EU regulators have published the final versions of an initial set of four technical standards for operational resilience that financial institutions must meet to operate in Europe.
The European Supervisory Authorities (EBA, EIOPA and ESMA) released the first package of final draft technical standards under DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) on January 17, 2024. The publication follows a public consultation on the draft measures that the ESAs conducted last year. The final drafts have now been submitted to the European Commission for review and adoption.
The finalized package consists of three Regulatory Technical Standards (RTS), covering ICT risk management frameworks, the criteria for classifying ICT-related incidents, and the policy on ICT services supporting critical functions provided by third-party service providers, plus one Implementing Technical Standard (ITS) establishing the templates for the outsourcing register.
These standards concretize the requirements of DORA and, for the first time, make it possible to assess the implementation effort DORA entails with reasonable accuracy.
Background: What is DORA?
DORA applies from January 17, 2025. It establishes operational resilience rules for the financial industry and strengthens oversight in the areas of ICT risk management, incident management and reporting, operational resilience testing of ICT systems and ICT third-party risk management. The scope of DORA extends to almost all supervised institutions and companies in the European financial sector.
DORA builds a supervisory framework and raises awareness of ICT-related cyber risks and incidents experienced by financial organizations. It enhances cooperation between authorities from different sectors and countries and monitors systemic and concentration risks caused by the financial sector’s dependence on ICT third-party service providers. DORA also introduces an EU-level supervision framework for vital ICT service providers to ensure adequate control of these risks.
Financial firms and their supply chains must comply with the standards set out under DORA to improve their digital operational resilience. Failure to do so may result in enforcement action, including fines.
The new RTS and ITS
The newly published Standards specify the expectations for implementation and reduce the room for interpretation left open by DORA itself.
The first RTS, on ICT risk management frameworks, concretize the requirements of Articles 15 and 16.3 DORA regarding the policies and procedures for protection, prevention, identification and response in the management of ICT risks. They also identify the key elements that financial entities subject to the simplified regime, i.e. those of lower scale, risk, size and complexity, need to have in place, setting out a simplified ICT risk management framework and thereby placing a stronger focus on proportionality and a risk-based approach to ICT risk management.
It is striking that the newly published RTS prescribe a total of 20 policies and procedures for the ICT framework. For example, policies are required for
- ICT asset management,
- encryption and cryptographic controls,
- ICT project management,
- acquisition, development and maintenance of ICT systems,
- physical and environmental security,
- human resources,
- identity management,
- access control,
- ICT-related incident management,
- ICT business continuity.
There is no precise description or outline of the overall ICT risk management framework, but the RTS now published give financial institutions a good idea of what content such a framework needs to have and, accordingly, what changes they need to make to their current ICT risk management.
The second RTS specify the criteria for the classification of major ICT-related incidents: the approach for classifying major incidents, the materiality thresholds of each classification criterion, the criteria and materiality thresholds for determining significant cyber threats, the criteria for competent authorities to assess the relevance of incidents to competent authorities in other Member States, and the details of the incidents to be shared in this regard. The mandate for this was laid down in Article 18 (33) DORA, and the RTS now ensure a harmonized and simple procedure for classifying incidents throughout the financial sector. To that end, the RTS introduce a list of seven classification criteria for determining whether an incident constitutes a "major ICT-related incident", together with detailed materiality thresholds for each criterion.
The classification criteria are as follows:
- critical services affected,
- clients, financial counterparts and transactions,
- data losses,
- reputational impact,
- duration and service downtime,
- geographical spread and
- economic impact.
All criteria are treated equally, except for the criticality of the services affected: an ICT-related incident can be classified as major only if it has an impact on the financial entity's critical services.
The newly published RTS build on the provisions of the Network and Information Security Directive 2 (NIS2) and the Payment Services Directive 2 (PSD2) and align with the incident reporting requirements under Section 54 ZAG as well as BaFin Circular 03/2022 and the EBA Guidelines. This alignment reduces the adjustment work financial institutions need to do on their existing ICT-related incident reporting processes, and the RTS can be used to identify the differences to the existing frameworks and the necessary adjustments. For companies that are already bound by these directives, the additional effort should be minimal. Other companies may need to adapt their existing assessment and reporting processes and the affected systems, which may involve higher costs.
The third RTS, on the policy for ICT services supporting critical or important functions, specify parts of the governance arrangements, risk management and internal control framework that financial entities should have in place regarding the use of ICT third-party service providers. They aim to ensure that financial entities remain in control of their operational risks, information security and business continuity throughout the life cycle of contractual arrangements with such ICT third-party service providers.
With these RTS, financial organizations now have an idea of what rules should apply to contracts and agreements with third-party providers, especially where outsourced ICT services support critical or important functions. This includes the provisions requiring financial entities to clearly assign internal responsibilities for the approval, management, control and documentation of contractual arrangements for the use of ICT services provided by third-party ICT providers in support of their critical or important functions. Although the RTS now provide instructions for strategies and processes, the strict requirements for internal and external service contracts will entail considerable additional adjustment and supplementation work.
The RTS explicitly include internal (intra-group) ICT service providers as third-party providers but set out the conditions for their management and exit strategies in a positive way. On the other hand, internal service providers will also require improved management with Service Level Agreements (SLAs) and KPI reporting.
The ITS set out the templates for the ICT outsourcing register that financial entities must maintain and keep up to date in relation to their contractual arrangements with ICT third-party service providers.
The template provided consists of a series of open tables, linked together through specific keys to form a relational structure. The ITS propose a single set of templates, common to all financial institutions, for reporting the information in the ICT outsourcing register. The main objective is to make dependencies on ICT third-party service providers transparent to the regulatory authorities. The register is to be kept at the level of each individual entity, at sub-consolidated and at consolidated level, and must include all contract details with ICT third-party providers. The amount of data required depends on the importance of the service, but often exceeds the previous information requirements. The ITS also set out specific requirements for implementation, the information to be recorded and the underlying data model.
The ICT outsourcing register will play a crucial role in the ICT third-party risk management of financial firms and will be used by competent authorities in monitoring compliance with DORA and in designating critical ICT third-party providers subject to DORA supervision. For many companies, establishing this register will involve considerable effort, whether because new tools have to be introduced or because existing systems have to be changed extensively.
Next steps for financial institutions
2024 is the year of implementation work for the financial sector. Companies must prepare for the date of application of regulations such as DORA and the EU Regulation on Markets in Crypto Assets (MiCA). The European Commission will review the newly published RTS and ITS on DORA, and compliance with them is expected to become mandatory for financial entities from 17 January 2025.
Financial institutions should therefore start performing or updating their gap assessment based on the final draft set that has now been released. They should check their incident strategies and policy documents for compliance with the newly published RTS. Furthermore, financial institutions should develop or improve their strategy for dealing with ICT risks, especially ICT third-party risks, and improve their risk management framework, their ICT outsourcing policy and their ICT outsourcing register accordingly.
On the basis of their ICT outsourcing strategy, financial institutions need to carry out a pre-contractual risk analysis to check whether a third-party ICT service provider complies with appropriate information security standards. This requirement becomes more stringent when third-party ICT providers are used for critical or important functions, where financial companies must check whether the latest and highest quality standards for information security are being applied. In addition, the type and number of new ICT contracts must be reported annually to BaFin. When commissioning third-party ICT providers, the minimum contract contents set out in Article 30 DORA must also be observed. It is highly recommended to use contract templates that can simply be adapted as required when a new contract is concluded. In addition, there should be a guideline for the use of ICT services supporting critical or important functions.
Even if some of the necessary guidelines or instructions already exist because of the banking supervisory requirements for IT (BAIT) or the supervisory requirements for the IT of payment institutions (ZAIT), these should be revised and supplemented now on the basis of DORA and the newly published RTS, so that all requirements are met at the beginning of 2025.