DORA: One year to go | Fieldfisher

ESAs publish technical and operational guidance for DORA compliance

The EU's Digital Operational Resilience Act ("DORA") will come into effect in less than a year's time. DORA was approved by the European Parliament in December 2022, came into force on 16 January 2023 and will apply from 17 January 2025.

This groundbreaking piece of European legislation seeks to improve and harmonise approaches on ensuring digital operational resilience and IT security in the financial services sector. It will impose stringent new requirements on financial entities ("FEs") and their IT suppliers.

If you are a financial services firm (of a type listed in Article 2 of DORA), or if you provide any form of digital or data service into the financial services sector, you are likely to be impacted by the obligations under DORA.

Those obligations will take a considerable amount of time, and resource, to fully comply with, and the penalties for not doing so are potentially severe. If you have not yet started to think about what this means for your business, now is the time to do so.

For further information on DORA, and what you need to do to comply, please see our previous articles:

Draft Regulatory Technical Standards

DORA is a relatively prescriptive piece of legislation, certainly when compared to its predecessors. However, some of the specific obligations under it are left to be further specified by the European Supervisory Authorities (EBA, EIOPA and ESMA – the "ESAs"), which are required, via secondary legislation, to present regulatory technical standards ("RTS") that give FEs and their IT suppliers more guidance on how to comply with their DORA obligations.

As an anniversary present (who said that regulators aren’t generous!), the ESAs delivered the first set of their draft RTSs on January 17 2024. Those cover:

At this stage, the RTSs are still technically drafts from a legislative perspective, and will only be finalised once the European Commission has adopted them.

A second batch of RTSs are due to be published by the ESAs in July 2024.

Overview

In the remainder of this article we briefly summarise these draft standards and what they contain. These RTSs will be of great interest in particular to individuals working in compliance functions and technical functions within impacted organisations, but given the level of detail specified and the importance of getting compliance right, we would recommend that anyone in your organisation responsible for managing your DORA compliance programme should review them.

If you would like further information or would otherwise like to discuss how these standards or the legislation more generally impacts you, please get in touch with Nikhil Shah (nikhil.shah@fieldfisher.com) to arrange a free 30 minute consultation.

Draft RTS on harmonising ICT risk management tools, methods, processes and policies

The ESAs have published this RTS to clarify the obligations on FEs to harmonise ICT risk management tools and policies (found in Article 15 of DORA), as well as to develop a simplified ICT risk management framework for certain FEs (Article 16 of DORA).

This draft RTS introduces additional detail to the guidelines already found in DORA, including in relation to:

  • access control;
  • incident detection and response;
  • business continuity management; and
  • risk management review reporting.

While restating the overarching principle of proportionality (which is pervasive throughout DORA), the ESAs attach a significant amount of importance to (1) ensuring strong ICT risk management and control frameworks in FEs and (2) ensuring a clear and coherent path towards the effective implementation of these frameworks. To this effect, the ESAs are still considering whether, how and what further guidance needs to be provided to the market with respect to the interaction between the requirements in this RTS and other requirements currently contained in DORA.

It is important to note that effective implementation under this RTS does not include mandating the use of any specific technology or products – the ESAs are focusing on being technology- and product-neutral in their mandates.

Draft RTS on classifying ICT related incidents, materiality thresholds for major incidents and significant cyber threats

In response to the requirements in Article 18 of DORA, the ESAs have drafted this RTS examining the materiality thresholds for and approach to classification of major incidents and significant cyber threats. The RTS includes a simplified table on page 8 outlining these thresholds and classification criteria. This RTS will be especially helpful to FEs looking to assess the reporting requirements which may need to be flowed down to their suppliers.

The criteria that will impact the classification of ICT-related incidents include:

  • Critical services affected;
  • Clients and financial counterparts affected;
  • Reputational impact;
  • Geographical spread;
  • Duration and service downtime;
  • Data losses; and
  • Economic impact.

Draft RTS on drafting standard templates for the register of information required for contractual arrangements with ICT third-party service providers

Article 28(9) of DORA requires FEs to maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT Third-Party Service Providers ("ICT TPPs"). The ESAs have drafted this RTS to establish standard templates for the purposes of this register, including information that is common to all contractual arrangements on the use of ICT services.

The templates have been designed to be proportionate, where the amount of information required will take into account the nature of the contractual relationships between FEs and ICT TPPs. For example, an FE with a significant number of ICT TPPs or a complex level of ICT dependencies will have more information to report than an FE depending on a small number of ICT TPPs.

The Register of Information comprises 15 templates in the form of tables, all linked together via different specific keys to form a relational structure. To ensure clarity, the RTS proposes a single set of templates that is common to all FEs to be used to report information. The templates capture:

  • the risk assessment on ICT TPP services;
  • the list of FEs that can use the ICT TPPs; and
  • contracts in place with the TPPs.

Draft RTS on specifying the content of the required policy in relation to contractual arrangements for ICT services supporting critical or important functions

Under Article 28(10) of DORA, there is a requirement that FEs adopt and regularly review their strategy on managing ICT third-party risk. This strategy must include a policy on the use of ICT services supporting critical or important functions provided by ICT TPPs to strengthen the level of accountability within FEs. The RTS outlines what this policy needs to include, e.g.:

  • language that defines crucial parts of the FEs' governance arrangements, risk management and internal control frameworks; and
  • internal controls to ensure that the FEs retain oversight of operational risks, information security and business continuity throughout the life cycle of contractual arrangements with ICT TPPs.

To maximise effectiveness, the RTS covers the entire life cycle of such contractual arrangements - beginning with the planning phase of the procurement of ICT services (including due diligence processes and risk assessments), transitioning through the ongoing service delivery, monitoring and auditing, and ending with the exit from such arrangements.

FEs are also expected to assess the business reputation of the ICT TPP and ensure that it has available the appropriate resources, including expertise and adequate financial, human and technical resources, and is able to comply with the contractual and regulatory requirements.
