The European Supervisory Authorities (ESAs), i.e. EBA, EIOPA and ESMA, published their 2nd batch of policy products under the Digital Operational Resilience Act (DORA).
This package focuses on the reporting framework for ICT-related incidents, threat-led penetration testing and the design of the oversight framework, with the aim of enhancing resilience.
It consists of 4 final draft regulatory technical standards (RTS), one set of implementing technical standards (ITS), and 2 sets of guidelines on digital operational resilience.
Responses to the related consultations have led to specific changes to the material, simplifying requirements, increasing proportionality and addressing concerns raised.
This follows the ESAs' Jan. 2024 final reports on the first batch of DORA RTS and ITS, see #198438.
RTS and ITS on Major Incident Reporting
The final report contains Draft RTS on the content of notifications and reports for major incidents and significant cyber threats, and on determining the time limits for reporting.
It also includes draft ITS on the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat.
Following consultation, the ESAs made changes related to the time limits for reporting the initial notification, intermediate report and final report; reporting over weekends and bank holidays; aggregated reporting; and streamlining the content of the reporting template.
RTS on Conditions Enabling Oversight Activities
The final report sets out Draft RTS on the harmonization of conditions enabling the conduct of the oversight activities, and sets out the changes made due to consultation feedback.
The changes relate to the scope of information to be provided by an ICT 3rd party service provider in an application to be designated as critical, the relevant identification code, and the scope and content of information to be provided by critical 3rd party service providers to the Lead Overseer.
This includes information about their subcontracting arrangements and the competent authorities' assessment of the risks addressed in the Lead Overseer's recommendations.
RTS on Composition of Joint Examination Team
The final report sets out Draft RTS on the harmonization of conditions enabling the conduct of the oversight activities under Article 41(1)(c) of DORA; the draft RTS specify the criteria for determining the composition of the joint examination team (JET).
These aim to ensure balanced participation of staff members from the ESAs and from the relevant competent authorities, and cover their designation, tasks and working arrangements.
The draft RTS has been refined for legal clarification compared to the consultation version.
RTS on Threat-Led Penetration Testing
The final report contains Draft RTS specifying elements related to threat-led penetration tests (TLPT); the ESAs agreed with some comments to the consultation and made changes.
The main changes relate to the criteria to be used to select insurance and reinsurance undertakings required to perform TLPT by default, allowing for more predictability.
They also cover TLPTs involving several financial entities and/or ICT service providers (pooled TLPTs), with clarification of the related processes, which also require extended cooperation by authorities.
Finally, the requirements applicable to testers, external and internal, and to threat intelligence providers have been revised to include different criteria on past experience and more flexibility, in conjunction with appropriate risk management measures.
Guidelines on Oversight Cooperation
The final report sets out Joint guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under the DORA Regulation.
Some amendments were made following stakeholder comments; these relate to strong security measures for the online tool and to coordination between the Lead Overseer and authorities.
Guidelines on Estimation of Costs
The final report contains the finalized Joint guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under the DORA Regulation.
Due to consultation feedback, the ESAs reviewed their proposal for how to set the reference year, to allow more flexibility for financial entities and reduce their reporting burden.
To reduce this burden further, they also decided to request only the estimation of gross costs and losses, not net costs and losses, since competent authorities can calculate the latter.
Next Steps
Both sets of guidelines have been adopted by the ESAs' Boards of Supervisors; they will be translated into the EU languages and published on the websites of the ESAs.
Competent authorities will have to notify the ESAs whether they comply or intend to comply within 2 months of that publication; the guidelines should apply from Jan. 17, 2025.
The final RTS and ITS have been submitted to the EU CMSN for adoption.
The final report on the proposed RTS on subcontracting ICT services, which was published for consultation as part of this batch of DORA proposals, will be published in due course.
In Jul. 2024, the ESAs issued a final report on the draft RTS on subcontracting, see #220906.
Oct. 23, 2024 EC RTS/ITS Major Incident Reporting
On Oct. 23, 2024, the EU CMSN adopted RTS specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats (C(2024)6901).
It also adopted ITS on standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat (C(2024)7277).
Both are subject to a scrutiny period, usually 2 months, during which the EP and Council may object.
The regulations enter into force on the 20th day following publication in the Official Journal of the EU.
Oct. 24, 2024 RTS Oversight Activities
On Oct. 24, 2024, the EU CMSN adopted RTS on the harmonization of conditions enabling the conduct of the oversight activities (C(2024)6913); these set out the information to be provided by ICT third-party service providers in the application for a voluntary request to be designated as critical, and the content of information to be provided to the Lead Overseer.
Subject to a scrutiny period, usually 2 months, during which the EP and Council may object.
The regulation enters into force on the 20th day following publication in the Official Journal of the EU.
In Oct. 2024, FIA gave its position on ICT subcontracting and the 2nd batch of DORA, see #231706.
On Nov. 6, 2024, EU EBA, EU EIOPA and EU ESMA issued translations of the Joint Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under DORA Regulation (EU) 2022/2554.
The guidelines cover detailed procedures and conditions for the allocation and execution of tasks between competent authorities and the ESAs, and details on the exchange of information needed to ensure follow-up of recommendations to 3rd party ICT service providers.
The guidelines apply from Jan. 17, 2025; competent authorities must notify the ESAs of whether they comply or intend to comply with the guidelines by Jan. 6, 2025.