On July 17, 2024, the European Supervisory Authorities (“ESAs”) unveiled the second batch of policy products under the Digital Operational Resilience Act (“DORA”), a significant regulatory initiative aimed at fortifying the digital operational resilience of the European Union's financial sector. This latest release includes four final draft Regulatory Technical Standards (“RTS”), one set of Implementing Technical Standards (“ITS”), and two sets of guidelines, all aimed at enhancing the financial sector’s ability to withstand and recover from ICT-related incidents and cyber threats.
The comprehensive package places a strong emphasis on the reporting framework for ICT-related incidents, including detailed reporting requirements and templates, as well as stringent requirements for threat-led penetration testing (“TLPT”). The latest rendition of the standards also introduces measures for designing an oversight framework, thereby ensuring the continuous and uninterrupted provision of financial services and safeguarding customer data.
To address sector-specific concerns, a public consultation on the now-released technical standards and guidelines took place from December 8, 2023 to March 4, 2024. The ESAs received a substantial response from market participants, with 265 responses for the technical standards and 99 for the guidelines.[1]
The final draft technical standards published by the ESAs are as follows:
In addition to the aforementioned RTS and ITS, the ESAs have also published two sets of guidelines:
The final draft technical standards have been submitted to the European Commission, which will review them with the objective of adopting these policy products in the coming months. The remaining RTS on Subcontracting is expected to be released shortly.
--
The publication of this second batch of policy products under DORA marks yet another significant step towards a holistic picture of how the digital operational resilience of the EU’s financial sector will be structured. By establishing such standards for incident reporting and oversight, the ESAs aim to ensure that financial institutions are better equipped to handle ICT-related disruptions and cyber threats, ultimately safeguarding the stability and integrity of the EU internal market.
Do you require any help complying with the imminent enforcement of DORA? GTG is here to assist. For more information, assistance or clarification kindly contact Dr Ian Gauci or Dr Terence Cassar.
Author: J.J. Galea
References
[1] https://www.esma.europa.eu/press-news/esma-news/esas-published-second-batch-policy-products-under-dora