DORA Regulatory Technical Standards Finalised
A Comprehensive Overview
The Digital Operational Resilience Act (DORA) is a pivotal regulatory framework designed to enhance the operational resilience of financial entities within the European Union (EU). As part of its implementation, DORA mandates the development of Regulatory Technical Standards (RTS) to ensure a consistent and standardised approach across the sector. This article provides a comprehensive overview of the RTS, incorporating insights from both the first and second batches of RTS consultations, with both batches now finalised.
First Batch of Regulatory Technical Standards (Finalised in January 2024)
In January 2024, the first batch of DORA Regulatory Technical Standards was finalised, marking a significant milestone in strengthening cyber resilience for financial entities. This first batch addressed several key areas essential for the effective implementation of DORA:
1. Risk Management Framework:
- Financial services firms are required to establish and maintain a robust ICT risk management framework. This framework encompasses governance, risk identification, and mitigation strategies, all aligned with industry best practices. Additionally, it addresses asset management, encryption, operations security, and network security.
- For small and medium-sized enterprises (SMEs), the RTS provides a simplified framework focusing on minimising ICT risks while ensuring compliance. This tailored approach ensures that SMEs can manage their risks effectively without being overburdened by complex requirements.
2. Incident Classification and Reporting:
- The RTS sets out specific criteria for classifying ICT-related incidents and cyber threats. Incidents are classified using primary criteria such as the number of transactions affected, the number of clients impacted, and the criticality of the disrupted service. Secondary criteria include factors like reputational damage and the duration of service downtime.
- These classifications are essential for ensuring that incidents are reported and addressed promptly and appropriately, thereby mitigating potential risks to the financial system.
3. Register of Information:
- Financial firms are required to maintain a detailed register of all ICT third-party contractual arrangements. This register must include comprehensive information at both the entity level and the consolidated group level.
- The RTS specifies the data to be included, such as the nature of the service provided, the duration of the contract, and the criticality level associated with the service. This requirement ensures transparency and enables effective monitoring of third-party risks.
4. Policies for ICT Services Performed by Third-Party Providers:
- The RTS provides detailed guidance on managing ICT services performed by third-party providers, particularly those supporting critical financial functions. It includes requirements for differentiating providers based on the criticality of the services they offer, planning and implementing ICT services, and monitoring and assessing third-party providers' risks.
- This section is crucial for ensuring that financial entities can effectively manage the risks associated with outsourcing critical functions, thus safeguarding the integrity of their operations.
Second Batch of Regulatory Technical Standards (Final draft published in July 2024)
The final draft of the second batch of DORA RTS was published in July 2024, building upon the foundations laid by the first batch and introducing further detailed requirements in several key areas:
1. Threat-Led Penetration Testing (TLPT):
- This RTS outlines the criteria for identifying entities requiring TLPT. It details the requirements for testing, including the standards that internal testers must meet. The testing process includes preparation, scoping, testing, reporting, and remediation phases.
- While the methodology is aligned with the TIBER-EU framework, specific adaptations include mandatory purple teaming exercises, which involve collaboration between red and blue teams to test and improve an organisation’s cyber defences comprehensively.
2. Major Incident Reporting:
- The RTS harmonises the time limits for reporting major ICT incidents, requiring initial notifications within four hours of incident classification. A comprehensive final report must be submitted within one month of the incident.
- The RTS also includes standardised templates for reporting, ensuring consistency and completeness in the information provided to regulators. This standardisation is vital for effective communication and response coordination during major incidents.
3. Subcontracting of ICT Services:
- The second batch of RTS introduces stringent requirements for subcontracting ICT services, including pre-contractual and ongoing risk assessments, monitoring obligations, and the development of incident response plans.
- These requirements aim to ensure that financial entities can effectively manage the risks associated with subcontracting critical ICT services to third parties, thus maintaining the security and continuity of their operations.
4. Oversight Harmonisation:
- Aimed at critical third-party providers (CTPs), this RTS provides guidelines for their designation and interaction with the Lead Overseer (LO). It includes requirements for the application process, criteria for determining criticality, and the nature of oversight interactions between CTPs and the LO.
- This harmonisation ensures that critical third-party providers are subject to consistent oversight, reducing the risk of operational disruptions across the financial sector.
5. Estimating Costs and Losses from ICT Incidents:
- The RTS also provides guidance on estimating the financial impact of major ICT incidents. This is particularly important for competent authorities in assessing the effectiveness of a financial entity’s risk management framework and its ability to absorb and recover from significant disruptions.
- Accurate cost estimation is crucial for ensuring that financial entities can plan and allocate resources effectively to mitigate the impact of ICT incidents.
Conclusion
The finalisation of DORA’s RTS underscores the EU’s commitment to enhancing the operational resilience of its financial sector. With both the first batch (finalised in January 2024) and the second batch (final draft published in July 2024) of RTS now complete, financial entities must ensure they are fully prepared to implement these standards. Compliance with these RTS will not only ensure adherence to regulatory requirements but also significantly enhance the cyber resilience of financial entities, thereby protecting the broader financial system from operational disruptions.
How Deloitte can help
Deloitte can support you on your DORA compliance journey by assessing your current readiness and proposing measures to meet the regulatory requirements, while customising the remediation plan to your specific environment. We have the specialist skillset and experience to support organisations in implementing the frameworks, processes and controls needed to comply with DORA. Deloitte can help you improve your current capabilities and prepare your organisation to comply fully with DORA.