In a significant step towards fortifying the digital operational resilience of the European Union’s financial sector, the three European Supervisory Authorities (ESAs) – EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority), and ESMA (European Securities and Markets Authority) – announced the publication of the initial set of final draft technical standards under the Digital Operational Resilience Act (DORA). This regulatory initiative aims to bolster the Information and Communication Technology (ICT) and third-party risk management frameworks while refining incident reporting structures within financial entities.
The comprehensive set of final draft technical standards includes:
Regulatory Technical Standards (RTS) on ICT Risk Management Framework: The draft RTS on ICT risk management framework introduces additional elements to harmonize tools, methods, processes, and policies related to ICT risk management. Specifically designed for financial entities subject to the simplified regime, these standards outline a simplified ICT risk management framework. By establishing key requirements, the RTS ensures consistency in ICT risk management across various financial sectors.
RTS on Criteria for the Classification of ICT-related Incidents: Addressing the need for a standardized process, these standards specify criteria for the classification of major ICT-related incidents, including materiality thresholds and significant cyber threats. The RTS ensures a streamlined and consistent approach to classifying incident reports across the entire financial sector, facilitating effective incident management.
RTS on ICT Third-Party Provider (TPP) Policy: These standards delineate governance arrangements, risk management, and internal control framework components that financial entities must have in place concerning ICT third-party service providers. The goal is to maintain control over operational risks, information security, and business continuity throughout the lifecycle of contractual arrangements with such service providers.
Implementing Technical Standards (ITS) on the Register of Information: The ITS define the templates that financial entities must use to maintain and update their register of contractual arrangements with ICT third-party service providers. This register of information plays a pivotal role in the ICT third-party risk management framework and will be used by competent authorities and the ESAs in supervising compliance with DORA and in designating critical ICT third-party service providers subject to the DORA oversight regime.
Legal Basis and Background: These final draft technical standards adhere to the provisions of DORA (Regulation (EU) 2022/2554), specifically Articles 15, 16(3), 18(3), 28(9), and 28(10). Following a public consultation period from 19 June to 11 September 2023, which garnered over 420 responses, the ESAs incorporated feedback to ensure simplification, proportionality, and alignment with sector-specific concerns.
Next Steps: The final draft technical standards have been submitted to the European Commission, marking the initiation of the review process. The European Commission will work towards adopting these standards in the coming months, reinforcing the EU’s commitment to digital operational resilience within its financial sector.
To find out more and to download these draft standards, visit: https://www.eba.europa.eu/publications-and-media/press-releases/esas-publish-first-set-rules-under-dora-ict-and-third-party