The upcoming arrival of the Digital Operational Resilience Act (DORA) on 17 January 2025 will end the fragmentation of legal obligations for ICT processes and security. By then, financial entities will be required to be fully compliant with both DORA and related regulatory technical standards. Some specific parts of DORA still need to be further developed in level 2 and level 3 legislation. These levels represent more detailed rules and elaborations of the obligations set out in the law.
On 8 December, the European regulators (EBA, ESMA and EIOPA, collectively referred to as the ‘ESAs’) published the second set of draft implementing technical standards. This second set of standards includes four ‘Regulatory Technical Standards’ (RTS), which provide specific technical requirements, one ‘Implementing Technical Standard’ (ITS), aimed at practical implementation, and two ‘Guidelines’ (GL), which serve as interpretative guidance.”
This article zooms in on this second set of regulatory and implementing technical standards flesh out DORA, and have been submitted for consultation.
Incident reporting (art. 20 DORA)
RTS and ITS on content, timelines and templates for incident reporting.
The draft RTS regarding the reporting requirements of serious incidents, addresses three topics:
The draft ITS contains an elaboration of the standard forms for the generic reporting requirements and reporting for serious ICT incidents and significant cyber threats.
Cost reporting (art. 11 DORA)
Guidelines on reporting total costs and losses resulting from major incidents.
The draft Guidelines set out how to report on the estimation of total annual costs and losses caused by major ICT-related incidents. The Guidelines introduce reporting on gross costs and losses, financial recoveries and on net costs and losses.
Testing requirements (art. 26 DORA)
RTS on threat-based penetration testing (TLPT)
Art.26 of DORA requires financial entities to conduct advanced testing through TLPT at least every three years. These are the entities that are not covered by the simplified ICT Risk Framework (Art.16), micro enterprises are also excluded. This RTS describes the requirements for these tests.
Sub-outsourcing (art. 30 DORA)
RTS on the sub-outsourcing of critical or important functions
This draft RTS elaborates on the requirements of Art 30(2)(a) on what elements a financial entity should assess in case of sub-outsourcing of ICT services supporting critical or important functions.
Supervision (arts 41 and 32 DORA)
RTS on harmonisation of supervision
GL on supervisory cooperation between ESAs and competent authorities
These last two documents cover cooperation between ESAs and local supervisory authorities, division of tasks and exchange of information.
The publication of these implementing standards marks the start of a public consultation, during which market participants will have the opportunity to comment on the content of the documents until 4 March 2024. The consultation period allows the ESAs to gather and evaluate feedback from the market.
Want to stay informed about DORA and other developments in financial laws and regulations through articles, e-papers and checklist?
After the consultation period, the final versions will be published on 17 July 2024. When they are, they will be incorporated into the Regulatory Change module of our compliance software, Ruler. This new module assists financial organisations in implementing new laws and regulations and incorporates all the requirements of DORA in an accessible way.
The Regulatory Change module helps you to:
We help organisations meet the requirements of DORA. For example, by conducting a gap analysis and then helping to ‘close’ the gaps identified. We can also help you create, adapt or review the necessary policies and procedures. Need help becoming DORA compliant? Please feel free to contact us.