Harmonization of the DORA requirements is progressing – The second package of the RTS/ITSs and guidelines for DORA is now also available


On June 17 and 26, 2024, the ESAs published the final drafts of the DORA-specific regulations in a second package. This package consists of four regulatory technical standards (RTS), one set of implementing technical standards (ITS) and two guidelines, all of which aim to improve the digital operational resilience of the EU financial sector.

The focus of the 2nd package is on the reporting system for ICT-related incidents (clarity of reports, templates) and threat-led penetration testing (TLPT). At the same time, some requirements for the design of the supervisory framework are introduced.

Specifically, these are the following final drafts from RTS/ITS:

The set of guidelines include:



Background to the 2nd package

As we already reported in our blog post “DORA is taking shape – the first package of final RTS/ITS for DORA is here”, the second package of DORA regulations follows the RTS and ITS from the first package, some of which have already been published by the EU.

The current RTS from the 2nd package were publicly consulted, as were those from the first package. Prompted by numerous comments from market participants, the ESAs announced that they had made specific changes to the technical standards to simplify and streamline the requirements, ensure greater proportionality and take account of sector-specific concerns.

An overview of relevant final drafts

In the following, we summarize the key aspects of three final drafts, focusing on the RTS/guidelines that potentially have the greatest relevance for the financial companies concerned.

DORA requires financial entities (FEs) to report major ICT-related incidents to the competent authority (Art. 19 (1) DORA). In addition, DORA allows financial entities to report significant cyber threats to the competent authorities on a voluntary basis if they consider them relevant to the financial system, service users or customers (Art. 19 (2) DORA). In this regard, DORA aims to standardize the way in which financial institutions report ICT incidents across the EU and establishes uniform requirements for financial institutions to handle, classify and report ICT incidents. To achieve this objective, DORA mandates the ESAs (Art. 20 DORA) to develop common draft regulatory technical standards (RTS) on the content of major ICT incident reports, the deadlines for initial and follow-up reporting and the content of significant cyber threat reports. In addition, the ESAs have been mandated to develop joint draft implementing technical standards (ITS) establishing standard forms, templates and procedures for the reporting of major ICT incidents and significant cyber threats by FEs.

When developing the draft standards, the ESAs must take into account the size and overall risk profile of the FE and the nature, scope and complexity of its services, in particular to ensure that the specificities of the financial sector are reflected through different time limits where appropriate (Art. 20 DORA). This is without prejudice to the uniform approach to the reporting of ICT incidents under DORA and NIS2.

Are there any changes to the consultation draft?

Participants in the public consultation commented on all aspects of the proposed draft RTS. The most important points raised by participants, and partially taken into account by the ESAs in the final drafts, concerned:

  • the consideration of the principle of proportionality and the particularities of the respective financial entity subject to the reporting obligation (including the size and overall risk profile of the FE as well as the nature, scope, complexity and time criticality of its services), in particular when determining the initial reporting deadline;
  • the deadlines for reporting;
  • reporting over the weekend;
  • the interaction between DORA and NIS2;
  • the content of the reporting template;
  • aggregated reporting.

ESAs agreed with some of the proposals and arguments for the changes to the consultation draft. These changes concern, among other things, the deadlines for submitting the initial report, the interim report and the final report, reporting on weekends and public holidays, aggregated reporting and streamlining the content of the reporting form. In detail:

  • The deadline for submitting the interim report has been extended to up to 24 hours and the deadline for submitting the final report to at least 72 hours, by starting the calculation of the deadlines from the submission of the previous notification/report rather than from the time the incident is classified, as had still been proposed in the consultation draft.
  • For weekend and public holiday reporting, the ESAs have reduced the scope of incidents to be reported on weekends and public holidays, removed the obligation for smaller financial institutions to submit the first report on weekends and public holidays and extended the deadline for the submission of notifications and reports to noon on the first working day, instead of within one hour as proposed in the consultation draft.
  • The ESAs have streamlined the content of the reporting form by reducing the number of reporting fields from 84 to 59. The ESAs have also simplified the 7 mandatory fields for the initial report, arguing that this will allow financial firms to better focus their resources on processing the incident and only report the essential elements at this early stage of the incident.

At the same time, the ESAs did not see sufficient justification for the proposed amendment that different initial reporting deadlines should apply to FEs from different financial sectors (such as the insurance and pensions sub-sectors, asset managers, investment firms and trade repositories, and banks’ savings products). The ESAs consider that setting two cumulative deadlines for the submission of the initial notification (4 hours from the classification of the incident, but no later than 24 hours from the time the FE became aware of the incident) is sufficient to take into account the different time criticality of the various financial services.

2. RTS on threat-led penetration testing (TLPT)

Section IV of DORA deals with digital operational resilience testing. Financial institutions are required to establish a robust and comprehensive digital operational resilience testing program as an integral part of their ICT risk management framework. The program must primarily include the testing of ICT tools and systems using an industry-standard portfolio of testing procedures, such as vulnerability assessments and vulnerability scans, open source analyses, network security assessments, gap analyses, physical security reviews, software solution scans, source code reviews where feasible, scenario-based testing, compatibility testing, stress testing, end-to-end testing and penetration testing (Art. 25 DORA). It must be ensured that the appropriate tests are carried out at least once a year for all ICT systems and applications that support critical or important functions.

In addition, Art. 26 DORA requires advanced testing by means of threat-led penetration testing (TLPT) at least every three years for certain financial institutions, in particular those required to do so by their supervisory authority. DORA defines TLPT as a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat and delivers a controlled, bespoke, intelligence-led (red team) test of the financial institution’s critical live production systems. The financial entities required to perform such advanced TLPT tests of ICT tools, systems and processes are determined by the supervisory authorities in accordance with the procedure described in Art. 26 (8) DORA. The competent authorities identify financial entities taking into account the principle of proportionality and the following criteria:

  1. impact-related factors, including in particular the extent to which the services and activities provided by the financial entity have an impact on the financial sector;
  2. financial stability concerns, including the systemic character of the financial entity;
  3. the risk profile, the ICT maturity of the financial entity or relevant technological features.
  4. Micro-enterprises and entities within the meaning of Art. 16 (1) (1) DORA are completely exempt from TLPT.

In connection with TLPT, the ESAs were tasked with drawing up regulatory technical standards that further specify the criteria for identifying the financial institutions that have to carry out such tests. In addition, these RTS on TLPT are to define the requirements and standards for the use of internal testers, for the individual test phases (including scope and test methodology), the results, the closure and the remediation measures, as well as the cooperation with the supervisory authorities (Art. 26 (11) DORA). The ESAs published a first draft of the RTS on TLPT together with 32 questions in a consultation paper (CP), on which the public was able to comment from 08.12.2023 to 04.03.2024.

The first draft of the RTS on TLPT was based on a two-stage approach to determine the financial entities subject to TLPT. In the standard case, all financial entities that are active in key sub-sectors of the financial sector, play a systemic role (such as CCPs/CSDs, as well as certain credit, payment and e-money institutions, trading venues, insurance and reinsurance undertakings) and meet certain criteria or exceed certain thresholds were included. The responsible TLPT authority reserves the right to exclude entities from TLPT if, for example, they do not have a sufficient level of maturity to carry out tests on their live production systems.

In addition to this standard case, the TLPT authority may decide on a case-by-case basis that selected financial entities must carry out a threat-based penetration test where this would not be required under the standard case described above. This decision should be made after an assessment, for which Chapter II of the draft RTS mentions some aspects, but no precise criteria or thresholds. Examples given include the threat level of the financial institution, the degree of its dependence on critical or important functions of ICT systems and processes, and the complexity of its ICT architecture.

The scope of the TLPT tests was to be determined by the FEs themselves on the basis of their own assessment, but had to be validated by the competent authorities.

Are there any changes to the consultation draft?

In the public consultation, respondents were concerned about the requirements for TLPT providers (both testers and threat analysis providers). The requirements were felt to be too stringent, particularly given the limited availability of such providers in the existing market. There were also numerous comments on the proposed testing process, including many requests for more clarity, particularly in relation to TLPTs involving multiple financial institutions and an ICT service provider (in the case of pooled testing or joint testing), and for more time, particularly for the finalization phase. The ESAs have reviewed the proposals and their rationale and have made some changes to the draft RTS.

The most important changes concern the following points:

  • The criteria for the selection of insurance and reinsurance undertakings that must carry out TLPTs have been revised in order to create more predictability for the relevant market participants. The thresholds applicable to payment institutions and electronic money institutions have been raised. The categories of financial instruments to be taken into account when setting thresholds for trading venues have been assigned to the corresponding legal categories.
  • The concerns raised that membership of a group structure is not sufficiently taken into account have been addressed in the final draft text as follows: Group affiliation will be taken into account by the TLPT authority when identifying a financial entity if common ICT systems or the same ICT service provider are used within the group. Ultimately, however, identification must take place at the level of the financial institution.
  • The provisions on TLPTs involving multiple financial entities and/or ICT service providers (intragroup or third parties) in pooled and joint TLPTs have been clarified, including the relevant processes, which also require extended cooperation between the TLPT authorities involved, as well as the associated risk management. In order to ensure a clearer distinction between pooled TLPTs on the one hand and joint TLPTs on the other, a definition of “joint TLPT” has been introduced in the final draft and the relevant provisions have been separated. In addition, it has been made clear that each financial entity is responsible for managing its own risks and that the designated financial entity is responsible for identifying all common sources of risk that may arise, while all other financial entities are required to cooperate in identifying and mitigating these risks.
  • The requirements for external and internal testers and threat intelligence providers have been revised to include different criteria for the required experience with threat intelligence and TLPT in the financial services industry and more flexibility in connection with appropriate risk management measures. Tester experience is no longer limited to intelligence-led red teaming, but has been extended to include penetration testing and red teaming. In addition, the possibility of using testers who do not meet all the criteria has been introduced, provided that the financial institution identifies and mitigates any additional risks to the TLPT. Clearer wording has also been included in the updated RTS to align the requirements for internal testers with those for external testers. In addition, the requirement that internal testers must have been employed by the financial institution for two years has been reduced to one year. This addresses the concern of many respondents to the public consultation that the original requirement could be difficult to meet in a fast-moving industry, while still keeping the distinction from external testers clear.

3. 1st update as of July 29, 2024: RTS for the specification of requirements for the subcontracting of ICT services to support critical or important functions

According to Art. 30 para. 2 lit. a) DORA, the contract for ICT services must, among other things, regulate whether the award of subcontracts for ICT services that support critical or important functions within the meaning of DORA or essential parts thereof is permissible, and – if this is the case – which conditions apply to this subcontracting.

In their final draft RTS published on July 26, 2024, the ESAs have specified the following requirements for the entire lifecycle of contractual agreements with third-party ICT service providers with regard to the subcontracting of ICT services to support critical or essential functions.

  • The conclusion of an agreement must be based on a prior planning phase. In this phase, the financial institution assesses the permissibility of subcontracting by its ICT service provider. To do this, it is necessary for the financial institution to evaluate the risks associated with subcontracting. This also includes a due diligence review. Among other things, the financial institution must assess whether sufficient service quality (SLA) can be guaranteed throughout the entire ICT subcontracting chain. In particular, it must be verified whether the third-party ICT service provider and, if applicable, the ICT subcontractors have the necessary resources to provide the (sub)contracted ICT services. This also includes an examination of the human, financial and technical resources as well as an assessment of the organizational structure, including risk management and internal controls. Financial firms should determine whether they will conduct the due diligence of subcontractors and risk assessment directly themselves or indirectly through their third-party ICT service providers, taking into account the specifics of the contractual arrangements and their ultimate responsibility under DORA.
  • Next, the RTS contain requirements for ensuring that the performance of critical or important functions by third-party ICT service providers and, where appropriate, by financial institutions themselves is monitored, audited and managed throughout the entire ICT subcontracting chain. The third-party ICT service provider must also be contractually obliged to ensure that its respective subcontractors grant the financial institution, the competent authorities and the resolution authorities comprehensive access, audit and control rights.
  • In addition, the RTS define the requirements for terminating contractual agreements with ICT service providers in connection with subcontracting.

These requirements also apply to intra-group ICT subcontractors. Intra-group ICT subcontracts should be treated in the same way as subcontracts outside the group.

Are there any changes to the consultation draft?

The proposed changes made during the consultation process, such as greater consideration of the proportionality principle, greater transfer of responsibility for monitoring subcontractors from the financial institution to the ICT service provider, and the direct imposition of certain information requirements on the ICT service provider, were only partially taken into account by the ESAs, and mostly only to clarify formulations already contained in the consultation draft.

The guidelines on the estimation of aggregate costs/losses caused by serious ICT incidents aim to harmonize the estimation of the total annual costs and losses incurred by financial institutions due to serious ICT incidents in accordance with Art. 11 (10) DORA. The ESAs’ mandate to develop these guidelines is closely linked to the DORA mandates for the RTS on incident classification and serious incident reporting, as these also require an assessment of the costs and losses of ICT incidents. Accordingly, the ESAs aim to ensure consistency between these mandates in order to avoid inconsistencies, increase the comparability of the figures reported under the different mandates and, where competent authorities require this information from financial institutions, reduce the reporting burden on financial institutions.

All classification criteria in the RTS are also intended to ensure proportionality. In particular, the ESAs expect that smaller financial institutions will be less likely than larger ones to classify ICT-related incidents as “major”.

In summary, the draft Guidelines on the estimation of aggregate costs/losses require financial undertakings to

  • apply the same approach as the RTS for the criteria for classifying ICT incidents when assessing gross costs and losses and the same approach as the technical standards for incident reporting when assessing the financial recovery from serious ICT incidents;
  • only take into account those ICT incidents that have been classified as serious and for which the financial institution has submitted a final incident report in accordance with Art. 19 (4) lit. c) DORA in the reporting year or has submitted one in previous years if they have had an impact on the costs and losses of the reporting year, and
  • break down the gross costs and losses as well as the financial recoveries by serious ICT incidents in order to substantiate the overall figures.

Are there any changes to the consultation draft?

The main points raised by participants in the public consultation were:

  (a) the review of the reference year for which financial undertakings should provide an estimate to the competent authority; and
  (b) the limitation of the costs and losses that should be reported to the competent authorities.

After evaluating this feedback, the ESAs have decided to revise their proposal for determining the reference year in order to give financial institutions more flexibility, which should also reduce their reporting burden. The ESAs have decided to amend the guidelines to allow financial institutions to choose which reference year they wish to use. However, once they have decided whether they will report on the basis of the calendar year or the financial year, financial undertakings should also submit future annual reports on the basis of the same type of year. If a financial undertaking wishes to change its decision, it should notify the competent authority, which then has two months to object to the change of decision. This approach of flexibility in the choice of year to be used should make it easier for financial undertakings to choose the most appropriate and accessible data source available to them. This should particularly benefit financial undertakings that have such information as part of their regulatory reporting (such as credit institutions).

Some respondents were in favor of including only the gross costs, while others argued that only the net costs should be included in the estimate. The same divergence arose with regard to the reporting of gross and net costs and losses and the reporting form. The gross cost is the cost or loss paid or recognized by the financial undertaking. The net costs are simply the gross costs and losses minus the financial recoveries.

To further reduce the reporting burden, the ESAs have also decided to only require an estimate of the gross costs and losses and no longer the net costs and losses, as the competent authorities can calculate these themselves. However, the estimate of financial recoveries has been retained in the guidelines, in addition to the gross costs and losses.

What happens next?

The final drafts of the RTS have been submitted to the European Commission, which will now begin its examination. Following a successful review, the RTS will be adopted in the coming months and submitted to the European Parliament and the Council for examination. They will then be published in the Official Journal of the European Union.

The expected date for the application of the RTS/Guidelines has been announced by the ESAs as 17.01.2025.

As time moves on, financial companies must urgently prepare for the applicability of the DORA including the associated RTS/ITS and Guidelines from 17.01.2025 and in particular review and adapt the conformity of their business organization, their internal documentation and processes as well as their contracts with third-party ICT service providers.

As a first step, we recommend carrying out a gap analysis based on the final drafts of the RTS/ITS and guidelines from the 1st and 2nd packages that have already been published. The identified gaps must then be closed through appropriate adaptation measures, e.g. by implementing any missing functions, drafting missing or needs-based adaptations to existing company guidelines and adapting existing or drafting new DORA-compliant templates for contracts with third-party ICT service providers.

We will be happy to support you on your path to DORA compliance, be it with legal advice on the DORA requirements, carrying out your DORA gap analysis, drafting missing documentation or documentation that needs to be adapted, or negotiating with your ICT third-party service providers.
