Digital Operational Resilience Act (DORA)

ESAs publish first set of rules for ICT and third-party risk management and incident classification

The European Supervisory Authorities (i.e., EBA, EIOPA and ESMA) published the first batch of final draft technical standards under the Digital Operational Resilience Act (DORA) on 17 January 2024, aimed at enhancing the digital operational resilience of the EU financial sector by strengthening financial entities’ Information and Communication Technology (ICT), third-party risk and incident management and reporting frameworks.

The joint final draft technical standards include the following:

Regulatory Technical Standards (RTS) on ICT risk management framework and simplified ICT risk management framework

These RTS specify additional elements of ICT risk management, complementary to those identified in DORA, with the aim of harmonising tools, methods, processes and policies. Taking into account the principle of proportionality, the RTS also identify the key elements that financial entities subject to the simplified regime (entities of lower scale, risk, size and complexity) would need to have in place, setting out a simplified ICT risk management framework.

RTS on criteria for the classification of ICT-related incidents

These RTS define the:

a. criteria for classifying major ICT-related incidents;
b. approach for classifying major incidents;
c. materiality thresholds of each classification criterion;
d. criteria and materiality thresholds for identifying significant cyber threats; and
e. criteria for competent authorities to assess the relevance of incidents to competent authorities in other Member States and the details of the incidents to be shared in this regard.

The RTS ensure a consistent and straightforward process for classifying incidents across the financial sector.

RTS on ICT third-party service providers (TPPs) supporting critical or important functions

These RTS outline the parts of the governance arrangements, risk management and internal control framework that financial entities should have in place when using ICT third-party service providers. These requirements aim to ensure that financial entities remain in control of their operational risks, information security and business continuity throughout the lifecycle of contractual arrangements with such ICT third-party service providers.

Implementing Technical Standards (ITS) on the register of information

The ITS set out the templates that financial entities must use, and keep up to date, to record their contractual arrangements with ICT third-party service providers. The register of information will be an essential component of the ICT third-party risk management framework for financial entities, as competent authorities and the ESAs will use it to supervise financial entities’ compliance with DORA and to identify the critical ICT third-party service providers that will be subject to the DORA oversight regime.

The ESAs have submitted the final draft technical standards to the European Commission, which will now begin its review with the objective of adopting this first set of standards in the coming months.
The recently published first set of final draft technical standards can be accessed below.

How can Deloitte help?

Deloitte can help you along your journey towards compliance with DORA, through the performance of a DORA gap assessment, supporting you with the implementation of any remediation activities identified, understanding the various regulatory and implementing technical standards and keeping you up to date with its further developments. Speak to us for more information on our solutions.

Learn more about:

> Operational Risk

> Cyber Risk
