The European Supervisory Authorities (ESAs) - the EBA, ESMA and EIOPA - have launched a consultation on the first tranche of policy 'products' under DORA. This first tranche of level 2 measures comprises the following technical standards:
|RTS' on the ICT risk management framework / simplified framework||Articles 15 and 16(3)||Sets out requirements for all financial entities regarding (1) ICT security policies, procedures, protocols and tools; (2) HR policy and access control; (3) incident detection and response; (4) ICT business continuity management; (5) the report on the ICT risk management framework review; and (6) proportionality. |
Also provides detail on the simplified framework applicable to smaller / less interconnected financial entities.
|RTS on the criteria for the classification of ICT-related incidents||Article 18(3)||Sets out requirements for financial entities on (1) classification of ICT-related incidents; (2) the classification approach and materiality thresholds for determining major ICT-related incidents to be reported to competent authorities; (3) criteria and thresholds for classifying significant cyber threats; and (4) criteria for competent authorities to assess the relevance of major ICT-related incidents to competent authorities in host member states.|
|ITS to establish the templates for the register of information||Article 28(9)||Sets out templates for the register of information to be maintained by financial entities covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers at individual, consolidated, and, sub-consolidated levels.|
Two sets of templates are included for the registers at an individual entity level and sub-consolidated / consolidated level.
|RTS to specify the policy on ICT services performed by ICT third-party providers||Article 28(10)||Sets out requirements for all phases that should be undertaken by financial entities during the lifecycle of ICT third-party arrangements management, from pre-contractual to exit and termination.|
overview document accompanying the documents above has also been published, which sets out the choreography of level 2 materials over the rest of this year and into 2024.
The consultation follows hot on the heels of the ESAs' recent discussion paper, which seeks input from market participants on the critical ICT third-party service provider designation criteria and oversight fees for CTPPs - see our recent post on this discussion paper for more details.
Further, before the end of the year, the second tranche of policy products is also expected to be published for consultation - with a view to being finalised by 17 July 2024. This somewhat longer list includes RTS to specify the reporting of major ICT-related incidents and threat-led penetration testing.
The consultation on the above technical standards closes on 11 September 2023. Based on the feedback received, texts will be finalised and submitted to the Commission by 17 January 2024 for adoption.