DORA - Second Batch of Policy Products

On July 17, 2024, the European Supervisory Authorities (“ESAs”) unveiled the second batch of policy products under the Digital Operational Resilience Act (“DORA”), a significant regulatory initiative aimed at fortifying the digital operational resilience of the European Union's financial sector. This latest release includes four final draft Regulatory Technical Standards (“RTS”), one set of Implementing Technical Standards (“ITS”), and two sets of guidelines, all focused on enhancing the financial sector’s ability to withstand and recover from ICT-related incidents and cyber threats.

The comprehensive package places a strong emphasis on the reporting framework for ICT-related incidents, including detailed reporting requirements and templates, as well as stringent requirements for threat-led penetration testing (“TLPT”). The latest rendition of the standards introduces measures for designing an oversight framework, thereby ensuring the continuous and uninterrupted provision of financial services and safeguarding customer data.

To address sector-specific concerns, a public consultation on the now-released technical standards and guidelines took place from December 8, 2023 to March 4, 2024. The ESAs received a substantial response from market participants, with 265 responses on the technical standards and 99 on the guidelines.[1]

The final draft technical standards published by the ESAs are as follows:

  1. RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats: These standards define the content, format, templates, and timelines for reporting major ICT-related incidents and significant cyber threats. The aim is to create a standardised approach across the EU that facilitates effective communication and a rapid response to such incidents.
  2. RTS on the harmonisation of conditions enabling the conduct of the oversight activities: This standard harmonises the conditions enabling the conduct of oversight activities, ensuring a consistent and efficient regulatory oversight framework across member states.
  3. RTS specifying the criteria for determining the composition of the joint examination team (“JET”): This standard specifies the criteria for determining the composition of the JET, which will be responsible for conducting thorough examinations and assessments of digital operational resilience within financial entities.
  4. RTS on threat-led penetration testing: This standard outlines the requirements for conducting TLPT, a proactive approach to identifying and addressing potential vulnerabilities in financial institutions’ ICT systems.

In addition to the aforementioned RTS and ITS, the ESAs have also published two sets of guidelines:

  1. Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents: These guidelines provide a framework for estimating the aggregated costs and losses resulting from major ICT-related incidents, helping institutions better assess and mitigate the financial impact.
  2. Guidelines on Oversight Cooperation: These guidelines aim to enhance cooperation between different oversight bodies, ensuring a coordinated and comprehensive approach to digital operational resilience across the EU.

What’s next?

The final draft technical standards have been submitted to the European Commission, which will review them with the objective of adopting these policy products in the coming months. The remaining RTS on Subcontracting is expected to be released shortly.

--

The publication of this second batch of policy products under DORA marks yet another significant step towards a holistic view of how the digital operational resilience of the EU’s financial sector will be shaped. By establishing such standards for incident reporting and oversight, the ESAs aim to ensure that financial institutions are better equipped to handle ICT-related disruptions and cyber threats, ultimately safeguarding the stability and integrity of the EU internal market.

Do you require any help complying with the imminent enforcement of DORA? GTG is here to assist. For more information, assistance or clarification kindly contact Dr Ian Gauci or Dr Terence Cassar.

Author: J.J. Galea

References

[1] ESAs Press Release: https://www.esma.europa.eu/press-news/esma-news/esas-published-second-batch-policy-products-under-dora

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.