically, the European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), have been asked to define suitable technical standards that clarify the operational indications on specific requirements introduced by the DORA Regulation. Many of these requirements must be identified within 12-18 months (depending on the case), allowing companies to implement the measures in the subsequent months, in any case by January 2025.
In recent days, the European supervisory authorities (collectively ESA) have launched a public consultation on the first group of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). These technical standards aim to ensure a consistent and harmonized legal framework in the areas of ICT risk management, reporting of serious ICT incidents, and third-party ICT risk management.
Let's take a closer look at the obligations introduced by these first sets of rules:
RTS on the ICT risk management framework (Article 15 of the DORA Regulation) and RTS on the simplified ICT risk management framework (Article 16(3) of the DORA Regulation)
Given the close connection between Article 15 and Article 16 of DORA, which both regulate certain aspects of the ICT risk management framework, the two sets of technical standards have been grouped into a single text to ensure a comprehensive and coherent treatment of the subject.
This first group of standards establishes a more detailed definition of:
- ICT security policies, procedures, protocols, and tools (including requirements for governance, ICT risk management, ICT asset management, encryption and cryptography, ICT operations security, network security, ICT project and change management, physical security, ICT and information security awareness and training)
- control components on access management and human resource policies
- detection and response mechanisms for ICT-related incidents
- components of ICT business continuity management
- content and format of the ICT risk management framework review report
The requirements established in the RTS complement the requirements already defined in the ICT risk management framework provided by DORA and must be read together with Articles 5-16 of DORA, which deal with the same subject matter.
Regarding the simplified ICT risk management framework, which would apply to smaller or less interconnected financial entities, the RTS integrate the requirements established in Article 16 of DORA by specifying aspects related to:
- system elements, protocols, and tools to minimize the impact of ICT risk
- ICT business continuity management
- ICT risk management framework review report
RTS on criteria for the classification of ICT incidents (Article 18(3) of the DORA Regulation)
The second group of technical standards specifies harmonized requirements for the classification of ICT incidents by financial entities.
The RTS define the classification approach and the materiality thresholds used to identify significant ICT incidents, which trigger the obligation to report to the competent authorities, as well as the criteria and thresholds to be adopted in the classification of significant cyber threats. They also identify the criteria that competent authorities should use to assess the relevance of significant ICT incidents to the competent authorities of other Member States, along with the details of the information to be shared with them.
ITS establishing templates for the register of information (Article 28(9) of the DORA Regulation)
The third set of implementing rules (ITS) identifies harmonized templates that financial entities should adopt to prepare the register of information on contractual arrangements concluded with ICT service providers at the individual, consolidated, and sub-consolidated levels (pursuant to Article 28(3) of DORA).
These templates have been designed taking into account the threefold purpose of the register of information, namely:
- being a structural element of the ICT risk management framework of financial entities;
- enabling effective supervision of financial entities; and
- enabling the ESA to monitor the contracting of ICT service providers deemed critical at the EU level.
To simplify the establishment of registers by financial entities, the draft ITS contains two different sets of templates: one for registers at the individual entity level and one for registers at the consolidated and sub-consolidated levels.
RTS on policies for ICT services provided by third-party providers (Article 28(10) of the DORA Regulation)
Finally, this fourth group of RTS focuses on the lifecycle phases of managing contractual arrangements concluded with third-party ICT service providers. Specifically, the technical standards define the content of policies on the use of ICT services that support critical or important functions, detailing the following aspects:
- the pre-contractual phase (including contractual agreement planning, risk assessment, due diligence, and the approval process for new or significant changes to such third-party contractual agreements);
- the implementation, monitoring, and management of contractual agreements for the use of ICT services supporting critical or important functions;
- exit strategies and termination processes. The standards have been developed on the basis of experience gained in managing outsourcing arrangements.
The public consultation on the first batch of technical standards is open until 11 September 2023. Based on the consultation results, the technical standards will be finalized and submitted to the European Commission by 17 January 2024, to allow for adoption in time for the application of the DORA Regulation starting from 17 January 2025.
However, a second batch of technical standards is still to be published for public consultation by December 2023. This significantly shortens the time available for finalizing the documents and for their subsequent adoption.
The above-described technical standards must always be read in conjunction with the DORA Regulation.

