DORA’s technical standards: Know your RTS and ITS
With only five and a half months to go until the Digital Operational Resilience Act (DORA) takes full effect, the technical standards are being put in place ready for the deadline. The first tranche of DORA’s technical standards has now been finalised, and the European Commission (EC) adopted them without making any changes.
Regular readers will be aware of the way in which DORA is being implemented. The regulation is supported by additional documentation in the form of several regulatory technical standards (RTS) and implementing technical standards (ITS).
Examples of RTS include specifications for ICT risk management frameworks and criteria for classifying ICT-related incidents.
Examples of ITS include templates for the register of information related to contractual arrangements with ICT third-party service providers, and the reporting details for major ICT-related incidents.
Both RTS and ITS are developed by the European Supervisory Authorities (ESAs) and are subject to adoption by the EC. They complement the primary legislation (that is, DORA itself) by providing more granular guidance and specific rules for implementation.
Tranche one: Finalised and approved
This is the full list of RTS and ITS finalised and approved by the EC to date (12 July 2024). No changes were made to the draft versions adopted by the EC in tranche one:
ICT risk management framework and simplified ICT risk management framework: Article 15 and Article 16(3)
This RTS sets out the requirements for a comprehensive ICT risk management framework, including a simplified version for smaller entities.
The RTS specifies ICT security policies, procedures, and tools to ensure resilience, data integrity, and availability – along with the expected content of these ICT security policies, and procedures for the comprehensive ICT risk management framework.
The simplified ICT risk management framework is for small and non-interconnected firms, focusing on key areas necessary to ensure digital operational resilience. It requires a comprehensive but simplified approach to managing ICT risks.
RTS to specify the policy on ICT services performed by a third-party: Article 28(10)
This RTS sets out the requirements for policies related to contractual arrangements with ICT third-party service providers, ensuring these policies cover all aspects of governance, risk management, and internal control. The requirements also provide guidance on:
- risk assessment and due diligence;
- monitoring and management;
- exit strategies;
- proportionality; and
- group application.
ITS to establish the templates of a register of information: Article 28(9)
This standard establishes the templates for maintaining a detailed register of information related to contractual arrangements with ICT third-party service providers. The register aims to enhance transparency and regulatory oversight of third-party dependencies.
Note that the final draft of this ITS was released in January 2024. A “dry run” exercise is now being coordinated by the ESAs and competent authorities (CAs) of EU Member States to determine how it might work.
RTS on criteria for the classification of ICT-related incidents: Article 18(3)
The standard defines the criteria for classifying ICT-related incidents and sets out materiality thresholds. The classification criteria cover:
- impacted clients;
- financial counterparties and transactions;
- reputational impact;
- incident duration and service downtime;
- geographical spread;
- data losses;
- critical services affected; and
- economic consequences.
Incidents are classified as major if they affect critical services and meet specific thresholds, such as affecting a significant percentage of clients or transactions, or if they have a substantial economic impact. Recurring incidents are considered major if they occur repeatedly within six months and meet combined criteria.
The goal is to standardise incident classification across financial entities to improve reporting and response consistency.
Tranche two: Public consultations closed
Public consultations on the following technical standards were conducted between 8 December 2023 and 4 March 2024. The submission deadline to the EC was 17 July 2024. This means that they may be subject to further refinement before final implementation.
Guidelines on aggregated costs and losses from major incidents: Article 11(1)
The guidelines align with the RTS on incident classification and reporting, distinguishing between gross costs (total incurred) and net costs (after financial recoveries).
Cost components include:
- expropriated funds;
- replacement costs;
- staff costs;
- fees;
- customer redress;
- lost revenues;
- communication costs; and
- advisory costs.
There is a requirement to aggregate costs and losses for all major ICT incidents within the reference period, which is typically the accounting year. A standardised reporting template is provided to ensure transparency.
RTS to specify the reporting of major ICT-related incidents and ITS to establish the reporting details for major ICT-related incidents: Article 20(a) and (b)
The RTS sets out general reporting requirements around details of the information to be included in incident reports, such as the type of incident, affected entities, and contact details.
Initial notification requirements include date and time of detection and classification, a description of the incident, and classification criteria.
Intermediate incident reporting includes additional data points, such as a detailed impact assessment, actions taken, and any updates on the incident's status.
The final incident report focuses on root cause analysis, resolution measures, and includes an economic impact assessment.
The ITS provides standard forms and templates for reporting incidents, ensuring consistent data collection and reporting processes.
RTS on threat-led penetration testing: Article 26(1)
The threat-led penetration testing (TLPT) standards specify criteria for identifying financial entities required to undergo advanced penetration testing. They detail the scope, methodology, and procedures for conducting TLPT, ensuring a comprehensive evaluation of operational resilience.
These standards are designed to bolster the operational resilience of financial institutions, mitigating risks associated with ICT disruptions and enhancing the overall stability of the financial system.
RTS to specify the elements to determine and assess conditions for subcontracting ICT services supporting a critical or important function: Article 30(5)
This standard details responsibilities for overseeing:
- subcontracting arrangements;
- due diligence processes;
- risk assessments; and
- contractual obligations related to subcontracting ICT services.
Contracts with ICT third parties should specify the conditions under which ICT services supporting critical or important functions can be subcontracted. Financial entities are required to monitor the entire subcontracting chain and ensure compliance with ICT security standards. Financial entities must ensure that they are informed in advance of any material changes to subcontracting arrangements to assess potential risks.
What else to keep track of
Centralisation of reporting of major ICT-related incidents: Article 21
As its title indicates, this aims to centralise the reporting process for major ICT-related incidents in the financial sector by establishing a mechanism for financial entities to report significant ICT incidents.
It is envisaged that the Article will work in conjunction with other DORA provisions related to incident management, classification, and reporting (Articles 17 to 20).
As of writing, a feasibility report on further centralisation of incident reporting through the establishment of a single EU hub is underway. It is scheduled to be submitted to the EC by 17 January 2025.
Calls for advice: Article 31(8) and Article 43(2)
On 29 September 2023, the ESAs published their joint response to the EC’s Call for Advice on two delegated acts under DORA.
For criticality criteria (Article 31(8)), the ESAs proposed a two-step indicator-based approach:
- Step 1: six quantitative indicators with minimum relevance thresholds; and
- Step 2: five qualitative indicators for further assessment.
For oversight fees (Article 43(2)), the ESAs advised on:
- types of expenditure to be covered by fees;
- methods for determining applicable turnover of critical ICT third-party providers (CTPPs); and
- fee calculation methods and payment practicalities.
The ESAs' advice aims to inform the EC’s drafting of the delegated acts, which must be adopted by 17 July 2024.
The advice incorporates feedback from a consultation held from May to June 2023, which received 41 responses.
Structure of the oversight framework: Article 32(7)
This requires the ESAs to issue guidelines on the cooperation between the ESAs and the CAs for the oversight of CTPPs.
The guidelines aim to ensure:
- an overview of areas where cooperation and information exchange are needed;
- a coordinated approach between ESAs and CAs for oversight activities; and
- common rules of procedure and timelines for cooperation and information exchange.
The draft guidelines cover:
- general considerations (language, communication means, contact points);
- procedures for designation of CTPPs;
- oversight activities (annual plans, investigations, on-site inspections);
- follow-up of recommendations to CTPPs; and
- information exchanges between the lead overseer and CAs.
The guidelines focus on the oversight framework described in Articles 31 to 44 of DORA.
They seek to establish consistent, efficient, and effective practices for oversight cooperation and information exchange between ESAs and CAs.
The guidelines take a preventive and risk-based approach, aiming for balanced allocation of tasks between ESAs and CAs.
They were published for consultation on 27 November 2023, as part of the second tranche of DORA technical standards.
Harmonisation of conditions enabling the conduct of the oversight activities: Article 41
This Article requires the ESAs to develop draft regulatory technical standards through the Joint Committee. The ESAs had to submit these draft standards to the European Commission by 17 July 2024. These standards will specify:
- information required for ICT third-party service providers applying to be designated as critical;
- content, structure, and format of information to be submitted by ICT third-party service providers;
- criteria for determining the composition of joint examination teams; and
- details of competent authorities' assessment of measures taken by critical ICT third-party service providers.
Time for a health check
Understanding these various technical standards is vital for every organisation seeking to achieve DORA compliance.
It is unlikely the requirements will change much after 17 July 2024. What this means for organisations that are underway with DORA preparations based on the draft technical standards is that it's time to perform a health check. It may be that some minor adjustments are needed to reflect the final adopted versions of the RTS and ITS.
"Those organisations still in the process of putting together a DORA compliance plan have the benefit of starting with the final versions of the technical standards (which ought to be available from 22 July 2024). What they do not have, however, is the luxury of time."