First Batch of DORA Technical Standards Open for Public Consultation
The European Supervisory Authorities (EBA, EIOPA, and ESMA - the ESAs) have been assigned the responsibility of developing policy documents for DORA. These technical standards will be released in two batches, with the first one already available and the second expected by the end of the year.
It is important to note that the current release consists of consultation papers, meaning that the ESAs are seeking feedback and may adjust the drafts accordingly. While the publications provide guidance and a clear direction, there may be modifications in the final draft version that will be presented to the European Commission on January 17, 2024.
The following have been released for public consultation:
- Draft Regulatory Technical Standards (RTS) on ICT risk management tools, methods, processes, and policies.
- Draft RTS on classification of ICT incidents.
- Draft Implementing Technical Standards (ITS) on the register of information.
- Draft RTS on the policy regarding the use of ICT services for Critical and Important (CI) functions.
You have until September 11, 2023, to provide your feedback on this batch and contribute to the process.
The current drafts encompass:
ICT risk management: tools, methods, processes and policies
This section provides additional details on ICT risk management, complementing the requirements outlined in the main document. The ESAs have drawn inspiration from existing European and international standards on ICT risk management during the development process. The discussion covers key components of the ICT risk management framework, including expectations for a simplified version that certain institutions can adopt.
Classification of ICT incidents
This document addresses the objective of harmonizing and streamlining ICT incident reporting requirements under DORA. It outlines classification criteria for ICT-related incidents, materiality thresholds for identifying major incidents, criteria and thresholds for significant cyber threats, and guidelines for assessing the relevance of incidents across Member States. Additionally, it includes guidelines on sharing incident details with competent authorities.
ITS on register of information
These papers present the templates required for maintaining a register of information related to contractual arrangements with ICT third-party service providers. The register aims to promote transparency and accountability in the use of ICT services.
Policy on the use of ICT services for Critical and Important functions
DORA emphasizes the importance of a strategy for managing ICT third-party risk, including requirements to have a policy governing the use of ICT services supporting critical or important functions provided by third-party service providers. This draft of the RTS highlights what needs to be included in the policy to ensure strong risk management practices.
The release of the first batch of DORA technical standards for public consultation marks an important step towards enhancing operational resilience within the financial sector. Stakeholders are encouraged to provide feedback on the consultation papers, which encompass various aspects of ICT risk management, incident classification, information registers, and policies for critical functions. By actively participating in the consultation process, stakeholders can contribute to the development of effective and comprehensive regulations under DORA. A detailed analysis of the content of these drafts will follow on our DORA page.
For more information please visit our DORA site.