DORA: ESAs issue final reports on first set of RTS and ITS under DORA
23 January 2024
The ESAs have published the final reports on the first set of draft RTS and ITS under DORA, which were launched for consultation in June 2023. DORA will apply from 17 January 2025 (see our briefing here for background). The standards relate to the ICT risk management framework; the classification of ICT-related incidents; contractual arrangements with CTPs; and registers of information in relation to contractual arrangements. In some cases changes have been made to the original drafts, so firms may wish to review these changes as part of their DORA implementation programme. The final draft technical standards have been submitted to the European Commission, with a view to their adoption in the coming months.
The ESAs also recently published a second set of RTS and ITS for consultation (see our briefing here) in respect of DORA.
The RTS on the ICT risk management framework deal with specific requirements that are intended to form part of the wider framework on ICT risk management under DORA. They also set out the key elements that financial entities subject to the simplified regime would need to have in place. Changes made by the ESAs to the draft include the removal of the article on governance and information security awareness from the general regime requirements, and clarification of aspects concerning network security, encryption, access control and business continuity. Following feedback on cloud computing specific aspects, the ESAs have decided against introducing any technology-specific requirement (opting instead for a technology-neutral approach) and will instead identify requirements relating to ICT assets or services provided by ICT third-party service providers in general.
RTS on criteria for the classification of ICT-related incidents
These provide further detail on the criteria for classifying major ICT-related incidents, the approach for the classification of major incidents, the materiality thresholds of each classification criterion, and the criteria and materiality thresholds for determining significant cyber threats. Changes have been made to the classification approach, so that financial entities classify an incident as major if the "critical services affected" criterion is met and either: any malicious unauthorised access to network and information systems is identified as part of the "data loss" criterion; or the materiality thresholds of any two other criteria are met. The approach for classifying recurring incidents has also been amended so that it relates to incidents that have occurred at least twice, which are deemed to have the same root cause, and which cumulatively would have met the incident classification criteria.
The RTS on contractual arrangements set out the governance arrangements, risk management and internal control framework that financial entities should have in place in relation to their use of ICT services provided by ICT third-party service providers.
The ITS on registers of information contain the templates for the registers that financial entities must maintain concerning their contractual arrangements with ICT third-party service providers, as required under Article 28(9) DORA.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.