Legal development

DORA Level 2 regulations finalised (NEARLY)

Insight Hero Image

    On 17 July 2024, the ESAs published the second (and final) batch of policy products under DORA. The package includes:

    • RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats. 
    • RTS on the harmonisation of conditions enabling the conduct of the oversight activities.
    • RTS specifying the criteria for determining the composition of the joint examination team (JET).
    • RTS on threat-led penetration testing (TLPT).
    • Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents.
    • Guidelines on oversight cooperation.

    Importantly, the anticipated RTS on subcontracting has been delayed – without explanation – and will be published in "due course" according to the ESAs.

    With 6 months to go until DORA comes into force, firms should continue to move forward with their implementation projects and should review the changes made in the final reports as part of their DORA implementation framework.

    Below, we highlight the main takeaways from the most relevant documents published as part of this second batch of policy products.

    RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats

    The technical standards in relation to ICT-related incidents is likely to be of most interest to firms in this batch of policy products. DORA aims to harmonise and streamline the ICT-related incident reporting regime for firms in the EU. The RTS establishes the content of the reports for major ICT-related incidents, outlines the time limits for the initial notification and each subsequent notification, and sets out the related obligations on the voluntary notification for significant cyber threats. The ITS sets out the prescribed standard forms, templates and procedures firms must follow when submitting the notification and reports to their respective NCAs.

    Key changes made between the draft and final technical standards

    • Reporting timeframes. Following push-back from the market, the final report provides more flexibility on the time limits for reporting major ICT-related incidents to NCAs: 
      • The original text required firms to submit their "intermediate" report within 72 hours of classifying an incident as "major". Firms are now able to submit the intermediate report within 72 hours of submission of the initial notification, thereby potentially giving firms up to 24 hours longer to submit their intermediate report.
      • Similarly, with respect to the "final" report, the original consultation required submission of the final report within one month from the classification of the incident as major. Firms are now able to submit the final reports one month from the submission of the latest intermediate report. This potentially gives firms up to an additional three days to submit the final report.
    • Content of the reports. The ESAs have streamlined the incident templates by reducing the number of data fields from 84 to 59 and, importantly, reducing the reporting fields for the initial notification from 17 to 10 with only 7 mandatory fields (from the previous 9). This should reduce the burden on firms allowing them to focus their resources on managing the major ICT-related incident.
    • Aggregated reporting. The final text introduces aggregated reporting. This allows an ICT third-party service provider, where this responsibility has been outsourced to them, to submit a single aggregate report for multiple firms affected by the same incident. This is subject to the conditions set out in the RTS, for example, impacted firms should be supervised by the same NCA and the incident should originate or be caused by a third-party provider. 
    • Weekend reporting. The submission of an initial notification and intermediate report over the weekend is now only required by significant or systemic institutions at EU and national level.

    Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents.

    In addition to the above RTS and ITS on ICT-related incident reporting, the ESAs have also finalised the guidelines establishing harmonised content on how to estimate the costs and losses caused by major ICT-related incidents. The guidelines set out: 

    • how firms should estimate the annual costs and losses (with the removal of the requirement to calculate net costs and losses);
    • the figures to be used in calculating the estimated costs and losses; and
    • the reference period, which now allows flexibility in choosing whether to report based on the calendar year or the accounting year.

    RTS on threat-led penetration testing (TLPT).

    These technical standards deal with the criteria to designate firms in-scope for conducting threat-led penetration testing, as well as the related obligations relating to the TLPT undertaken by firms. It establishes the requirements and standards on, among other things, the use of testers (internal and external), testing methodology, and the approach for each phase of the testing, results, closure and remediation.

    Key changes made to the draft technical standards include:

    • Designation of firms. Revisions to the two-layered approach used to identify firms in scope of the TLPT regime, including by increasing the thresholds applicable to firms operating in "core financial services subsectors" and playing a systemic role. This should have the effect of reducing the number firms automatically in scope of the TLPT regime. 
    • Pooled and joint TLPT. Clarification on the processes relating to TLPT involving several financial entities and / or ICT service providers (intragroup or third-party) in pooled TLPTs and joint TLPTs.
    • Testers (internal and external). Increased flexibility on the requirements applicable to testers, internal and external, in conjunction with appropriate risk management measures.

    The final draft technical standards have been submitted to the European Commission, which will now start working on their review with a view to them being adopted in the coming months. As a reminder, DORA shall apply from 17 January 2025 and there is currently no transition period. Firms, in particular, should ensure their ICT Risk Management Frameworks and third-party vendor outreach programmes are on course for this date.

    Firms should also monitor for the publication of the final RTS on subcontracting, which should complete the expected DORA legislative document suite.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.