Drafting the future: unveiling the next chapter of DORA


Thu 29 Feb 2024

DORA is a legislative proposal that aims to improve the digital operational resilience and ensure the performance and stability of the financial system of the member countries of the European Union in the face of the risks associated with ICT (Information and Communication Technology) in the financial sector (cyber-threats, cyber-attacks).

The DORA requirements will apply from 17 January 2025. European regulators are consulting on the standards setting out the requirements for regulated entities. A first wave of RTS/ITS standards [1] was published by the ESAs on 16 June 2023 with a call for consultation until 11 September 2023 (the final texts were published on 18 January 2024).

Following its publication in the Official Journal of the European Union on 16 January 2023, the Digital Operational Resilience Act (DORA) regulation, which aims to strengthen the digital operational resilience of players in the banking and financial sectors, has made further progress.

On 8 December 2023, the European Supervisory Authorities (ESAs) launched the second public consultation on a batch of regulatory technical standards, implementing technical standards, and guidelines (RTS, ITS, and GL) [2] to facilitate its operational implementation. The public consultation on these proposals is open until 4 March 2024.

In the meantime, reporting entities will need to prepare themselves and analyse the strategic, operational, and organisational impacts of these regulations.

This article provides an update on the legislative framework for DORA and highlights the key challenges and concerns.

DORA and the second drafts on RTS, ITS, and GL

To make its application operational, the European Supervisory Authorities (ESAs) have jointly drawn up a set of 14 texts divided into two batches. The second batch concerns the following topics:

RTS on the content, deadlines, and format of ICT incident reports (art. 20)

The draft RTS covers three distinct aspects under DORA:

  1. The content of major ICT incident reports;
  2. The deadlines for reporting an initial, intermediate, and final notification for each incident;
  3. The content of the notification for major cyber threats.

It is associated with draft implementation standards that introduce the general requirements for compiling a report, including the template and format. It also provides a data glossary, characteristics of the data fields, and instructions on how to fill them in.

RTS on aggregated losses and costs resulting from major incidents (art. 11)

These proposed guidelines (GL) specify the calculation and estimation of aggregated annual costs and losses caused by each major incident. They also introduce a report covering all such gross and net costs and losses, and financial recoveries for each major ICT incident.

It proposes to:

  • apply the same approach as the forthcoming regulatory technical standard on major incidents;
  • fix the reference period for the aggregation of all costs and losses, facilitating an estimation based on the figures available in the validated financial statements;
  • only include ICT incidents that have been classified as major and for which the entity has provided a final incident report;
  • provide a breakdown of all gross and net costs, losses, and financial recoveries for each major ICT incident to support the overall figures.

RTS on outsourcing of critical or important functions (art. 30)

This draft RTS incorporates:

  • additional specifications for the identification and assessment of subcontractors supporting critical or important functions;
  • the monitoring of agreements between financial entities and ICT service providers;
  • the definition of key requirements for the use of outsourced services by financial entities.

Reporting entities will need to formalise the following when outsourcing critical or important ICT functions:

  • risk assessment before authorising outsourcing;
  • requirements for contractual agreements;
  • monitoring of subcontracting agreements;
  • notification of significant changes;
  • exit and termination rights.

RTS on the harmonisation of supervision conditions (art. 41)

The main objective of this draft RTS is to harmonise requirements between regulations and to establish effective supervisory conditions vis-à-vis critical third-party service providers (CTPPs), financial entities, and supervisory authorities. It specifies:

  1. the information to be provided by a third-party ICT service provider when it requests voluntary designation as critical;
  2. the content, structure, and format of the information that third-party ICT service providers must submit, disclose, or communicate to the lead supervisor (LO);
  3. specifications on the assessment by competent authorities of measures taken by CTPPs based on LO recommendations.

Guidelines on cooperation between supervisors and ESAs (Art. 32)

These draft guidelines cover the following areas:

  • general considerations: language, means of communication, contact points, and differences of opinion between the different authorities;
  • designation of critical third-party ICT service providers: the exchange of information between the LO, the competent authorities, and the supervisory forum regarding the designation of these service providers;
  • supervision activities: procedures and exchanges of information relating to the annual supervision plan, general investigations, inspections, and measures taken by the competent authorities concerning ICT CTPPs;
  • follow-up of recommendations: exchanges of information between the LO and the competent authorities to ensure the follow-up of recommendations and the decision by financial entities to suspend or terminate their contract with an ICT CTPP.

RTS on threat-led penetration testing (TLPT)

Article 26 of the DORA regulation requires certain financial entities to carry out advanced tests using TLPTs at least every three years. It also defines:

  • the criteria identifying the entities responsible for carrying out TLPTs;
  • standards and requirements for internal testers;
  • requirements relating to methodology, scope, results, closure, and corrective action;
  • the type of cooperation relevant to the implementation of TLPTs;
  • facilitation of mutual recognition.

The next steps

In conclusion, the DORA regulation implies organisational and structural changes. Institutions should already be taking steps to ensure that they are ready for the deadline of 17 January 2025. Our specialist teams are on hand to help you implement them.

[1] Flash BankNews n°88 | DORA et les premières RTS/ITS [translation: DORA and the first drafts on RTS and ITS]

[2] RTS: Regulatory Technical Standard; ITS: Implementing Technical Standards; GL: Guidelines