Insight

DORA Regulation - ICT risk management in light of ESAs’ recent publication of additional Regulatory Technical Standards (RTS)

On 19 June 2023, the European Supervisory Authorities (EBA, EIOPA and ESMA - together the "ESAs") launched a public consultation on the first batch of policy products under the Digital Operational Resilience Act (DORA). This includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS).

Under Article 15 and 16 of the DORA Regulation, the ESAs have been tasked to develop draft RTS aimed at achieving a further harmonization of ICT risk management tools, methods, processes and policies across the EU as well as to develop a simplified ICT risk management framework for certain financial entities. In this publication, we provide an overview of what is included in ESAs’ recent publication on the RTS and the simplified framework for ICT risk management.

Due to the thematic interconnectedness, the mandates of Article 15 and Article 16(3) of the DORA Regulation have been merged into a single draft of RTS to comprehensively address the subject of ICT risk management. The structure of the RTS is broadly in line with the elements outlined by the ESAs under Articles 15 and 16(3) of DORA, as illustrated in the graphic below.

It should be stressed that the requirements set out in the RTS complement the requirements for the ICT risk management framework that have already been set out in DORA, and the RTS requirements should therefore be read in conjunction with the articles related to the DORA Regulation (Articles 1 to 14 of DORA).

Linking the RTS requirements to existing regulations and standards within the DORA Regulation

When getting acquainted with the RTS requirements, it is impossible not to notice a strong synergy with the EBA and EIOPA guidelines in the field of ICT risk management and security, as well as the direct references to other European and international regulations and standards (including NIS2, NIST cybersecurity framework, as well as standards from the ISO 27000-series). The aim of the ESAs’ RTS is to further harmonize, complement and clarify existing requirements, rather than creating a completely new standard for ICT risk management.

RTS requirements
The RTS requirements are extensive and contain many detailed provisions, but we would like to draw your attention to the following in particular:

the requirement to develop, document and implement ICT risk management policy and procedures;
the requirement to develop, document and implement a comprehensive policy on encryption and cryptographic controls (including a cryptographic key management policy);
requirements to develop, document and implement policies, procedures, protocols and tools on network security management (including the segregation and segmentation of ICT systems and networks taking into account the criticality or importance of the function they support, as well as the classification and overall risk profile of ICT assets using them);
the requirement to develop, document and implement policies governing the acquisition, development and maintenance of ICT systems (including defining measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development, maintenance and deployment in the production environment);
the requirement to document ICT operational procedures, including asset management, capacity and performance management (including resource optimization), as well as vulnerability and patch management.

We have also noticed several novelties that were not previously explicitly stated in the DORA Regulation:

The section on the security of ICT operations has been divided, placing particular emphasis on the operational aspects of ICT security, including capacity and performance management.
The scope of the ICT change management section has been extended to include ICT project management, which additionally takes into account the aspect of development, acquisition and maintenance of ICT systems.
As part of the physical security aspect of the RTS, the requirement of defining, documenting and implementing a physical and environmental security policy has been introduced, which includes measures to protect the security of premises, data centers and computer equipment.

Simplified risk management framework - the DORA Regulation

According to Article 16 of the DORA Regulation, certain organizations (depending on their size, scale, sector and/or complexity) will be able to establish and maintain a simplified ICT risk management framework in accordance with the principle of proportionality, meaning that the framework is tailored to fit the specific needs and characteristics of these entities. This is where the RTS requirements identify the key elements that should still be included.

The scope of the simplified framework is similar to the standard framework. However, it excludes some specific areas related to encryption and human resources. This means that the following elements will still be required:

ICT risk management: including policies with clear definitions of roles and responsibilities; classification of ICT information and resources; implementation of an ICT risk management process; implementation of an ICT incident management process; and a clear approach to physical and environmental safety.
Mitigation: including implementing procedures related to logical and physical access control; monitoring and management of ICT resources; data protection; ICT security testing; and acquisition, development and maintenance of ICT systems.
ICT business continuity management: including carrying out business impact analyses; and developing, approving and testing ICT business continuity plans.
Reporting on the ICT risk management framework: including submitting an overview of the ICT risk management framework to the relevant authorities upon request.

Next steps

As part of the public consultation on the RTS project, comments will be accepted until 11 September 2023. Subsequently, based on the received comments, the finalized version of the RTS will be submitted by the ESAs to the European Commission on 17 January 2024. The DORA Regulation will then apply from 17 January 2025. The above means that the content of the RTS may still change, but it is definitely worth familiarizing yourself with it to have a better idea of what to expect in the future.

Contact us

Stefanie Ruys

Partner | Crisis and Resilience

steruys@deloitte.dk

+45 30 93 52 87

As a partner, Stefanie leads the national Resilience & Strategic risk practice in Denmark, and the Crisis & Resilience practice in the Nordics. Stefanie has over 16 years of experience in different ge... Mere

Anders Lukic

Director | Cyber Strategy

alukic@deloitte.dk

+45 22 20 23 29

Anders arbejder med compliance i bred forstand og med SAP Software Asset Management i særdeleshed. Anders har stor erfaring med implementering og optimering af forretningsprocesser, interne kontroller... Mere

Tobias Soettrup

Director | Regulatory and Compliance

tsoettrup@deloitte.dk

+45 51 53 16 28

... Mere

Kathrine von Grumbkow

Senior Manager | Regulatory & Compliance

kvongrumbkow@deloitte.dk

+45 30 93 40 18

Kathrine is a result-oriented leader with extensive and in-depth compliance and risk management experience. She has worked 20 years with and in various financial institutions where she has developed, ... Mere

Audit & Assurance

Financial Advisory

Risk Advisory

Consulting

Tax & Legal

Nordic Board & Executive Advisory

Consumer

Energy, Resources & Industrials

Financial Services

Life Sciences & Health Care

Government & Public services

Deloitte Private

Technology, Media & Telecommunications

Welcome to Careers at Deloitte

Search jobs

Event overview